Mstsc.EXE Execution With Local RDP File

    Date: 06/17/2025

    Severity: Low

    Summary

    Detects a potential Remote Desktop Protocol (RDP) connection initiated through mstsc.exe with a locally stored ".rdp" configuration file passed on the command line.

    Indicators of Compromise (IOC) List 

    Image : 

    '\mstsc.exe'

    OriginalFileName : 

    'mstsc.exe'

    CommandLine : 

    '.rdp'

    '.rdp"'

    'C:\ProgramData\Microsoft\WSL\wslg.rdp'

    ParentImage : 

    'C:\Windows\System32\lxss\wslhost.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND processname like  "mstsc.exe" and (commandline like ".rdp" or commandline like ".rdp") and parentprocessname not like  "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"

    Detection Query : 

    (technologygroup = "EDR" ) AND processname like  "mstsc.exe" and (commandline like ".rdp" or commandline like ".rdp") and parentprocessname not like  "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"

    Detection Query :

    ((((resourcename = "Sysmon"  AND eventtype = "1"  ) AND image like "\\mstsc.exe"  ) AND originalfilename like "mstsc.exe"  ) AND (commandline = ".rdp"  or commandline like ".rdp"  ) ) AND parentimage not like  "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"

    Detection Query :

    ((((technologygroup = "EDR"  ) AND image like "\\mstsc.exe"  ) AND originalfilename like "mstsc.exe"  ) AND (commandline = ".rdp"  or commandline like ".rdp"  ) ) AND parentimage not like  "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"
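    The queries above can be hard to read at a glance, so here is the same rule logic as a stand-alone Python function run over constructed process-creation records. This is an added example, not Gurucul's or SigmaHQ's code. It assumes that the ".rdp" and ".rdp"" patterns are suffix matches on the command line, that the wslhost.exe parent exclusion is an exact path match, and that the wslg.rdp exclusion is a substring match; the field names and sample events are constructed for the example.

```python
"""Added example: re-implementation of the mstsc.exe local .rdp file detection
described on this page, run over constructed process-creation records.
Not Gurucul's or SigmaHQ's code. Assumptions: '.rdp' / '.rdp"' are suffix
matches on the command line; the wslhost.exe parent filter is an exact match;
the wslg.rdp filter is a substring match.
"""
from dataclasses import dataclass
from typing import Optional

# Selector values copied from the IOC list on this page.
MSTSC_IMAGE_SUFFIX = "\\mstsc.exe"
MSTSC_ORIGINAL_NAME = "mstsc.exe"
RDP_SUFFIXES = (".rdp", '.rdp"')
WSL_HOST_PARENT = r"C:\Windows\System32\lxss\wslhost.exe"
WSLG_RDP_FILE = r"C:\ProgramData\Microsoft\WSL\wslg.rdp"


@dataclass
class ProcessEvent:
    """Minimal view of a Sysmon EID 1 or Security 4688 process-creation record."""
    record_id: int
    image: str
    command_line: str
    parent_image: str
    original_file_name: Optional[str] = None  # Sysmon only; 4688 has no PE metadata


def from_record(rec: dict) -> ProcessEvent:
    """Build a ProcessEvent from a SIEM-style dict (constructed field names)."""
    return ProcessEvent(
        record_id=int(rec["RecordId"]),
        image=rec.get("Image", ""),
        command_line=rec.get("CommandLine", ""),
        parent_image=rec.get("ParentImage", ""),
        original_file_name=rec.get("OriginalFileName"),
    )


def matches_local_rdp_file(ev: ProcessEvent) -> bool:
    """True when the event matches the selection and none of the WSLg filters."""
    image = ev.image.lower()
    cmd = ev.command_line.strip().lower()
    parent = ev.parent_image.lower()

    # Selection: the binary is mstsc.exe (path suffix, plus PE name when logged)
    if not image.endswith(MSTSC_IMAGE_SUFFIX):
        return False
    if ev.original_file_name is not None and ev.original_file_name.lower() != MSTSC_ORIGINAL_NAME:
        return False
    # ... and its last argument is an .rdp file, quoted or unquoted
    if not cmd.endswith(RDP_SUFFIXES):
        return False
    # Filters: WSLg starts mstsc.exe with its own profile; that launch is benign
    if parent == WSL_HOST_PARENT.lower():
        return False
    if WSLG_RDP_FILE.lower() in cmd:
        return False
    return True


def run_detection(records) -> list:
    """Return the record IDs of every event that triggers the rule."""
    return [ev.record_id for ev in map(from_record, records) if matches_local_rdp_file(ev)]


# Constructed sample telemetry (not real events).
SAMPLE_RECORDS = [
    {   # 1: Sysmon record, user opens a downloaded connection profile -> alert
        "RecordId": 1,
        "Image": r"C:\Windows\System32\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\vpn-access.rdp"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 2: WSLg bringing up its GUI session -> excluded by both filters
        "RecordId": 2,
        "Image": r"C:\Windows\System32\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": r"C:\Windows\System32\mstsc.exe C:\ProgramData\Microsoft\WSL\wslg.rdp",
        "ParentImage": r"C:\Windows\System32\lxss\wslhost.exe",
    },
    {   # 3: interactive connection by hostname, no .rdp file -> no alert
        "RecordId": 3,
        "Image": r"C:\Windows\System32\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": r"mstsc.exe /v:fileserver01 /admin",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 4: Security 4688 style record (no OriginalFileName), trailing space -> alert
        "RecordId": 4,
        "Image": r"C:\Windows\System32\mstsc.exe",
        "CommandLine": "mstsc.exe C:\\Temp\\jump.rdp ",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 5: a different program opening an .rdp file -> image check fails, no alert
        "RecordId": 5,
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r'notepad.exe "C:\Temp\jump.rdp"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    print("alerting record IDs:", run_detection(SAMPLE_RECORDS))
```

    Both WSLg filters are kept, as in the queries, because either field can be missing or normalised differently depending on the log source: the Security 4688 event carries the creator process name but no OriginalFileName, while the Sysmon event carries both.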

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml


    Tags: Sigma, Mstsc.EXE

