Execution via TSClient Mountpoint
The rule detects execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on a target host, indicating a potential lateral movement attempt by executing malicious files from the shared mountpoint.
This detection identifies execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on a target Windows host. Adversaries may exploit the tsclient shared folder to execute malicious files and achieve lateral movement within a network. The tsclient mountpoint allows users in an RDP session to access local drives from the remote system, thus enabling attackers to transfer and execute tools or malware. This rule is designed to detect such activity by monitoring for process executions originating from the \\Device\\Mup\\tsclient\\ path. The rule leverages the Elastic Common Schema (ECS) and is compatible with various data sources, including Elastic Endpoint, Windows Security Event Logs, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike.
Attack Chain
- An attacker gains initial access to a network via compromised credentials or other means.
- The attacker establishes an RDP session to a target host within the network.
- The attacker copies a malicious executable to a drive accessible through the
tsclientmount point on the target host from the attacker's local machine (e.g.,C:\Users\<user>\malware.exe). - On the target host, the attacker navigates to the
\\Device\\Mup\\tsclient\<drive_letter>\path, where<drive_letter>corresponds to the drive shared from the RDP client (e.g.,\\Device\\Mup\\tsclient\C\Users\<user>\malware.exe). - The attacker executes the malicious executable from the
tsclientpath. - The executed malware performs malicious actions on the target host, such as reconnaissance, credential theft, or further lateral movement.
- The attacker uses the compromised host to access other systems and resources within the network.
Impact
A successful attack using this technique can lead to lateral movement within the network, potentially compromising sensitive data or critical systems. Attackers can use the compromised host as a launching point for further attacks, such as ransomware deployment or data exfiltration. The damage includes data breaches, system downtime, and financial losses.
Recommendation
- Deploy the "Execution via TSClient Mountpoint" Sigma rule to your SIEM to detect suspicious process executions originating from the
\\Device\\Mup\\tsclient\\path. - Monitor process creation events for executables running from the
\\Device\\Mup\\tsclient\\path using Windows Security Event Logs or Sysmon. - Implement network segmentation to limit RDP access to only necessary systems and users.
- Regularly review and analyze RDP logs for unauthorized access attempts.
- Use endpoint detection and response (EDR) tools to scan affected hosts and remove any malicious files or artifacts.
- Investigate any alerts generated by the Sigma rule or other security tools to identify and remediate potential lateral movement attempts.
Detection coverage 2
Execution via TSClient Mountpoint - Sysmon
highDetects execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on Windows systems using Sysmon.
Execution via TSClient Mountpoint - Security Events
highDetects execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on Windows systems using Windows Security Events (Event ID 4688).
Detection queries are available on the platform. Get full rules →