Merge pull request #3628 from splunk/rdp_artifacts_and_evasion

rdp_artifacts_and_evasion

Author: patel-bhavin

detections/endpoint/enable_rdp_in_other_port_number.yml

@@ -1,7 +1,7 @@
 name: Enable RDP In Other Port Number
 id: 99495452-b899-11eb-96dc-acde48001122
-version: 13
-date: '2025-07-28'
+version: 14
+date: '2025-08-07'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -59,6 +59,7 @@ tags:
   analytic_story:
   - Prohibited Traffic Allowed or Protocol Mismatch
   - Windows Registry Abuse
+  - Windows RDP Artifacts and Defense Evasion
   - Interlock Ransomware
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/remote_desktop_process_running_on_system.yml

@@ -1,18 +1,18 @@
 name: Remote Desktop Process Running On System
 id: f5939373-8054-40ad-8c64-cec478a22a4a
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2025-08-07'
 author: David Dorsey, Splunk
 status: experimental
 type: Hunting
-description: The following analytic detects the execution of the remote desktop process
-  (mstsc.exe) on systems where it is not typically run. This detection leverages data
-  from Endpoint Detection and Response (EDR) agents, filtering out systems categorized
-  as common RDP sources. This activity is significant because unauthorized use of
-  mstsc.exe can indicate lateral movement or unauthorized remote access attempts.
-  If confirmed malicious, this could allow an attacker to gain remote control of a
-  system, potentially leading to data exfiltration, privilege escalation, or further
-  network compromise.
+description: The following analytic detects the execution of the remote desktop 
+  process (mstsc.exe) on systems where it is not typically run. This detection 
+  leverages data from Endpoint Detection and Response (EDR) agents, filtering 
+  out systems categorized as common RDP sources. This activity is significant 
+  because unauthorized use of mstsc.exe can indicate lateral movement or 
+  unauthorized remote access attempts. If confirmed malicious, this could allow 
+  an attacker to gain remote control of a system, potentially leading to data 
+  exfiltration, privilege escalation, or further network compromise.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -27,21 +27,24 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_path Processes.user Processes.user_id Processes.vendor_product
   | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
   | `remote_desktop_process_running_on_system_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: Remote Desktop may be used legitimately by users on the network.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: Remote Desktop may be used legitimately by users on the 
+  network.
 references: []
 tags:
   analytic_story:
   - Hidden Cobra Malware
   - Active Directory Lateral Movement
+  - Windows RDP Artifacts and Defense Evasion
   asset_type: Endpoint
   mitre_attack_id:
   - T1021.001

detections/endpoint/windows_default_rdp_file_creation.yml

@@ -0,0 +1,67 @@
+name: Windows Default RDP File Creation
+id: 00ab0805-4b0f-489f-8eda-ee3de5ed5b1c
+version: 1
+date: '2025-07-30'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This detection monitors the creation or modification of the Default.rdp file, typically found in the user's Documents folder. This file is automatically generated or updated by the Remote Desktop Connection client (mstsc.exe) when a user initiates an RDP session. It stores connection settings such as the last-used hostname, screen size, and other preferences. The presence or update of this file strongly suggests that an RDP session has been launched from the system. Since this file is commonly overlooked, it can serve as a valuable artifact in identifying remote access activity, including potential lateral movement or attacker-controlled sessions.
+data_source:
+- Sysmon EventID 11
+search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime 
+  FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\default.rdp 
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time 
+  Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path 
+  Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product 
+  | `security_content_ctime(lastTime)` 
+  | `security_content_ctime(firstTime)` 
+  |`drop_dm_object_name(Filesystem)`
+  | `windows_default_rdp_file_creation_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition,
+  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
+  endpoint product.
+known_false_positives: False positives will be present, filter as needed or restrict
+  to critical assets on the perimeter.
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+- https://thelocalh0st.github.io/posts/rdp/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: a file related to rdp connection named as default.rdp has been identified on $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 10
+  threat_objects: []
+tags:
+  analytic_story:
+  - Windows RDP Artifacts and Defense Evasion
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1021.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_creation/deafault_rdp_created.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_default_rdp_file_deletion.yml

@@ -0,0 +1,62 @@
+name: Windows Default Rdp File Deletion
+id: 30a334c1-f9a5-4fbd-8958-5b65a8435cb2
+version: 1
+date: '2025-07-30'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This detection identifies the deletion of the Default.rdp file from a user’s Documents folder. This file is automatically created or updated by the Remote Desktop Connection client (mstsc.exe) whenever a user initiates an RDP session. It contains session configuration data, such as the remote hostname and display settings. While the presence of this file is normal during legitimate RDP usage, its deletion may indicate an attempt to conceal evidence of remote access activity. Threat actors and red team operators often remove Default.rdp as part of post-access cleanup to evade forensic detection. Detecting this action—especially when correlated with recent RDP activity—can help identify defense evasion techniques and uncover potentially malicious use of remote desktop connections. Monitoring for this file's deletion adds an important layer of visibility into user behavior and can serve as an early indicator of interactive attacker presence.
+data_source:
+- Sysmon EventID 23
+- Sysmon EventID 26
+search: '`sysmon` EventCode IN ("23", "26") TargetFilename = "*\\default.rdp" 
+  | stats count min(_time) as firstTime, max(_time) as lastTime 
+  by action dest dvc file_path file_hash file_name file_modify_time process_exec process_guid process_id process_name process_path signature signature_id user user_id vendor_product 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_default_rdp_file_deletion_filter`'
+how_to_implement: To successfully implement this search, you need to ingest logs that
+  include the deleted target file name, process name, and process ID from your endpoints.
+  If you are using Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.
+known_false_positives: unknown
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+- https://thelocalh0st.github.io/posts/rdp/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: a file related to rdp connection named as default.rdp has been deleted on $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 40
+  threat_objects: []
+tags:
+  analytic_story:
+  - Windows RDP Artifacts and Defense Evasion
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1070.004
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_file_deleted.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_default_rdp_file_unhidden.yml

@@ -0,0 +1,75 @@
+name: Windows Default Rdp File Unhidden
+id: f5c1f64b-db59-4913-991e-3dac8adff288
+version: 1
+date: '2025-07-30'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is initiated using mstsc.exe. The Default.rdp file stores session configuration details such as the remote host address and screen settings. Unhiding this file is uncommon in normal user behavior and may indicate that an attacker or red team operator is attempting to access or manipulate RDP connection history that was previously hidden—either by default or as part of an earlier anti-forensics effort. This activity may represent part of a broader pattern of reconnaissance or staging for credential reuse, lateral movement, or forensic analysis evasion. Monitoring for this behavior can help uncover suspicious manipulation of user artifacts and highlight interactive attacker activity on a compromised host.
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
+  where Processes.process_name = "attrib.exe" Processes.process IN("*-s*", "*-h*") Processes.process = "*default.rdp*"
+  by Processes.action
+  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
+  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `windows_default_rdp_file_unhidden_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: unknown
+references:
+- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
+- https://thelocalh0st.github.io/posts/rdp/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A process unhiding default.rdp on $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 40
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+tags:
+  analytic_story:
+  - Windows RDP Artifacts and Defense Evasion
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1021.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog