medium advisory

Suspicious RDP Client Image Load

The rule detects the Remote Desktop Services ActiveX Client (mstscax.dll) being loaded by a process that runs from an unusual location, which can indicate RDP-based lateral movement on Windows systems.

This detection flags the Remote Desktop Services ActiveX Client (mstscax.dll) being loaded into a process that runs from an unusual or unauthorized location on a Windows host. mstscax.dll implements the RDP client; it is normally loaded by the built-in client mstsc.exe from C:\Windows\System32 (or C:\Windows\SysWOW64 for 32-bit clients). An attacker who has compromised one host and pivots over RDP with a custom, renamed or dropped client (a user profile, a temp directory, a network share) still needs that DLL, so the load shows up with an unexpected loading process. The rule keys on the path of the loading process rather than on the DLL itself, which is why the process.executable exclusion list is the main tuning point. It applies to environments that collect image-load telemetry through Elastic Defend or Sysmon.

Attack Chain

  1. An attacker compromises a system within the network.
  2. The attacker attempts to move laterally using RDP.
  3. To open the RDP connection, the attacker runs an RDP client, which loads mstscax.dll.
  4. The loading process runs from a location outside the standard system paths (for example a user profile, a temp directory or a network share rather than C:\Windows\System32).
  5. The endpoint logs the image-load event (Sysmon Event ID 7 or the equivalent Elastic Defend library event), capturing the loading process and the DLL path.
  6. The detection rule matches the load of mstscax.dll by a process outside the expected locations.
  7. The attacker establishes a remote desktop session to the target system.
  8. The attacker gains control over the target system, enabling further malicious activity.

Impact

A successful attack gives the adversary interactive access to additional systems and the data on them, leading to potential data breaches, financial loss and reputational damage. RDP lateral movement is a common way to expand a foothold across a network, compromising further systems and escalating the overall impact. Catching the anomalous mstscax.dll load early, before the session is established, limits how far the intrusion spreads.

Recommendation

  • Deploy the Sigma rule Suspicious RDP Client Image Load to your SIEM and tune the process.executable exclusions for your environment (legitimate third-party RDP clients under Program Files are the usual source of false positives).
  • Enable Sysmon Event ID 7 (Image Loaded) so the rule has data to work on. Image-load logging is not active in a default Sysmon deployment and is very high volume, so scope the ImageLoad rule in your Sysmon configuration to mstscax.dll (and any other DLLs you monitor) rather than logging every load.
  • On an alert, review the loading process's executable path (Image in Sysmon, process.executable in Elastic) to determine whether mstscax.dll was loaded by a client running from an unusual or unauthorized location.
  • Investigate the network connections made by that process, in particular outbound TCP 3389 to other internal hosts, to confirm or rule out an RDP lateral movement attempt.
  • Implement network segmentation and restrict which hosts may reach RDP on which targets, so that a single compromised workstation cannot open RDP sessions across the network.

Detection coverage (2 rules)

Suspicious RDP Client Image Load

medium

Detects the Remote Desktop Services ActiveX Client (mstscax.dll) being loaded by a process running outside of typical system paths, which may indicate RDP lateral movement.

Format: sigma; tactic: lateral_movement; technique: T1021.001 (Remote Services: Remote Desktop Protocol); log sources: image_load, windows

Suspicious RDP Client Image Load from Network Path

high

Detects mstscax.dll being loaded from a network share, which is highly unusual for legitimate RDP client activity and is therefore rated higher than the generic rule.

Format: sigma; tactic: lateral_movement; technique: T1021.001 (Remote Services: Remote Desktop Protocol); log sources: image_load, windows
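The hosted rules' exact queries are not on this page, so the following is an added Python example, not the platform's or SigmaHQ's rule logic, that applies both detections above (and the triage steps in the Recommendation section) to constructed Sysmon Event ID 7 records. It assumes a trusted-directory allowlist of its own (System32, SysWOW64 and the two Program Files trees) standing in for the process.executable exclusions you would tune, uses the real Sysmon field names Image (loading process) and ImageLoaded (DLL), and reads the "network path" rule as either the client executable or the DLL itself living on a UNC share. The sample events are made up for the demonstration.

```python
r"""Evaluate the two mstscax.dll image-load detections over constructed Sysmon
Event ID 7 records.  Added example; the allowlist and the severity mapping are
assumptions, not the hosted rules' real logic."""
import ntpath

# Assumed allowlist of directories a legitimate RDP client runs from.  This is
# the knob the recommendation calls the process.executable exclusions.
TRUSTED_PROCESS_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


def normalize(path: str) -> str:
    r"""Lower-case, strip the \\?\ device prefix and collapse '..' so a path
    like C:\Windows\System32\..\Temp\x.exe cannot dodge a prefix match."""
    p = path.strip().lower()
    if p.startswith("\\\\?\\unc\\"):          # \\?\UNC\server\share -> \\server\share
        p = "\\\\" + p[len("\\\\?\\unc\\"):]
    elif p.startswith("\\\\?\\"):             # \\?\C:\... -> C:\...
        p = p[len("\\\\?\\"):]
    return ntpath.normpath(p)


def is_network_path(path: str) -> bool:
    r"""True for UNC paths (\\server\share\...), i.e. an image run or loaded
    straight from a network share."""
    return normalize(path).startswith("\\\\")


def under_trusted_dir(executable: str) -> bool:
    """True when the loading process lives under one of the allowlisted trees."""
    exe = normalize(executable)
    return any(exe.startswith(normalize(d) + "\\") for d in TRUSTED_PROCESS_DIRS)


def classify(event: dict):
    """Return None (no alert), 'medium' or 'high' for one Sysmon record.
    Sysmon Event ID 7 fields: Image is the loading process, ImageLoaded the DLL."""
    if event.get("EventID") != 7:
        return None
    if ntpath.basename(normalize(event["ImageLoaded"])) != "mstscax.dll":
        return None
    exe = event["Image"]
    # High: client executable or the DLL itself served from a network share
    # (assumed reading of the "from Network Path" rule).
    if is_network_path(exe) or is_network_path(event["ImageLoaded"]):
        return "high"
    # Medium: loader is outside every expected install location.
    if not under_trusted_dir(exe):
        return "medium"
    return None


def triage(events):
    """Return [(severity, process, dll)] for every record that alerts."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed sample records (simplified Sysmon Event ID 7 fields, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\mstsc.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},              # benign built-in client
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\rdp.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},              # medium: dropped client
    {"EventID": 7, "Image": r"\\fileserver\tools\mstsc.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},              # high: client on a share
    {"EventID": 7, "Image": r"C:\Windows\System32\..\Temp\client.exe",
     "ImageLoaded": r"C:\Windows\System32\MSTSCAX.DLL"},              # medium: traversal trick
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},             # unrelated DLL
    {"EventID": 1, "Image": r"C:\Users\bob\Desktop\rdp.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll"},              # not an image-load event
]

if __name__ == "__main__":
    for sev, proc, dll in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {proc} loaded {dll}")
```

Running the block prints the three alerting records (two medium, one high) and stays silent on the benign mstsc.exe load, the unrelated DLL and the non-image-load event. The normalize step matters in practice: without collapsing `..` and the `\\?\` prefix, a client launched as C:\Windows\System32\..\Temp\client.exe would pass a naive System32 prefix check.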

Detection queries are kept inside the platform.