From b66d0e0a0d99784d9888995d8aa373d74a3accc1 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 11 Nov 2024 12:38:48 +0000
Subject: [PATCH] [New] Remote Desktop File Opened from Suspicious Path (#4251)

---
 ...itial_access_rdp_file_mail_attachment.toml | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 rules/windows/initial_access_rdp_file_mail_attachment.toml

diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml
new file mode 100644
index 00000000000..87b45b1a35b
--- /dev/null
+++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2024/11/05"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
+maturity = "production"
+updated_date = "2024/11/05"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access.
+"""
+from = "now-9m"
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.process-*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-system.security*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Remote Desktop File Opened from Suspicious Path"
+references = [
+    "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
+    "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+    "https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/",
+]
+risk_score = 47
+rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: System",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and  
+ process.name : "mstsc.exe" and
+ process.args : ("?:\\Users\\*\\Downloads\\*.rdp", 
+                 "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp", 
+                 "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp", 
+                 "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp", 
+                 "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
+                 "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"