Remote Desktop Protocol - SharpRDP

Back


Id	cc46e76c-0d04-40b0-9c8b-929aa40513e7
Rulename	Remote Desktop Protocol - SharpRDP
Description	This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
Severity	Medium
Tactics	LateralMovement
Techniques	T1021.001
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml
Version	1.0.0
Arm template	cc46e76c-0d04-40b0-9c8b-929aa40513e7.json

KQL

let executions = DeviceProcessEvents
| where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here. 
// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
//| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
| where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
| where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
| where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
executions
| join kind=leftsemi  (DeviceLogonEvents
| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId

YAML

triggerOperator: gt
version: 1.0.0
query: |
  let executions = DeviceProcessEvents
  | where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here. 
  // Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
  //| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
  | where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
  | where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
  | where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
  executions
  | join kind=leftsemi  (DeviceLogonEvents
  | where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId  
status: Available
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
  - DeviceLogonEvents
name: Remote Desktop Protocol - SharpRDP
queryPeriod: 1h
severity: Medium
kind: Scheduled
tactics:
- LateralMovement
id: cc46e76c-0d04-40b0-9c8b-929aa40513e7
description: |
    This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
relevantTechniques:
- T1021.001
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc46e76c-0d04-40b0-9c8b-929aa40513e7')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc46e76c-0d04-40b0-9c8b-929aa40513e7')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Remote Desktop Protocol - SharpRDP",
        "description": "This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let executions = DeviceProcessEvents\n| where InitiatingProcessFileName contains \"taskmgr\" and AccountName !contains \"_ladm\" // Include your LAPS /RID500 admin naming convention here. \n// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.\n//| where not(InitiatingProcessCommandLine has_any (\"/1\",\"/2\",\"/3\",\"/4\"))\n| where not(FolderPath =~ @\"c:\\Windows\\system32\\WerFault.exe\" and ProcessCommandLine contains \"-u -p\")\n| where not(FolderPath =~ @\"c:\\windows\\system32\\mmc.exe\" and ProcessCommandLine contains @\"C:\\WINDOWS\\System32\\services.msc\")\n| where not(FolderPath =~ @\"c:\\windows\\system32\\resmon.exe\");\nexecutions\n| join kind=leftsemi  (DeviceLogonEvents\n| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != \"\" and ActionType == \"LogonSuccess\") on DeviceId, LogonId\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1021.001"
        ],
        "alertRuleTemplateName": "cc46e76c-0d04-40b0-9c8b-929aa40513e7",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ],
            "entityType": "Process"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}