Sigma rules for CVE-2025-29966
7 rules · scoped to cve · back to CVE-2025-29966
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
- id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
type: similar
- id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
- https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
- attack.initial-access
- attack.persistence
- attack.lateral-movement
- attack.t1133
- attack.t1136.001
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
- https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
- https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
- attack.command-and-control
- attack.t1090
logsource:
product: windows
service: terminalservices-localsessionmanager
detection:
selection:
EventID: 21
Address|contains: '16777216'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
- https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.lateral-movement
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
selection_opt:
CommandLine|contains:
- ' -L '
- ' -P '
- ' -R '
- ' -pw '
- ' -ssh '
condition: all of selection*
falsepositives:
- Unknown
level: medium
title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
author: frack113
date: 2022-01-07
modified: 2024-06-04
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
selection_cli:
CommandLine|contains|windash: ' /v:'
filter_optional_wsl:
# Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- WSL (Windows Sub System For Linux)
level: medium
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4825
condition: selection
falsepositives:
- Valid user was not added to RDP group
level: medium
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
- n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
service: ntlm
definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8001
TargetName|startswith: 'TERMSRV'
condition: selection
falsepositives:
- Host connections to valid domains, exclude these.
- Host connections not using host FQDN.
- Host connections to external legitimate domains.
level: medium
title: Potentially Suspicious Windows App Activity
id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
status: test
description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
references:
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2025-10-07
tags:
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection_parent:
# GrandParentImage|endswith: '\sihost.exe'
ParentImage|contains: 'C:\Program Files\WindowsApps\'
selection_susp_img:
Image|endswith:
# You can add more LOLBINs
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_susp_cli:
# You can add more potentially suspicious keywords
CommandLine|contains:
- 'cmd /c'
- 'Invoke-'
- 'Base64'
filter_optional_terminal:
ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
ParentImage|endswith: '\WindowsTerminal.exe'
# Note: to avoid FP add the default shells and profiles that your WT integrates
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\pwsh.exe'
filter_optional_sysinternals:
ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
Image|endswith: '\cmd.exe'
condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
- Legitimate packages that make use of external binaries such as Windows Terminal
level: medium