Remote Desktop Protocol - SharpRDP

Back


Id	cc46e76c-0d04-40b0-9c8b-929aa40513e7
Rulename	Remote Desktop Protocol - SharpRDP
Description	This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
Severity	Medium
Tactics	LateralMovement
Techniques	T1021.001
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml
Version	1.0.0
Arm template	cc46e76c-0d04-40b0-9c8b-929aa40513e7.json

KQL

let executions = DeviceProcessEvents
| where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here. 
// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
//| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
| where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
| where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
| where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
executions
| join kind=leftsemi  (DeviceLogonEvents
| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId

YAML

triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
tactics:
- LateralMovement
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml
queryPeriod: 1h
kind: Scheduled
relevantTechniques:
- T1021.001
name: Remote Desktop Protocol - SharpRDP
id: cc46e76c-0d04-40b0-9c8b-929aa40513e7
status: Available
description: |
    This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
severity: Medium
queryFrequency: 1h
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
  - DeviceLogonEvents
query: |
  let executions = DeviceProcessEvents
  | where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here. 
  // Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
  //| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
  | where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
  | where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
  | where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
  executions
  | join kind=leftsemi  (DeviceLogonEvents
  | where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId  
triggerOperator: gt

ARM