Date: 11/05/2024
Severity: Medium
Summary
".RDP File Created by Outlook Process" describes a situation in which the Outlook email client writes a Remote Desktop Protocol (.rdp) file to disk, which is unusual and potentially suspicious. RDP files are normally used to establish remote connections to other systems; when one is created by an email client such as Outlook, it may signal malicious activity. It can indicate that an attacker has used Outlook to deliver or execute an RDP file, potentially enabling unauthorized remote access to the victim's machine. Monitoring for this behavior is therefore an important part of detecting and mitigating such threats.
Indicators of Compromise (IOC) List
TargetFilename:
- '.rdp'
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- '\AppData\Local\Microsoft\Windows\'
- '\Content.Outlook\'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: (resourcename in ("Windows Security") AND eventtype = "4663") AND objectname IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")
Detection Query 2: (Technologygroup = "EDR") AND objectname IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")
Detection Query 3: (resourcename in ("Sysmon") AND eventtype = "11") AND TargetFilename IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")
Detection Query 4: (Technologygroup = "EDR") AND TargetFilename IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")
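As an added example (not part of this advisory or the referenced Sigma rule), the following Python applies the same path logic to constructed Sysmon Event ID 11 (FileCreate) records: '.rdp' must be the file's actual extension, the path must contain one of the Outlook directory fragments listed above, and, as the rule's title implies, the creating image must be outlook.exe (that process check is an assumption; the queries above do not include it).

```python
from typing import Iterable

# Outlook attachment/temp directory fragments from the IOC list above.
# Windows paths are case-insensitive, so every comparison is done in lower case.
OUTLOOK_ATTACHMENT_PATHS = (
    "\\appdata\\local\\packages\\microsoft.outlook_",
    "\\appdata\\local\\microsoft\\olk\\attachments\\",
    "\\appdata\\local\\microsoft\\windows\\",
    "\\content.outlook\\",
)

def is_outlook_rdp_drop(event: dict) -> bool:
    """True for a Sysmon FileCreate (Event ID 11) record in which outlook.exe
    writes a file whose real extension is .rdp into one of Outlook's directories."""
    if str(event.get("EventID")) != "11":
        return False
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    # Assumption: the creating process must be Outlook, as the rule's title implies.
    if not image.endswith("\\outlook.exe"):
        return False
    # endswith, not a substring test: 'notes.rdp.txt' must not match.
    if not target.endswith(".rdp"):
        return False
    return any(fragment in target for fragment in OUTLOOK_ATTACHMENT_PATHS)

def find_alerts(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event that satisfies the detection."""
    return [e["TargetFilename"] for e in events if is_outlook_rdp_drop(e)]

# Constructed sample telemetry (not real events).
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    # Attachment opened from the reading pane: alert.
    {"EventID": 11, "Image": OUTLOOK, "TargetFilename":
     r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\invoice.rdp"},
    # Olk attachments directory; upper-case extension still alerts.
    {"EventID": 11, "Image": OUTLOOK, "TargetFilename":
     r"C:\Users\alice\AppData\Local\Microsoft\Olk\Attachments\7f3\report.RDP"},
    # '.rdp' only inside the name, not the extension: no alert.
    {"EventID": 11, "Image": OUTLOOK, "TargetFilename":
     r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\notes.rdp.txt"},
    # Admin saving a connection file from mstsc to Documents: no alert.
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\jump-host.rdp"},
]

if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT: .rdp file written by Outlook ->", path)
```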
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml