SigmaHQ/rules/windows/builtin/win_rdp_reverse_tunnel.yml

title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019/02/16
modified: 2020/08/23
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1076          # an old one
    - attack.t1090          # an old one
    - attack.t1090.001
    - attack.t1090.002
    - attack.t1021.001
    - car.2013-07-002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
    sourceRDP:
        SourcePort: 3389
        DestinationAddress:
            - '127.*'
            - '::1'
    destinationRDP:
        DestinationPort: 3389
        SourceAddress:
            - '127.*'
            - '::1'
    condition: selection and ( sourceRDP or destinationRDP )
falsepositives:
    - unknown
level: high
Rule: RDP over Reverse SSH Tunnel 2019-02-16 18:36:01 +00:00			`title: RDP over Reverse SSH Tunnel WFP`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41`
Rule: RDP over Reverse SSH Tunnel 2019-02-16 18:36:01 +00:00			`status: experimental`
Update win_rdp_reverse_tunnel.yml With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general. Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden 2019-10-29 09:25:37 +00:00			`description: Detects svchost hosting RDP termsvcs communicating with the loopback address`
Rule: RDP over Reverse SSH Tunnel 2019-02-16 18:36:01 +00:00			`references:`
			`- https://twitter.com/SBousseaden/status/1096148422984384514`
Update win_rdp_reverse_tunnel.yml With the recent example for the evtx. RDP Tunneling can happen not only from port 3389. So I tune it to fit in general. Changed the obsolete twitter status with linkage to the evtx from Samir Bousseaden 2019-10-29 09:25:37 +00:00			`- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx`
Rule: RDP over Reverse SSH Tunnel 2019-02-16 18:36:01 +00:00			`author: Samir Bousseaden`
			`date: 2019/02/16`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`modified: 2020/08/23`
Rule: RDP over Reverse SSH Tunnel 2019-02-16 18:36:01 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.command_and_control`
Fixed tagging 2020-02-20 22:44:19 +00:00			`- attack.lateral_movement`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1076 # an old one`
			`- attack.t1090 # an old one`
			`- attack.t1090.001`
			`- attack.t1090.002`
			`- attack.t1021.001`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-07-002`
Rule: RDP over Reverse SSH Tunnel 2019-02-16 18:36:01 +00:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 5156`
			`sourceRDP:`
			`SourcePort: 3389`
			`DestinationAddress:`
			`- '127.*'`
			`- '::1'`
			`destinationRDP:`
			`DestinationPort: 3389`
			`SourceAddress:`
			`- '127.*'`
			`- '::1'`
			`condition: selection and ( sourceRDP or destinationRDP )`
			`falsepositives:`
			`- unknown`
			`level: high`