Remote Desktop Protocol - SharpRDP

Back


Id	cc46e76c-0d04-40b0-9c8b-929aa40513e7
Rulename	Remote Desktop Protocol - SharpRDP
Description	This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
Severity	Medium
Tactics	LateralMovement
Techniques	T1021.001
Required data connectors	MicrosoftThreatProtection
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml
Version	1.0.0
Arm template	cc46e76c-0d04-40b0-9c8b-929aa40513e7.json

KQL

let executions = DeviceProcessEvents
| where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here. 
// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
//| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
| where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
| where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
| where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
executions
| join kind=leftsemi  (DeviceLogonEvents
| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId

YAML

severity: Medium
triggerThreshold: 0
query: |
  let executions = DeviceProcessEvents
  | where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here. 
  // Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
  //| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
  | where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
  | where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
  | where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
  executions
  | join kind=leftsemi  (DeviceLogonEvents
  | where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId  
queryFrequency: 1h
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
  - DeviceLogonEvents
id: cc46e76c-0d04-40b0-9c8b-929aa40513e7
version: 1.0.0
name: Remote Desktop Protocol - SharpRDP
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml
queryPeriod: 1h
relevantTechniques:
- T1021.001
triggerOperator: gt
tactics:
- LateralMovement
description: |
    This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc46e76c-0d04-40b0-9c8b-929aa40513e7')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc46e76c-0d04-40b0-9c8b-929aa40513e7')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Remote Desktop Protocol - SharpRDP",
        "description": "This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let executions = DeviceProcessEvents\n| where InitiatingProcessFileName contains \"taskmgr\" and AccountName !contains \"_ladm\" // Include your LAPS /RID500 admin naming convention here. \n// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.\n//| where not(InitiatingProcessCommandLine has_any (\"/1\",\"/2\",\"/3\",\"/4\"))\n| where not(FolderPath =~ @\"c:\\Windows\\system32\\WerFault.exe\" and ProcessCommandLine contains \"-u -p\")\n| where not(FolderPath =~ @\"c:\\windows\\system32\\mmc.exe\" and ProcessCommandLine contains @\"C:\\WINDOWS\\System32\\services.msc\")\n| where not(FolderPath =~ @\"c:\\windows\\system32\\resmon.exe\");\nexecutions\n| join kind=leftsemi  (DeviceLogonEvents\n| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != \"\" and ActionType == \"LogonSuccess\") on DeviceId, LogonId\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1021.001"
        ],
        "alertRuleTemplateName": "cc46e76c-0d04-40b0-9c8b-929aa40513e7",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ],
            "entityType": "Process"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}