title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
date: 2019/02/16
modified: 2021/05/11
tags:
    - attack.command_and_control
    - attack.t1572
    - attack.lateral_movement
    - attack.t1021.001
    - attack.t1076 # an old one
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection2:
        - DestinationIp|startswith:
            - '127.'
        - DestinationIp:
            - '::1'
    condition: selection and selection2
falsepositives:
    - unknown
level: high
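The following is an added example, not part of the Sigma rule or the author's material: it re-implements the rule's `detection` block in Python and runs it over constructed Sysmon Event ID 3 (network_connection) records, to show how Sigma combines a map (AND over its fields), a list of maps (OR over the items) and the `endswith` / `startswith` modifiers, and how `condition: selection and selection2` joins them. Field names mirror the rule; the event values are made up, and the loose case-insensitive matching is an assumption that follows Sigma's default rather than any specific backend.

```python
"""Evaluate the 'RDP Over Reverse SSH Tunnel' Sigma detection logic over
constructed Sysmon network_connection events (added example, not the
rule author's code)."""

from typing import Any, Dict, List

# Transcription of the rule's detection block. A map is AND over its keys;
# a list is OR over its entries; a list of values is OR over the values.
RULE_DETECTION: Dict[str, Any] = {
    "selection": {
        "Image|endswith": "\\svchost.exe",
        "Initiated": "true",
        "SourcePort": 3389,
    },
    "selection2": [
        {"DestinationIp|startswith": ["127."]},
        {"DestinationIp": ["::1"]},
    ],
}

# Constructed Sysmon Event ID 3 records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 0: svchost initiating from TCP 3389 to IPv4 loopback -> should match
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "Protocol": "tcp", "SourcePort": "3389", "DestinationIp": "127.0.0.1",
     "DestinationPort": "49731"},
    # 1: same pattern over IPv6 loopback -> should match
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "Protocol": "tcp", "SourcePort": "3389", "DestinationIp": "::1",
     "DestinationPort": "49732"},
    # 2: ordinary RDP session with a remote client -> no match
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "Protocol": "tcp", "SourcePort": "3389", "DestinationIp": "10.0.0.25",
     "DestinationPort": "51000"},
    # 3: loopback, but the listener accepted rather than initiated -> no match
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "false",
     "Protocol": "tcp", "SourcePort": "3389", "DestinationIp": "127.0.0.1",
     "DestinationPort": "49733"},
    # 4: loopback on 3389 from a different image -> no match
    {"Image": r"C:\Windows\System32\mstsc.exe", "Initiated": "true",
     "Protocol": "tcp", "SourcePort": "3389", "DestinationIp": "127.0.0.1",
     "DestinationPort": "49734"},
]


def _field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Apply one 'Field|modifier: value(s)' clause to an event."""
    field, _, modifier = key.partition("|")
    raw = event.get(field)
    if raw is None:  # absent field never satisfies a clause
        return False
    value = str(raw).lower()  # Sigma string matching is case-insensitive by default
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "" and value == cand:
            return True
    return False


def _selection_matches(event: Dict[str, Any], selection: Any) -> bool:
    """Map -> AND over its clauses; list -> OR over its items."""
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matches_rule(event: Dict[str, Any]) -> bool:
    """condition: selection and selection2"""
    return (_selection_matches(event, RULE_DETECTION["selection"])
            and _selection_matches(event, RULE_DETECTION["selection2"]))


def hunt(events: List[Dict[str, Any]]) -> List[int]:
    """Return the indices of events that satisfy the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for idx in hunt(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {e['Image']} {e['SourcePort']} -> "
              f"{e['DestinationIp']}:{e['DestinationPort']}")
```

Running the module prints events 0 and 1 only. The negative cases are the ones worth keeping in mind when tuning: a normal remote RDP client (event 2) and a listener-side `Initiated: false` record (event 3) fall outside the rule, so coverage depends on the connection being logged as initiated by svchost.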