Remote Desktop Protocol - SharpRDP
Id | cc46e76c-0d04-40b0-9c8b-929aa40513e7 |
Rulename | Remote Desktop Protocol - SharpRDP |
Description | This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes. |
Severity | Medium |
Tactics | LateralMovement |
Techniques | T1021.001 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml |
Version | 1.0.0 |
Arm template | cc46e76c-0d04-40b0-9c8b-929aa40513e7.json |
let executions = DeviceProcessEvents
| where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here.
// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
//| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
| where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
| where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
| where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
executions
| join kind=leftsemi (DeviceLogonEvents
| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId
severity: Medium
triggerThreshold: 0
query: |
let executions = DeviceProcessEvents
| where InitiatingProcessFileName contains "taskmgr" and AccountName !contains "_ladm" // Include your LAPS /RID500 admin naming convention here.
// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.
//| where not(InitiatingProcessCommandLine has_any ("/1","/2","/3","/4"))
| where not(FolderPath =~ @"c:\Windows\system32\WerFault.exe" and ProcessCommandLine contains "-u -p")
| where not(FolderPath =~ @"c:\windows\system32\mmc.exe" and ProcessCommandLine contains @"C:\WINDOWS\System32\services.msc")
| where not(FolderPath =~ @"c:\windows\system32\resmon.exe");
executions
| join kind=leftsemi (DeviceLogonEvents
| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != "" and ActionType == "LogonSuccess") on DeviceId, LogonId
queryFrequency: 1h
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- DeviceLogonEvents
id: cc46e76c-0d04-40b0-9c8b-929aa40513e7
version: 1.0.0
name: Remote Desktop Protocol - SharpRDP
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml
queryPeriod: 1h
relevantTechniques:
- T1021.001
triggerOperator: gt
tactics:
- LateralMovement
description: |
This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- entityType: Account
fieldMappings:
- identifier: Sid
columnName: AccountSid
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc46e76c-0d04-40b0-9c8b-929aa40513e7')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc46e76c-0d04-40b0-9c8b-929aa40513e7')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Remote Desktop Protocol - SharpRDP",
"description": "This detection monitors for the behavior that SharpRDP exhibits on the target system. The most relevant is leveraging taskmgr.exe to gain elevated execution, which means that taskmgr.exe is creating unexpected child processes.\n",
"severity": "Medium",
"enabled": true,
"query": "let executions = DeviceProcessEvents\n| where InitiatingProcessFileName contains \"taskmgr\" and AccountName !contains \"_ladm\" // Include your LAPS /RID500 admin naming convention here. \n// Add the below filter to look for stock SharpRDP behavior. However, with minorchanges to the stock version of SharpRDP the filter below can be bypassed.\n//| where not(InitiatingProcessCommandLine has_any (\"/1\",\"/2\",\"/3\",\"/4\"))\n| where not(FolderPath =~ @\"c:\\Windows\\system32\\WerFault.exe\" and ProcessCommandLine contains \"-u -p\")\n| where not(FolderPath =~ @\"c:\\windows\\system32\\mmc.exe\" and ProcessCommandLine contains @\"C:\\WINDOWS\\System32\\services.msc\")\n| where not(FolderPath =~ @\"c:\\windows\\system32\\resmon.exe\");\nexecutions\n| join kind=leftsemi (DeviceLogonEvents\n| where LogonType in ('Unlock', 'RemoteInteractive') and not (LogonType == 'Unlock' and RemoteIP == '127.0.0.1') and RemoteIP != \"\" and ActionType == \"LogonSuccess\") on DeviceId, LogonId\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"LateralMovement"
],
"techniques": [
"T1021.001"
],
"alertRuleTemplateName": "cc46e76c-0d04-40b0-9c8b-929aa40513e7",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "AccountSid",
"identifier": "Sid"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
],
"entityType": "Process"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RemoteDesktopProtocol.yaml",
"templateVersion": "1.0.0",
"status": "Available"
}
}
]
}