.RDP File Created by Outlook Process

    Date: 11/05/2024

    Severity: Medium

    Summary

    ".RDP File Created by Outlook Process" refers to a situation where the Outlook email client writes a Remote Desktop Protocol (.rdp) connection file to disk, which is unusual and potentially suspicious. RDP files are normally used to establish remote connections to other systems; when one is created by an email client such as Outlook, it may signal malicious activity. This could indicate that an attacker has used an Outlook attachment to deliver or launch an RDP file, potentially enabling unauthorized remote access to the victim's machine. Monitoring for this behavior is important as part of detecting and mitigating cyber threats.

    Indicators of Compromise (IOC) List

    TargetFilename

    '.rdp'

    '\AppData\Local\Packages\Microsoft.Outlook_'

    '\AppData\Local\Microsoft\Olk\Attachments\'

    '\AppData\Local\Microsoft\Windows\'

    '\Content.Outlook\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Windows Security") AND eventtype = "4663") AND objectname IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")

    Detection Query 2

    (Technologygroup = "EDR") AND objectname IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")

    Detection Query 3

    (resourcename in ("Sysmon") AND eventtype = "11") AND TargetFilename IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")

    Detection Query 4

    (Technologygroup = "EDR") AND TargetFilename IN (".rdp","\AppData\Local\Packages\Microsoft.Outlook_","\AppData\Local\Microsoft\Olk\Attachments","\AppData\Local\Microsoft\Windows","\Content.Outlook")
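    The following Python script is an added example (not part of the Gurucul article and not Gurucul TDIR code) that applies the IOC list above to Sysmon Event ID 11 (FileCreate) records, the log source behind Detection Query 3. It treats '.rdp' as a filename suffix and the remaining indicators as path substrings, compared case-insensitively; the event dictionaries, host name, user name and file names are constructed for the example, and the olk.exe package path is a hypothetical placeholder.

```python
"""Added example (not Gurucul's code): apply the '.RDP File Created by Outlook
Process' indicators to Sysmon Event ID 11 (FileCreate) records.

Assumptions: events are dicts carrying the Sysmon field names EventID, Image,
Computer and TargetFilename; '.rdp' is matched as a filename suffix and the
Outlook directories as path substrings, both case-insensitively (NTFS paths are).
"""
from typing import Dict, Iterable, List

RDP_SUFFIX = ".rdp"

# Path substrings from the IOC list on this page. Doubled backslashes are plain
# Windows path separators (a raw string cannot end in a single backslash).
OUTLOOK_ATTACHMENT_PATHS = (
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
)


def is_outlook_rdp_file_creation(event: Dict[str, str]) -> bool:
    """True when a Sysmon FileCreate event matches the indicators: the created
    file ends in .rdp and lives in an Outlook attachment or cache directory."""
    if str(event.get("EventID", "")) != "11":      # only FileCreate events
        return False
    target = str(event.get("TargetFilename", "")).lower()
    if not target.endswith(RDP_SUFFIX):
        return False
    return any(path.lower() in target for path in OUTLOOK_ATTACHMENT_PATHS)


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter an event stream down to matches, keeping the fields an analyst
    needs for triage: host, creating process image and the file path."""
    return [
        {
            "Computer": e.get("Computer", "?"),
            "Image": e.get("Image", "?"),
            "TargetFilename": e.get("TargetFilename", ""),
        }
        for e in events
        if is_outlook_rdp_file_creation(e)
    ]


# Constructed sample events (hypothetical host, user, package and file names).
SAMPLE_EVENTS = [
    {  # classic Outlook: attachment opened from INetCache\Content.Outlook -> alert
        "EventID": "11", "Computer": "WS-042",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\"
                          "INetCache\\Content.Outlook\\ABCD1234\\invoice.rdp",
    },
    {  # new Outlook (olk.exe) attachment cache, upper-case extension -> alert
        "EventID": "11", "Computer": "WS-042",
        "Image": "C:\\Program Files\\WindowsApps\\<hypothetical-package>\\olk.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Olk\\"
                          "Attachments\\5\\meeting.RDP",
    },
    {  # .rdp saved by the user under Documents: not an Outlook path -> no alert
        "EventID": "11", "Computer": "WS-042",
        "Image": "C:\\Windows\\System32\\mstsc.exe",
        "TargetFilename": "C:\\Users\\jdoe\\Documents\\Default.rdp",
    },
    {  # .docx in Content.Outlook: right directory, wrong extension -> no alert
        "EventID": "11", "Computer": "WS-042",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\"
                          "INetCache\\Content.Outlook\\ABCD1234\\agenda.docx",
    },
    {  # same attachment deleted later (Sysmon Event ID 23): not a creation -> ignored
        "EventID": "23", "Computer": "WS-042",
        "Image": "C:\\Program Files\\WindowsApps\\<hypothetical-package>\\olk.exe",
        "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Olk\\"
                          "Attachments\\5\\meeting.RDP",
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```

    Run as-is, the script reports the first two sample events and ignores the other three. The page's queries match on the target path alone, and so does this example; adding an Image condition (outlook.exe or olk.exe) would narrow it to files written by the Outlook process itself, at the cost of missing the same attachment path written by a different process.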

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_office_outlook_rdp_file_creation.yml

    Tags

    SigmaMalware
