{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/remote-desktop-client/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Remote Desktop Client"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious instances of the Remote Desktop Services ActiveX Client (mstscax.dll) being loaded from unusual or unauthorized locations on Windows systems. Attackers may leverage RDP lateral movement techniques by loading this DLL in unauthorized contexts to gain access and control over other systems within the network. The rule focuses on detecting anomalous loading patterns of mstscax.dll outside typical system paths, which can be indicative of malicious lateral movement attempts. This detection is applicable to environments using Elastic Defend and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally using RDP.\u003c/li\u003e\n\u003cli\u003eTo facilitate the RDP connection, the attacker executes a process that loads the mstscax.dll.\u003c/li\u003e\n\u003cli\u003eThe mstscax.dll is loaded from a location outside the standard system paths (e.g., not from C:\\Windows\\System32).\u003c/li\u003e\n\u003cli\u003eThe system logs the image load event, capturing the process and the location from which mstscax.dll was loaded.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the unusual loading of mstscax.dll based on the configured criteria.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a remote desktop session to a target system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the target system, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can allow unauthorized access to sensitive systems and data, leading to potential data breaches, financial losses, and reputational damage. Lateral movement via RDP can allow attackers to expand their control within the network, compromising additional systems and escalating the impact of the attack. Early detection of suspicious mstscax.dll loading can prevent further propagation of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious RDP Client Image Load\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eprocess.executable\u003c/code\u003e exclusions for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) to capture the necessary data for the Sigma rule \u003ccode\u003eSuspicious RDP Client Image Load\u003c/code\u003e to function.\u003c/li\u003e\n\u003cli\u003eReview the process executable path in alerts to determine if \u003ccode\u003emstscax.dll\u003c/code\u003e was loaded from an unusual or unauthorized location.\u003c/li\u003e\n\u003cli\u003eInvestigate the network connections associated with the process to identify any suspicious remote connections or lateral movement attempts as described in the Overview.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the ability of adversaries to move laterally within the network as described in the Overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-rdp-client-imageload/","summary":"The rule detects suspicious loading of the Remote Desktop Services ActiveX Client (mstscax.dll) from unusual locations, potentially indicating RDP lateral movement on Windows systems.","title":"Suspicious RDP Client Image Load","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-rdp-client-imageload/"}],"language":"en","title":"CraftedSignal Threat Feed - Remote Desktop Client","version":"https://jsonfeed.org/version/1.1"}