detection.wiki

Detection rules › Sigma

.RDP File Created By Uncommon Application

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\CCleaner Browser\Application\CCleanerBrowser.exe'
Image|endswith: '\Discord.exe'
Image|endswith: '\Google\Chrome\Application\chrome.exe'
Image|endswith: '\Keybase.exe'
Image|endswith: '\Opera.exe'
Image|endswith: '\Outlook.exe'
Image|endswith: '\RuntimeBroker.exe'
Image|endswith: '\Slack.exe'
Image|endswith: '\Thunderbird.exe'
Image|endswith: '\Vivaldi.exe'
Image|endswith: '\Whale.exe'
Image|endswith: '\brave.exe'
Image|endswith: '\chromium.exe'
Image|endswith: '\firefox.exe'
Image|endswith: '\iexplore.exe'
Image|endswith: '\microsoftedge.exe'
Image|endswith: '\msedge.exe'
Image|endswith: '\msteams.exe'
Image|endswith: '\olk.exe'
Image|endswith: '\teams.exe'
TargetFilename|endswith: .rdp

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \CCleaner Browser\Application\CCleanerBrowser.exe
  • \Discord.exe corpus 3 (sigma 3)
  • \Google\Chrome\Application\chrome.exe
  • \Keybase.exe
  • \Opera.exe
  • \Outlook.exe
  • \RuntimeBroker.exe corpus 4 (sigma 4)
  • \Slack.exe
  • \Thunderbird.exe
  • \Vivaldi.exe
  • \Whale.exe
  • \brave.exe corpus 20 (sigma 20)
  • \chromium.exe
  • \firefox.exe corpus 6 (sigma 6)
  • \iexplore.exe corpus 4 (sigma 4)
  • \microsoftedge.exe
  • \msedge.exe corpus 22 (sigma 22)
  • \msteams.exe corpus 3 (sigma 3)
  • \olk.exe
  • \teams.exe corpus 2 (sigma 2)
TargetFilenameends_with
  • .rdp corpus 2 (sigma 2)