Query Details

Suspicious Rdp Files In Outlook Temporary Folders

Query

# Suspicious rdp files in Outlook temporary folders

### Description

This query is a hunting opportunity following Microsoft's threat intelligence report on Midnight Blizzard spear-phishing campaigns using RDP files. This query will identify *.rdp file creation in Outlook's temporary folders and covers both Windows 10 and Windows 11 OS endpoints.

### References
- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
- https://x.com/cyb3rops/status/1851880158640099675

### Microsoft Sentinel & Microsoft Defender XDR
```kql
// Following part reflects Windows 10 endpoints
let SuspiciousRdpFilesinOutlookWin10 = DeviceProcessEvents
| where ProcessCommandLine has @'\AppData\Local\Microsoft\'
    and ProcessCommandLine has @'\Content.Outlook\'
    and ProcessCommandLine has @'.rdp';
// Following part reflects Windows 11 endpoints
let SuspiciousRdpFilesinOutlookWin11 = DeviceProcessEvents
| where ProcessCommandLine has @'\AppData\Local\Microsoft\Olk\'
    and ProcessCommandLine has @'.rdp';
union SuspiciousRdpFilesinOutlookWin10,
    SuspiciousRdpFilesinOutlookWin11
| project TimeGenerated,
    DeviceName,
    ProcessCommandLine,
    AccountDomain,
    AccountName
```

### MITRE ATT&CK Mapping
- Tactic: Initial Access
- Technique ID: T1566.001
- [Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)

### Source

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 03/11/2024    | Initial publish                   |

Explanation

This query is designed to help identify potentially suspicious activity related to spear-phishing campaigns that use RDP (Remote Desktop Protocol) files. Specifically, it looks for the creation of RDP files in temporary folders used by Microsoft Outlook on Windows 10 and Windows 11 systems. The query checks for RDP file paths within specific directories associated with Outlook's temporary storage areas.

Here's a simple breakdown of what the query does:

1. Purpose: It aims to detect suspicious RDP files that might be part of a phishing attack, as reported by Microsoft's threat intelligence.
2. Targets: The query focuses on Windows 10 and Windows 11 endpoints.
3. Process: Both checks run against the `ProcessCommandLine` column of `DeviceProcessEvents`, so a hit means a process was started with such a path on its command line.
   - For Windows 10, it searches for RDP files in paths containing `\AppData\Local\Microsoft\` and `\Content.Outlook\`.
   - For Windows 11, it looks for RDP files in paths containing `\AppData\Local\Microsoft\Olk\`.
4. Output: It provides details such as the event timestamp (`TimeGenerated`), the device name, the command line that executed the process, and the account domain and name associated with the activity.
5. Security Context: This query is mapped to the MITRE ATT&CK framework under the tactic "Initial Access" and technique "Spearphishing Attachment" (T1566.001), indicating its relevance in identifying initial access vectors used by attackers.

Overall, this query is a proactive measure to hunt for and potentially mitigate threats from spear-phishing campaigns that exploit RDP files.
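As an added example (not part of the original query or its author's work), the hunt above can be complemented from the file side: the original keys on process command lines, whereas `DeviceFileEvents` records the `.rdp` file write itself, which can then be joined to `mstsc.exe` launches on the same device. Column names are the standard `DeviceFileEvents` / `DeviceProcessEvents` schema as exposed in Microsoft Sentinel; the 7-day lookback and the 1-hour launch window are assumptions to tune.

```kql
// Added example, not from the original page: complements the command-line
// hunt by looking at the .rdp file write itself in DeviceFileEvents and then
// checking whether mstsc.exe on the same device opened that file.
// Assumptions: 7d lookback, 1h window between file write and launch.
let lookback = 7d;
let launchWindow = 1h;
// .rdp files written into Outlook's temporary attachment folders
// (Win10: ...\AppData\Local\Microsoft\...\Content.Outlook\, Win11: ...\Olk\)
let OutlookTempRdpFiles = DeviceFileEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "FileCreated"
| where FileName endswith ".rdp"
| where FolderPath has @'\AppData\Local\Microsoft\'
    and (FolderPath has @'\Content.Outlook\' or FolderPath has @'\Olk\')
| project FileTime = TimeGenerated, DeviceName, FileName, FolderPath, SHA256,
    InitiatingProcessFileName, InitiatingProcessAccountName;
// Remote Desktop client launches that reference an .rdp file
let RdpLaunches = DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName =~ "mstsc.exe"
| where ProcessCommandLine has ".rdp"
| project LaunchTime = TimeGenerated, DeviceName, ProcessCommandLine,
    AccountDomain, AccountName;
OutlookTempRdpFiles
| join kind=leftouter RdpLaunches on DeviceName
// A launch matches only if it falls inside the window and names this file;
// a null LaunchTime (no launch on the device) evaluates to not matched
| extend LaunchMatched = LaunchTime between (FileTime .. (FileTime + launchWindow))
    and ProcessCommandLine has FileName
// Collapse back to one row per file so unopened files are still reported
| summarize LaunchCount = countif(LaunchMatched),
    LaunchCommandLine = take_anyif(ProcessCommandLine, LaunchMatched),
    LaunchAccount = take_anyif(strcat(AccountDomain, @'\', AccountName), LaunchMatched)
    by FileTime, DeviceName, FileName, FolderPath, SHA256,
    InitiatingProcessFileName, InitiatingProcessAccountName
| extend Opened = LaunchCount > 0
| order by Opened desc, FileTime desc
```

Files that were written and then opened by the Remote Desktop client sort first; files that were only saved still appear with `Opened == false`, so the triage list stays complete.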

Details

Michalis Michalos

Released: November 3, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

let, where, has, union, project