forked from wortell/KQL
-
Notifications
You must be signed in to change notification settings - Fork 1
/
KQL_sysmon_susp_rdp.txt
49 lines (48 loc) · 2 KB
/
KQL_sysmon_susp_rdp.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
// title: Suspicious Outbound RDP Connections
// description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
//
// reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
//
// original author: Markus Neis (Swisscom)
// KQL author: Maarten Goet (condicio)
//
// MITRE ATT&CK: lateral_movement, t1210
Event
| parse EventData with
* 'Data Name="RuleName">' RuleName '<'
* 'Data Name="UtcTime">' UtcTime '<'
* 'Data Name="ProcessGuid">' ProcessGuid '<'
* 'Data Name="ProcessId">' ProcessId '<'
* 'Data Name="Image">' Image '<'
* 'Data Name="User">' User '<'
* 'Data Name="Protocol">' Protocol '<'
* 'Data Name="Initiated">' Initiated '<'
* 'Data Name="SourceIsIpv6">' SourceIsIpv6 '<'
* 'Data Name="SourceIp">' SourceIp '<'
* 'Data Name="SourceHostname">' SourceHostname '<'
* 'Data Name="SourcePort">' SourcePort '<'
* 'Data Name="SourcePortName">' SourcePortName '<'
* 'Data Name="DestinationIsIpv6">' DestinationIsIpv6 '<'
* 'Data Name="DestinationIp">' DestinationIp '<'
* 'Data Name="DestinationHostname">' DestinationHostname '<'
* 'Data Name="DestinationPort">' DestinationPort '<'
* 'Data Name="DestinationPortName">' DestinationPortName '<'
*
| where ((EventID == "3" and DestinationPort == "3389") and not
(Image endswith "\\mstsc.exe"
or Image endswith "\\RTSApp.exe"
or Image endswith "\\RTS2App.exe"
or Image endswith "\\RDCMan.exe"
or Image endswith "\\ws_TunnelService.exe"
or Image endswith "\\RSSensor.exe"
or Image endswith "\\RemoteDesktopManagerFree.exe"
or Image endswith "\\RemoteDesktopManager.exe"
or Image endswith "\\RemoteDesktopManager64.exe"
or Image endswith "\\mRemoteNG.exe"
or Image endswith "\\mRemote.exe"
or Image endswith "\\Terminals.exe"
or Image endswith "\\spiceworks-finder.exe"
or Image endswith "\\FSDiscovery.exe"
or Image endswith "\\FSAssessment.exe"
or Image endswith "\\MobaRTE.exe"
or Image endswith "\\chrome.exe"))