
Summary
This detection rule identifies potential Remote Desktop Protocol (RDP) tunneling attempts that use Plink, the command-line interface to the PuTTY back end. The rule flags invocations of Plink whose command-line arguments indicate tunneling, such as connections directed to port 3389, the port normally used for RDP access. The rule captures two patterns: the first is direct RDP tunneling through a local forward (i.e., a command line containing :127.0.0.1:3389), while the second is any invocation of Plink that connects to port 3389 or uses alternative ports such as 443 or 22, which are commonly associated with secure data transmission (HTTPS) or SSH. Because such tunneling can bypass traditional perimeter controls, detecting this behavior is crucial for preventing unauthorized access and data exfiltration.
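The two patterns described above, expressed as process-event matching logic and run over a handful of constructed process-creation records. This is an added example written for this page, not the rule's own query syntax; the `ProcessEvent` shape, the exact regular expressions, and the sample command lines and hostnames are assumptions made here to illustrate the logic. The second pattern is approximated as "port 3389 anywhere in the arguments, or a `-P 443` / `-P 22` remote port", which is one reasonable reading of the summary.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape; fields named after common EDR telemetry)."""
    image: str          # full path of the executable
    command_line: str   # full command line as logged


# Pattern 1: an SSH port-forward that terminates on the local RDP listener.
# The rule keys on the literal ":127.0.0.1:3389" fragment of a -L / -R argument.
LOCAL_RDP_FORWARD = re.compile(r":127\.0\.0\.1:3389(?!\d)")

# Pattern 2 (approximation): Plink referencing port 3389 anywhere, or Plink
# connecting over the "alternative" ports 443 / 22 via its -P option.
RDP_PORT_TOKEN = re.compile(r"(?<![\d.])3389(?![\d.])")
ALT_PORT_OPTION = re.compile(r"-P\s+(?:443|22)\b")


def is_plink(image: str) -> bool:
    """True when the process image file name is plink.exe (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] == "plink.exe"


def match_rdp_tunneling(event: ProcessEvent) -> Optional[str]:
    """Return the name of the matching pattern, or None when the event is not suspicious."""
    if not is_plink(event.image):
        return None  # the rule only applies to Plink invocations
    if LOCAL_RDP_FORWARD.search(event.command_line):
        return "local_rdp_forward"
    if RDP_PORT_TOKEN.search(event.command_line) or ALT_PORT_OPTION.search(event.command_line):
        return "plink_port_pattern"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run the detection over a batch of events and return (command_line, pattern) for hits."""
    hits = []
    for ev in events:
        pattern = match_rdp_tunneling(ev)
        if pattern is not None:
            hits.append((ev.command_line, pattern))
    return hits


# Constructed sample telemetry (hostnames and paths are placeholders, not real systems).
SAMPLE_EVENTS = [
    # reverse forward exposing the local RDP listener through an SSH session -> pattern 1
    ProcessEvent(r"C:\Tools\plink.exe",
                 "plink.exe -ssh -R 12345:127.0.0.1:3389 user@relay.example"),
    # Plink pinned to port 443 to blend in with HTTPS -> pattern 2
    ProcessEvent(r"C:\Users\Public\plink.exe",
                 "plink.exe -P 443 -ssh user@host.example"),
    # ordinary remote command over SSH, no port forwarding -> no match
    ProcessEvent(r"C:\Program Files\PuTTY\plink.exe",
                 'plink.exe -ssh user@host.example "uptime"'),
    # mstsc talking to loopback is not Plink, so it is out of scope for this rule
    ProcessEvent(r"C:\Windows\System32\mstsc.exe",
                 "mstsc.exe /v:127.0.0.1:3389"),
    # local forward to an internal RDP host: pattern 1 fails (not 127.0.0.1), pattern 2 fires
    ProcessEvent(r"C:\Tools\plink.exe",
                 "plink.exe -L 3390:rdp.internal.example:3389 user@jump.example"),
]


if __name__ == "__main__":
    for cmd, pattern in scan(SAMPLE_EVENTS):
        print(f"[{pattern}] {cmd}")
```

Note that the loopback-only first pattern is the high-confidence one; the broader second pattern will also match legitimate administrative use of Plink over port 22, so in practice it is worth correlating hits against the invoking user, the parent process and the destination host before escalating.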
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-08-04