Query Details

Suspicious Rdp Files In Outlook Temporary Folders

Query

// Following part reflects Windows 10 endpoints
let SuspiciousRdpFilesinOutlookWin10 = DeviceProcessEvents
| where ProcessCommandLine has @'\AppData\Local\Microsoft\' 
    and ProcessCommandLine has @'\Content.Outlook\' 
    and ProcessCommandLine has @'.rdp';
// Following part reflects Windows 11 endpoints
let SuspiciousRdpFilesinOutlookWin11 = DeviceProcessEvents
| where ProcessCommandLine has @'\AppData\Local\Microsoft\Olk\'
    and ProcessCommandLine has @'.rdp';
union SuspiciousRdpFilesinOutlookWin10,
    SuspiciousRdpFilesinOutlookWin11
| project TimeGenerated, 
    DeviceName, 
    ProcessCommandLine, 
    AccountDomain, 
    AccountName

About this query

Explanation

This query is designed to detect potentially suspicious activity related to Remote Desktop Protocol (RDP) files being created in temporary folders used by Outlook on Windows 10 and Windows 11 computers. The query is based on a threat intelligence report from Microsoft about a spear-phishing campaign by a group called Midnight Blizzard, which uses RDP files as part of their attack strategy.

Here's a simple breakdown of what the query does:

  1. Purpose: It aims to identify the creation of RDP files in specific Outlook temporary folders, which could indicate a phishing attempt.

  2. Scope: The query checks both Windows 10 and Windows 11 systems.

  3. How it works:

    • For Windows 10, it looks for RDP files in the \AppData\Local\Microsoft\Content.Outlook\ directory.
    • For Windows 11, it checks the \AppData\Local\Microsoft\Olk\ directory for RDP files.
    • It combines results from both Windows 10 and Windows 11 checks.
  4. Output: The query provides details such as the time the event was generated, the device name, the command line that was executed, and the account details (domain and name) associated with the event.

  5. Considerations: If your environment has a specific security rule enabled that blocks Office applications from creating child processes, this query might not detect any activity because users would need to save the RDP files manually before opening them.

  6. Relevance: This query is mapped to a specific MITRE ATT&CK tactic and technique related to initial access through spear-phishing attachments.

Overall, this query helps security teams monitor and potentially identify malicious activities involving RDP files that could be part of a phishing attack.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: November 4, 2024

Tables

DeviceProcessEvents

Keywords

DevicesProcessCommandLineAccountDomainNameTimeGenerated

Operators

let|wherehasunionproject

MITRE Techniques

Actions

GitHub