RDP to HTTP or HTTPS Target Ports

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1021.001` Remote Services: Remote Desktop Protocol
Command & Control	`T1572` Protocol Tunneling

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `selection`

DestinationPort: [443, 80]
Image|endswith: '\svchost.exe'
Initiated: true
SourcePort: 3389

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationPort`	eq	`443` corpus 7 (sigma 7) `80` corpus 6 (sigma 6)
`Image`	ends_with	`\svchost.exe` corpus 20 (sigma 20)
`Initiated`	eq	`true` corpus 40 (sigma 40)
`SourcePort`	eq	`3389` corpus 3 (sigma 3)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

RDP Over Reverse SSH Tunnel [sigma] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)