.RDP File Created by Outlook Process

Rule Info

Name
.RDP File Created by Outlook Process
Author
Florian Roth
Description
Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments.
Reference
https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
Date
2024-11-01 00:00:00
Modified
2024-11-03 00:00:00
Id
f748c45a-f8d3-4e6f-b617-fe176f695b8f
Tags
attack.defense-evasion
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f748c45a-f8d3-4e6f-b617-fe176f695b8f

Rule History

Author
Title
Date
Commit
Florian Roth
Merge PR #5070 from @Neo23x0 - Update `.RDP File Created by Outlook Process`
2024-11-04
fe999a5e9
Florian Roth
Merge PR #5063 from @Neo23x0 - Add & Update rules related to the suspicious creation of ".rdp" files
2024-11-01
0cb8d0e09
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022