Lateral Movement (TA0008)(external, opens in a new tab or window)
text code block:/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ sequence by host.id with maxspan=1m [network where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] [registry where host.os.type == "windows" and event.type == "change" and process.name : "explorer.exe" and registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*") ] [process where host.os.type == "windows" and event.type == "start" and (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and not process.name : "conhost.exe" ]
Install detection rules in Elastic Security
Detect Potential SharpRDP Behavior in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).