RDP File Creation From Suspicious Application

    Date: 08/14/2024

    Severity: Medium

    Summary

    "RDP File Creation From Suspicious Application" refers to a security concern where a potentially malicious application generates Remote Desktop Protocol (RDP) files. These files, which are typically used to remotely access and control computers, are created by the suspicious application to facilitate unauthorized access to systems. This could indicate a cybersecurity threat where the application is being used to set up remote access for malicious purposes, such as data theft or system compromise.

    Indicators of Compromise (IOC) List

    Image

    '\brave.exe'

    '\CCleaner Browser\Application\CCleanerBrowser.exe'

    '\chromium.exe'

    '\firefox.exe'

    '\Google\Chrome\Application\chrome.exe'

    '\iexplore.exe'

    '\microsoftedge.exe'

    '\msedge.exe'

    '\Opera.exe'

    '\Vivaldi.exe'

    '\Whale.exe'

    '\Outlook.exe'

    '\RuntimeBroker.exe'

    '\Thunderbird.exe'

    '\Discord.exe'

    '\Keybase.exe'

    '\msteams.exe'

    '\Slack.exe'

    '\teams.exe'

    TargetFilename

    '.rdp'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Sysmon") AND eventtype = "11") AND image in ("\\brave.exe","\\CCleaner Browser\\Application\\CCleanerBrowser.exe","\\chromium.exe","\\firefox.exe","\\Google\\Chrome\\Application\\chrome.exe","\\iexplore.exe","\\microsoftedge.exe","\\msedge.exe","\\Opera.exe","\\Vivaldi.exe","\\Whale.exe","\\Outlook.exe","\\RuntimeBroker.exe","\\Thunderbird.exe","\\Discord.exe","\\Keybase.exe","\\msteams.exe","\\Slack.exe","\\teams.exe") AND targetfilename = ".rdp"

    Detection Query 2

    (technologygroup = "EDR" ) AND image in ("\\brave.exe","\\CCleaner Browser\\Application\\CCleanerBrowser.exe","\\chromium.exe","\\firefox.exe","\\Google\\Chrome\\Application\\chrome.exe","\\iexplore.exe","\\microsoftedge.exe","\\msedge.exe","\\Opera.exe","\\Vivaldi.exe","\\Whale.exe","\\Outlook.exe","\\RuntimeBroker.exe","\\Thunderbird.exe","\\Discord.exe","\\Keybase.exe","\\msteams.exe","\\Slack.exe","\\teams.exe") AND targetfilename = ".rdp"
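    To show how the two queries above behave on telemetry, here is an added Python example that is not part of the Gurucul article or the referenced Sigma rule: it re-implements the match conditions (Sysmon Event ID 11, Image ending with one of the listed paths, TargetFilename ending with .rdp, both compared case-insensitively as Sigma's endswith modifier does) and runs them over a handful of constructed Sysmon records. The JSON field names follow Sysmon's event schema; every sample path and the log format itself are assumptions for illustration.

```python
"""Re-implementation of the 'RDP File Creation From Suspicious Application' match
logic, run over constructed Sysmon Event ID 11 (FileCreate) records.

Added example; not the article's or the Sigma project's code. Field names
(EventID, Image, TargetFilename) follow Sysmon's event schema; the JSON lines
and every file path below are constructed for illustration."""
import json

# Image suffixes from the rule's IOC list. They are compared against the end of
# the full Image path, case-insensitively, mirroring Sigma's `Image|endswith`.
SUSPICIOUS_IMAGE_SUFFIXES = (
    r"\brave.exe",
    r"\CCleaner Browser\Application\CCleanerBrowser.exe",
    r"\chromium.exe",
    r"\firefox.exe",
    r"\Google\Chrome\Application\chrome.exe",
    r"\iexplore.exe",
    r"\microsoftedge.exe",
    r"\msedge.exe",
    r"\Opera.exe",
    r"\Vivaldi.exe",
    r"\Whale.exe",
    r"\Outlook.exe",
    r"\RuntimeBroker.exe",
    r"\Thunderbird.exe",
    r"\Discord.exe",
    r"\Keybase.exe",
    r"\msteams.exe",
    r"\Slack.exe",
    r"\teams.exe",
)

SYSMON_FILE_CREATE = 11


def is_suspicious_rdp_creation(event: dict) -> bool:
    """True when a listed application writes a file whose name ends in .rdp."""
    if event.get("EventID") != SYSMON_FILE_CREATE:
        return False
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    if not target.endswith(".rdp"):
        return False
    return any(image.endswith(suffix.lower()) for suffix in SUSPICIOUS_IMAGE_SUFFIXES)


def parse_events(log_text: str) -> list:
    """One JSON object per non-empty line, as a Sysmon-to-SIEM forwarder might emit."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(log_text: str) -> list:
    """Return the TargetFilename of every record that matches the rule."""
    return [e["TargetFilename"] for e in parse_events(log_text) if is_suspicious_rdp_creation(e)]


# Constructed sample telemetry (assumed format: one JSON record per line).
# Record 1: .rdp downloaded by Edge (fires).
# Record 2: Outlook saving an attachment; the on-disk name is upper-case OUTLOOK.EXE
#           and only matches because the comparison is case-insensitive (fires).
# Record 3: mstsc.exe saving Default.rdp, the normal way .rdp files appear (no fire).
# Record 4: a browser download that is not an .rdp file (no fire).
# Record 5: an .rdp path in an Event ID 1 (ProcessCreate) record, wrong event type (no fire).
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.rdp"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\meeting.rdp"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\mstsc.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\Default.rdp"}
{"EventID": 11, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf"}
{"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\setup.rdp"}
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("ALERT: RDP file created by suspicious application:", hit)
```

    Running the block flags only the Edge and Outlook records. The mstsc.exe record is the point of the Image list: saving a connection from the RDP client itself is routine and must not fire, so the rule keys on the writing process rather than on the .rdp extension alone. If your pipeline normalises Image to a bare process name, drop the directory components from the longer suffixes (CCleanerBrowser.exe and chrome.exe) or the comparison will never match.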

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml


    Tags

    SigmaMalware
