{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sharprdp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend","Windows"],"_cs_severities":["high"],"_cs_tags":["lateral-movement","execution","windows","sharprdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies behavior associated with SharpRDP, a tool that performs authenticated command execution against a remote target over Remote Desktop Protocol (RDP), typically for lateral movement. The rule looks for an incoming RDP connection to a Windows host, followed by a write to a value under the RunMRU registry key (the Run dialog history at \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\u003c/code\u003e) containing a command such as \u0026ldquo;cmd.exe\u0026rdquo;, \u0026ldquo;powershell.exe\u0026rdquo;, \u0026ldquo;taskmgr.exe\u0026rdquo;, or a path on the redirected client drive such as \u0026ldquo;\\\\tsclient\\*.exe\u0026rdquo;. A process start within a short time frame whose parent is one of those commands, or whose executable is loaded from a \u0026ldquo;\\\\tsclient\u0026rdquo; path, completes the sequence and raises an alert. The same chain can also indicate other unauthorized remote command execution over RDP, so the rule helps defenders identify lateral movement within their Windows environments. 
The references link to more information about SharpRDP and related techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates over RDP to the target Windows host; the incoming connection on TCP port 3389 is accepted by \u003ccode\u003esvchost.exe\u003c/code\u003e, the process hosting the Remote Desktop Services service.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the desktop, typically by opening the Run dialog (Win+R) or a similar launcher such as Task Manager and typing a command; SharpRDP automates this step with injected keystrokes.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexplorer.exe\u003c/code\u003e records the typed command as a value under the \u003ccode\u003eRunMRU\u003c/code\u003e registry key, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003etaskmgr.exe\u003c/code\u003e, or a redirected-drive path such as \u003ccode\u003e\\\\tsclient\\*.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Run dialog launches the typed command, so the \u003ccode\u003eRunMRU\u003c/code\u003e write and the resulting process start occur within a short time of each other.\u003c/li\u003e\n\u003cli\u003eA child process is spawned with \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003etaskmgr.exe\u003c/code\u003e as its parent, or an executable is run directly from the redirected client drive via a \u003ccode\u003e\\\\tsclient\\*.exe\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes the attacker\u0026rsquo;s payload or carries out further lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established RDP session for further reconnaissance or exploitation.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is unauthorized access to sensitive data or systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful SharpRDP attack can give an attacker unauthorized access to sensitive systems and data within the target network. 
Attackers can use the compromised system to move laterally, escalate privileges, and deploy malware or ransomware. The severity of the impact depends on the attacker\u0026rsquo;s objectives and the value of the compromised assets. Identifying and responding to SharpRDP activity early can prevent significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the EQL rule \u0026ldquo;Potential SharpRDP Behavior\u0026rdquo; in your Elastic SIEM to detect the sequence described above, tuning the rule\u0026rsquo;s \u003ccode\u003efrom\u003c/code\u003e time frame as needed for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend on all Windows endpoints so that the process, registry, and network events the EQL sequence depends on are collected.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert the rule generates, focusing on the source IP address of the RDP connection, the authenticating user account, the \u003ccode\u003eRunMRU\u003c/code\u003e values written, and the processes started afterwards.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide included in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003cli\u003eMonitor for incoming RDP traffic (destination port 3389) from unexpected source IP addresses; SharpRDP is only one of many tools that produce it, so such connections warrant review regardless of which tool is behind them. The rule and this check both key on the default port, so adjust them if RDP listens elsewhere in your environment.\u003c/li\u003e\n\u003cli\u003eRestrict RDP access to controlled jump hosts and limit drive redirection where it is not required, per the post-incident hardening recommendations in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T17:46:58Z","date_published":"2026-05-12T17:46:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-potential-sharprdp-behavior/","summary":"This rule detects potential use of SharpRDP, a tool for authenticated command 
execution against a remote target via Remote Desktop Protocol (RDP) for lateral movement by identifying incoming RDP connections followed by RunMRU registry value modifications and subsequent process execution.","title":"Potential SharpRDP Behavior","url":"https://feed.craftedsignal.io/briefs/2026-05-potential-sharprdp-behavior/"}],"language":"en","title":"CraftedSignal Threat Feed — Sharprdp","version":"https://jsonfeed.org/version/1.1"}
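The three-stage chain the brief describes (an incoming RDP connection accepted by svchost.exe on 3389, an explorer.exe write of a launcher command or \\tsclient path to RunMRU, then a process start parented by that launcher or loaded from \\tsclient), correlated per host within a time window, as an added illustration in Python. This is not Elastic's EQL rule and not CraftedSignal's code: the flattened ECS-style field names, the 60-second window (a stand-in for an EQL maxspan), the RunMRU key path under HKEY_USERS, and the sample events for hosts ws01 through ws04 are constructed assumptions, and the matcher only approximates the EQL sequence engine's semantics.

```python
"""Per-host correlation of the SharpRDP chain over constructed events (an illustration, not Elastic's rule)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Run dialog history lives under ...\Explorer\RunMRU; each value holds "<typed command>\1".
RUNMRU_FRAGMENT = r"\currentversion\explorer\runmru"
# Launcher commands and redirected-drive paths the brief calls out, as lowercase glob patterns.
RUNMRU_PATTERNS = ("cmd.exe*", "powershell.exe*", "taskmgr.exe*", r"\\tsclient\*.exe*")
LAUNCHER_PARENTS = {"cmd.exe", "powershell.exe", "taskmgr.exe"}
TSCLIENT_EXE = r"\\tsclient\*.exe"
MAXSPAN = timedelta(seconds=60)  # assumed window, a stand-in for an EQL maxspan; the real rule's may differ

@dataclass
class Event:
    ts: datetime
    host: str
    category: str  # "network", "registry" or "process"
    fields: dict   # flattened ECS-style names; an assumption of this example, not a fixed schema

def is_incoming_rdp(e):
    """Stage 1: svchost.exe (Remote Desktop Services) accepts TCP 3389 from a non-loopback peer."""
    f = e.fields
    return (e.category == "network"
            and f.get("process.name", "").lower() == "svchost.exe"
            and f.get("destination.port") == 3389
            and f.get("network.direction") in ("incoming", "ingress")
            and f.get("source.ip") not in ("127.0.0.1", "::1"))

def is_runmru_launch(e):
    """Stage 2: explorer.exe records a launcher command or \\tsclient path in RunMRU."""
    f = e.fields
    if e.category != "registry" or f.get("process.name", "").lower() != "explorer.exe":
        return False
    if RUNMRU_FRAGMENT not in f.get("registry.path", "").lower():
        return False
    data = f.get("registry.data.strings", "").lower()
    return any(fnmatchcase(data, pattern) for pattern in RUNMRU_PATTERNS)

def is_launched_child(e):
    """Stage 3: a process parented by the launcher, or run straight off the redirected client drive."""
    f = e.fields
    if e.category != "process" or f.get("event.type") != "start":
        return False
    exe = f.get("process.executable", "").lower()
    return f.get("process.parent.name", "").lower() in LAUNCHER_PARENTS or fnmatchcase(exe, TSCLIENT_EXE)

def detect_sharprdp(events):
    """Match stages 1 -> 2 -> 3 in order, per host, within MAXSPAN; returns (net, reg, proc) triples."""
    hits = []
    partial = defaultdict(list)  # host -> [[stage1_event, stage2_event_or_None], ...]
    for e in sorted(events, key=lambda ev: ev.ts):
        live = [p for p in partial[e.host] if e.ts - p[0].ts <= MAXSPAN]  # expire stale partial matches
        partial[e.host] = live
        if is_incoming_rdp(e):
            live.append([e, None])
        elif is_runmru_launch(e):
            for p in live:
                if p[1] is None:
                    p[1] = e
                    break
        elif is_launched_child(e):
            for p in live:
                if p[1] is not None:
                    hits.append((p[0], p[1], e))
                    live.remove(p)
                    break
    return hits

T0 = datetime(2026, 5, 12, 17, 0, 0)
RUNMRU_PATH = r"HKEY_USERS\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"

def sample_events():
    """Constructed telemetry: full chains on ws01 and ws02; near-misses on ws03 (too slow) and ws04 (no RDP)."""
    at = lambda s: T0 + timedelta(seconds=s)
    rdp_in = lambda ip: {"process.name": "svchost.exe", "destination.port": 3389,
                         "network.direction": "incoming", "source.ip": ip}
    runmru = lambda cmd: {"process.name": "explorer.exe", "registry.path": RUNMRU_PATH, "registry.data.strings": cmd}
    started = lambda name, parent, exe: {"event.type": "start", "process.name": name,
                                         "process.parent.name": parent, "process.executable": exe}
    return [
        Event(at(0), "ws01", "network", rdp_in("10.10.5.23")),
        Event(at(9), "ws01", "registry", runmru(r"powershell.exe\1")),
        Event(at(14), "ws01", "process", started("whoami.exe", "powershell.exe", r"C:\Windows\System32\whoami.exe")),
        Event(at(100), "ws02", "network", rdp_in("10.10.5.23")),
        Event(at(105), "ws02", "registry", runmru(r"\\tsclient\c\tools\run.exe\1")),
        Event(at(108), "ws02", "process", started("run.exe", "explorer.exe", r"\\tsclient\c\tools\run.exe")),
        Event(at(200), "ws03", "network", rdp_in("10.10.7.9")),
        Event(at(210), "ws03", "registry", runmru(r"cmd.exe\1")),
        Event(at(400), "ws03", "process", started("net.exe", "cmd.exe", r"C:\Windows\System32\net.exe")),
        Event(at(500), "ws04", "registry", runmru(r"cmd.exe\1")),
        Event(at(503), "ws04", "process", started("net.exe", "cmd.exe", r"C:\Windows\System32\net.exe")),
    ]

def run_demo():
    """Summarise each hit as (host, source ip, RunMRU value written, process started)."""
    return [(n.host, n.fields["source.ip"], r.fields["registry.data.strings"], p.fields["process.name"])
            for n, r, p in detect_sharprdp(sample_events())]
```

Running `run_demo()` yields two hits, ws01 (whoami.exe under powershell.exe) and ws02 (run.exe loaded from \\tsclient), while ws03 is dropped because its process start falls outside the window and ws04 never produces the stage-1 RDP connection. The loopback exclusion in stage 1 mirrors the need to ignore local RDP reconnects; keep it in mind when triaging alerts whose source address is a jump host rather than an end user.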