Date: 06/17/2025
Severity: Low
Summary
Detects a potential Remote Desktop Protocol (RDP) connection initiated through mstsc.exe (Microsoft Remote Desktop Connection) when it is launched with a locally stored ".rdp" configuration file as its argument.
Indicators of Compromise (IOC) List
Image: '\mstsc.exe'
OriginalFileName: 'mstsc.exe'
CommandLine: '.rdp', '.rdp"', 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
(The Image, OriginalFileName and ".rdp" command-line values are the match criteria; the wslhost.exe parent together with the wslg.rdp path is the benign WSLg launch that the queries below exclude.)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Windows Security, Event ID 4688):
(resourcename = "Windows Security" AND eventtype = "4688" ) AND processname like "mstsc.exe" and (commandline like ".rdp" or commandline like ".rdp") and parentprocessname not like "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"

Detection Query (EDR, process name and parent process fields):
(technologygroup = "EDR" ) AND processname like "mstsc.exe" and (commandline like ".rdp" or commandline like ".rdp") and parentprocessname not like "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"

Detection Query (Sysmon, Event ID 1):
((((resourcename = "Sysmon" AND eventtype = "1" ) AND image like "\\mstsc.exe" ) AND originalfilename like "mstsc.exe" ) AND (commandline = ".rdp" or commandline like ".rdp" ) ) AND parentimage not like "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"

Detection Query (EDR, Sysmon-style image and parent image fields):
((((technologygroup = "EDR" ) AND image like "\\mstsc.exe" ) AND originalfilename like "mstsc.exe" ) AND (commandline = ".rdp" or commandline like ".rdp" ) ) AND parentimage not like "C:\Windows\System32\lxss\wslhost.exe" and commandline not like "C:\ProgramData\Microsoft\WSL\wslg.rdp"
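Added example, not part of the Gurucul page or the referenced SigmaHQ rule: the detection logic above expressed in Python and run over constructed process-creation events. Field names follow Sysmon Event ID 1, string comparisons are case-insensitive because Windows paths are, and the WSLg exclusion is applied as the Sigma rule states it (parent wslhost.exe and a command line ending in wslg.rdp must both hold).

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    # mstsc.exe opening a downloaded .rdp file: should alert.
    {"Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" C:\Users\alice\Downloads\invoice.rdp',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Quoted path with a space: command line ends in .rdp" rather than .rdp.
    {"Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Desktop\my server.rdp"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign WSLg launch: parent is wslhost.exe and the file is wslg.rdp, so excluded.
    {"Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" C:\ProgramData\Microsoft\WSL\wslg.rdp',
     "ParentImage": r"C:\Windows\System32\lxss\wslhost.exe"},
    # mstsc.exe given a host on the command line, no .rdp file: not in scope of this rule.
    {"Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" /v:10.0.0.5',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def matches_local_rdp_file(event):
    """True when mstsc.exe was launched with a local .rdp file as its argument,
    unless the event is the benign WSLg launch (wslhost.exe parent + wslg.rdp)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()

    selection = (
        image.endswith("\\mstsc.exe")
        and original == "mstsc.exe"
        and (cmd.endswith(".rdp") or cmd.endswith('.rdp"'))
    )
    wslg_filter = (
        parent == r"c:\windows\system32\lxss\wslhost.exe"
        and cmd.endswith(r"c:\programdata\microsoft\wsl\wslg.rdp")
    )
    return selection and not wslg_filter


def find_alerts(events):
    """Return the command lines of all events that the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_local_rdp_file(e)]


if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```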
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml