
STOCKSTAY: Detecting Turla's Multi-Component Espionage Backdoor

STOCKSTAY is a digital spying tool built by Turla, a hacking group tied to Russian intelligence. It targets military and government organizations, and most of its attacks have focused on Ukraine during the ongoing war. Once installed, the tool quietly copies files, captures screenshots, and runs commands on a victim's computer while working hard to stay hidden from security teams.

Think of STOCKSTAY as a fake storefront that hides a spy operation in the back room. The program disguises itself as an ordinary application, such as a stock market viewer, a PDF reader, or a military pay calculator, so nothing looks out of place. It routes its secret messages through popular free hosting services, which makes its activity blend in with normal internet traffic and hard to catch.

Organizations hit by STOCKSTAY face the theft of sensitive documents, personnel records, and operational plans. The tool is built to run only inside the specific network it was made for, and it often works during regular business hours to avoid standing out. For defense and government groups, a single infection can expose confidential communications and give a foreign intelligence service a long-term window into daily operations.

Hunting Controls & Observations

Organizations can detect STOCKSTAY activity through multiple telemetry sources across endpoint, network, identity, and cloud domains:

  • Endpoint Controls: EDR/XDR platforms, Sysmon (Events 1, 3, 11, 12, 13), registry auditing for autorun keys, and file integrity monitoring on Startup folders and the %LOCALAPPDATA%\Programs\SMN\ install directory
  • Network Controls: Web proxy logs with TLS inspection, DNS query logs, and firewall/NetFlow monitoring for outbound Secure WebSocket traffic to free hosting subdomains (*.onrender.com, *.glitch.me)
  • Identity & Access Controls: Windows Security event logs (Event ID 4624 with Logon Type 10, RemoteInteractive, on hosts that receive RDP sessions), the client-side Microsoft-Windows-TerminalServices-RDPClient/Operational log (Event IDs 1024 and 1102 record mstsc.exe connection attempts and the server they target), and Group Policy change auditing
  • Cloud & Application Controls: Email gateway logs for .rdp and .hta attachments, and monitoring of third-party hosting (Render, Glitch) and GitHub for staging infrastructure

Behavioral Indicators of Attack

The following behavioral patterns characterize STOCKSTAY operations and distinguish them from legitimate activity:

  • Disguised Registry Run-Key Persistence: Creation of an autorun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run using an innocuous name such as "MicrosoftUpdateOneDrive" that points to an executable inside %LOCALAPPDATA%\Programs\SMN\
  • Paired Startup-Folder Artifacts: Simultaneous creation of an executable and a matching .lnk shortcut (MSViewer.lnk, MSDriver.lnk, MSRender.lnk) in the user Startup directory, often written by a WinRAR path-traversal extraction
  • Windowless Processes Imitating Windows Utilities: .NET processes launched from the SMN directory with names such as MSViewer.exe, MSDriver.exe, MSRender.exe, ClientMNGR.exe, or ViewPdf.exe that run silently with no user interface
  • Inter-Process Message Passing: WM_COPYDATA messages exchanged between three related components, where a controller tasks a backdoor and results are relayed out through a separate tunneler process
  • Secure WebSocket Command and Control: Outbound WSS connections to free hosting subdomains (*.onrender.com, *.glitch.me) and lookalike domains (*.theworkpc.com), carrying base64-encoded JSON to a /ws endpoint
  • Environmentally Keyed Configuration Files: Encrypted configuration files named "fonts" or "default.conf" that only decrypt on the intended host, domain, and user, preventing execution and analysis outside the target environment
  • Business-Hours-Only Operation: Command-and-control activity constrained to weekday business hours (roughly 09:00-18:00, Monday through Friday), a scheduling guardrail designed to blend with normal user behavior
  • Malicious RDP Delivery Chain: An emailed .rdp file that, when opened, initiates an outbound Remote Desktop connection to attacker infrastructure, which then stages the STOCKSTAY downloader
  • HTA Rename-and-Download Chain: An HTA file that runs script to rename a bundled downloader to .exe and retrieve a component ZIP from a compromised WordPress or government website
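The environmentally keyed configuration above is the reason a sample detonated in a sandbox or copied to an analyst VM yields nothing: the key is derived from the victim's identity, so the file only opens on the intended host, domain and user. The following is an added illustration of that technique (T1480.001), not STOCKSTAY's own scheme; the key derivation, the hash-based stream cipher, the HMAC tag and the file layout are assumptions chosen so the example runs with the Python standard library. The practical point for responders is the last function: with the hostname, domain and username recorded from the infected machine, the configuration can be replayed offline, so collect those values before imaging.

```python
import hashlib
import hmac
import json

# Illustrative environmental keying. NOT STOCKSTAY's scheme: derivation, cipher
# and layout are assumptions for the demo.

def derive_key(hostname: str, domain: str, user: str) -> bytes:
    """Bind a 32-byte key to the victim identity tuple (case-folded, as Windows treats names)."""
    ident = f"{hostname}|{domain}|{user}".lower().encode("utf-8")
    return hashlib.sha256(b"env-key-v1|" + ident).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based counter-mode keystream (stand-in for a real block cipher; stdlib only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def seal_config(config: dict, hostname: str, domain: str, user: str, nonce: bytes) -> bytes:
    """Encrypt and tag a JSON config so it only opens for the intended host/domain/user."""
    key = derive_key(hostname, domain, user)
    plaintext = json.dumps(config, sort_keys=True).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag   # layout: 16-byte nonce | ciphertext | 32-byte tag

def open_config(blob: bytes, hostname: str, domain: str, user: str):
    """Return the config dict, or None when the identity tuple is wrong (tag check fails)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive_key(hostname, domain, user)
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # wrong environment: a sandbox or analyst VM gets nothing usable
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))

# Constructed sample values for the demo, not taken from any real victim or sample.
SAMPLE_CONFIG = {"c2": "wss://example.invalid/ws", "hours": "09:00-18:00", "days": "Mon-Fri"}
TARGET = ("WS-0142", "corp.example", "jdoe")
NONCE = bytes(range(16))

def demo():
    """Seal for the target, then try to open on the target and in a sandbox."""
    blob = seal_config(SAMPLE_CONFIG, *TARGET, NONCE)
    on_target = open_config(blob, *TARGET)
    in_sandbox = open_config(blob, "SANDBOX-PC", "WORKGROUP", "admin")
    return on_target, in_sandbox

if __name__ == "__main__":
    cfg, sandbox = demo()
    print("on target :", cfg)
    print("in sandbox:", sandbox)
```

Because the tag is checked before decryption, a wrong tuple fails cleanly instead of producing plausible-looking garbage, which is also why static extraction of the C2 address from the file on disk fails without the environment values.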

MITRE Enterprise ATT&CK Tactics and Techniques

MITRE ATT&CK framework mapping for the STOCKSTAY campaign, sorted by kill chain progression:

Controls' Observables

Endpoint Controls

  • Registry autorun value under HKCU\...\CurrentVersion\Run with a Microsoft-themed name (e.g., MicrosoftUpdateOneDrive) pointing to an executable in %LOCALAPPDATA%\Programs\SMN\ (T1547.001, T1036.005) - Detection Difficulty: LOW
  • An executable and a .lnk shortcut created together in the user Startup folder (MSViewer.lnk, MSDriver.lnk, MSRender.lnk) (T1547.001) - Detection Difficulty: LOW
  • Windowless .NET processes executing from %LOCALAPPDATA%\Programs\SMN\ with names imitating Windows utilities (T1036.005) - Detection Difficulty: MEDIUM
  • Encrypted configuration files named "fonts" or "default.conf" dropped alongside the component executables (T1480.001, T1027) - Detection Difficulty: MEDIUM
  • .NET assemblies containing K1MORPHER / Squirrel3 obfuscation artifacts such as DecryptStringSimple and DecryptArraySimple (T1140) - Detection Difficulty: MEDIUM
  • MSI installations that launch a decoy URL and deploy files to %LOCALAPPDATA%\Programs\SMN\ (T1204.002) - Detection Difficulty: MEDIUM

Network Controls

  • Outbound Secure WebSocket (WSS) connections to *.onrender.com or *.glitch.me subdomains from non-browser processes (T1071.001) - Detection Difficulty: HIGH
  • DNS resolution of Render or Glitch subdomains and lookalike domains such as *.theworkpc.com (T1071.001, T1008) - Detection Difficulty: MEDIUM
  • WebSocket requests to a /ws endpoint carrying base64-encoded JSON payloads (T1071.001) - Detection Difficulty: HIGH
  • HTTP(S) downloads of ZIP or RAR payloads from compromised WordPress or government websites (T1105) - Detection Difficulty: MEDIUM
  • Outbound Remote Desktop (port 3389) to external infrastructure shortly after an emailed .rdp file is opened (T1566.001, T1021.001) - Detection Difficulty: MEDIUM

Identity & Access Controls

  • Outbound RDP sessions started from a user-opened .rdp file: on the victim this appears as mstsc.exe launched with the .rdp path as its argument and TerminalServices-RDPClient/Operational Events 1024/1102 naming an external server, not as a Security-log 4624 (the Logon Type 10 RemoteInteractive event is written on the attacker's server, which receives the session). Inbound 4624 Type 10 events on internal hosts remain relevant for the GPO-based distribution below (T1021.001) - Detection Difficulty: MEDIUM
  • Unauthorized Group Policy Object changes used to distribute STOCKSTAY alongside other Turla tooling across a domain (T1484.001) - Detection Difficulty: HIGH

Cloud & Application Controls

  • Email gateway detection of .rdp and .hta attachments or links to RAR archives (T1566.001, T1566.002) - Detection Difficulty: MEDIUM
  • Use of free application-hosting platforms (Render, Glitch) and GitHub repositories to stage MSI installers and C2 code (T1583.006) - Detection Difficulty: MEDIUM
  • Compromised legitimate websites serving ZIP or RAR payloads from unexpected upload paths (T1584.004) - Detection Difficulty: MEDIUM

Insights and Recommendation

A successful STOCKSTAY infection gives Turla remote control over the compromised host, including the ability to browse and steal files, capture screenshots, run arbitrary commands, and read or modify the registry. Because the malware encrypts its configuration to the victim's specific hostname, domain, and user, and restricts activity to weekday business hours, it is engineered to defeat sandboxes and blend into normal operations, allowing intelligence collection to continue undetected for months. For the Ukrainian military and government bodies that make up the bulk of its targets, that means exposure of operational plans, personnel data, and diplomatic communications during active conflict.

Security teams should prioritize behavioral detection over static IOC matching, because STOCKSTAY rotates its file hashes and command-and-control domains rapidly. Monitor for registry Run-key values that point to executables under %LOCALAPPDATA%\Programs\SMN\, alert on executables and .lnk files created together in the Startup folder, and inspect outbound Secure WebSocket traffic to free hosting platforms such as *.onrender.com and *.glitch.me. Given Turla's exploitation of the WinRAR path-traversal flaw CVE-2025-8088, ensure WinRAR is updated across the fleet, and block or quarantine inbound .rdp and .hta email attachments. Organizations in the defense and government sectors should treat any of these indicators as a high-priority hunt.

Source and Credits

This summary is based on research published by Google Threat Intelligence Group (GTIG), titled "STOCKSTAY Another Day: The Latest Addition to Turla's Intelligence Gathering Apparatus," authored by Jordan Jones and published on June 25, 2026. Indicators of compromise are drawn from the accompanying Google Threat Intelligence collection.

Threat Hunting IOCs & Queries

This section contains Indicators of Compromise and threat hunting queries for detecting STOCKSTAY activity and Turla tradecraft in your environment.

Known Indicators of Compromise

  • File Hashes (SHA256):
    • da8a96bc74e265f945f1cc6992c6dc0f9ea36ed1991f7b8d312db79d9bf78c40 (MARKETMAKER downloader: MicrosoftUpdateOneDrive.exe)
    • a40bf9c75d1bfa6d66f1179f2321de6589f80d3089d992797a9cb0e84f6196ce (STOCKMARKET: MSViewer.exe)
    • c905cb512018cc55512c6a22677c3d6f389c47afd54d7c85797868fc4fcb90e9 (STOCKBROKER: MSDriver.exe)
    • 667a8f568a611f2f3d84a366b7946b360e055bece9699c95aad619637ab72a38 (STOCKTRADER: MSRender.exe)
    • d3fd32f915c239872c9e7ed9408b1f36dfcef03aa68f9a396d05c437667cdb43 (STOCKBROKER + K1MORPHER: ClientMNGR2.exe)
    • 2af7b513c05e76d7da5f75bb0a223c894a706c99ef2c2ddfe4eae542f95a08e0 (STOCKMARKET: StockMarketView.exe)
    • d1e54270433a94aa3d45d888e4c62299bee3480eb2cb4a5489c7dda69d476c3e (websocket-sharp.dll, actor-compiled)
    • f04f43b6f7c2d86109c495179b497f7fb45fd95816623de1b77900f71b4f99ed (Python C2 controller: server.py)
  • C2 URLs (Secure WebSocket):
    • wss://wool-basalt-clock[.]glitch[.]me/ws
    • wss://weatherdataai[.]theworkpc[.]com/ws
    • wss://canal1zac1a[.]onrender[.]com/ws
    • wss://driverx86-adobe[.]onrender[.]com/ws
    • wss://google-ai-labs-it[.]onrender[.]com/ws
  • Compromised Staging Sites:
    • hxxps://www[.]drs[.]gov[.]ua/wp-content/themes/twentytwentyfive/docs.zip
    • hxxps://online[.]zp[.]ua/wp-content/uploads/Tools/EditorToolsPdf.zip
    • hxxps://basecon[.]com[.]ua/calculator.rar
  • Staging Infrastructure (GitHub): accounts Roberto1983-ai (repos msi_installer_test2, msi_installer_test3) and ChikenFresh (repo google-ai-labs-it)
  • Registry Key (Persistence): HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value name: MicrosoftUpdateOneDrive)
  • File Paths:
    • %LOCALAPPDATA%\Programs\SMN\ (install directory)
    • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ (MSViewer.lnk, MSDriver.lnk, MSRender.lnk)
    • Config files named fonts, default.conf, and sample.conf
  • Exploited Vulnerability: CVE-2025-8088 (WinRAR path traversal)

Note: IOCs rotate frequently. Turla re-uses infrastructure across campaigns but also stands up new C2 hosts regularly, so the behavioral detection queries below provide more durable coverage than static IOC matching.

Query 1: Disguised Registry Run-Key Persistence

Query Details

  • Behavior Targeted: STOCKSTAY writes an autorun value under the HKCU Run key using an innocuous, Microsoft-themed name that points to an executable inside %LOCALAPPDATA%\Programs\SMN\. This query flags Run-key writes referencing the SMN staging path or the known value name.
  • MITRE ATT&CK: T1547.001 - Registry Run Keys / Startup Folder, T1036.005 - Match Legitimate Name or Location
  • Expected Results: Registry value-set events on the CurrentVersion\Run key whose data references the SMN directory or whose value name mimics a Microsoft update. Legitimate autorun entries rarely execute from a per-user Programs\SMN path.
  • False Positive Likelihood: LOW - The SMN install path and the specific value name are distinctive to STOCKSTAY.
  • Tuning Guidance: Broaden the path match to include other per-user AppData\Local\Programs subdirectories if hunting for related loaders. Baseline legitimate Run-key writers (installers, updaters) and exclude them by initiating process.
  • Telemetry Requirements: Sysmon Event ID 13 (RegistryValueSet) or Microsoft Defender for Endpoint DeviceRegistryEvents.
  • Detection Difficulty: EASY

Splunk SPL

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 earliest=-30d
    TargetObject="*\\CurrentVersion\\Run\\*"
| eval susp=if(match(Details, "(?i)AppData\\\\Local\\\\Programs\\\\SMN")
    OR match(TargetObject, "(?i)MicrosoftUpdateOneDrive"), 1, 0)
| where susp=1
| stats count min(_time) as first_seen max(_time) as last_seen
    values(Details) as run_data values(Image) as writing_process by host, TargetObject
| sort - count

// TUNING: Add other AppData\Local\Programs\* subpaths to widen the hunt for related loaders
// FALSE POSITIVES: Baseline legitimate updaters that write Run keys; exclude by writing_process

Microsoft KQL (Defender for Endpoint)

DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"CurrentVersion\Run"
| where RegistryValueData has @"AppData\Local\Programs\SMN"
    or RegistryValueName in~ ("MicrosoftUpdateOneDrive", "MicrosoftUpdate")
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| order by Timestamp desc

// TUNING: Widen RegistryValueData match to other Programs subpaths to catch related loaders
// FALSE POSITIVES: Legitimate software updaters; exclude known InitiatingProcessFileName values

Query 2: Executable and Shortcut Paired in the Startup Folder

Query Details

  • Behavior Targeted: STOCKSTAY, including deliveries that abuse the WinRAR path-traversal flaw, drops both an executable and a matching .lnk shortcut into the user Startup folder. This query detects an executable and a shortcut created in the Startup directory within a short window on the same host.
  • MITRE ATT&CK: T1547.001 - Registry Run Keys / Startup Folder, T1203 - Exploitation for Client Execution
  • Expected Results: Bursts of file-create events in the Startup path containing both .lnk and .exe files. Normal software rarely writes an executable directly into the per-user Startup folder.
  • False Positive Likelihood: LOW - Executables written into the Startup folder are unusual in managed environments.
  • Tuning Guidance: Adjust the time bucket (currently 5 minutes) to widen or tighten correlation. Add known-good LNK writers to an allowlist. Include the all-users Startup path if desired.
  • Telemetry Requirements: Sysmon Event ID 11 (FileCreate) or Microsoft Defender for Endpoint DeviceFileEvents.
  • Detection Difficulty: EASY

Splunk SPL

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 earliest=-30d
    TargetFilename="*\\Start Menu\\Programs\\Startup\\*"
| eval file_ext=lower(replace(TargetFilename, ".*\\.", ""))
| where file_ext IN ("lnk", "exe")
| bin _time span=5m
| stats dc(file_ext) as type_count values(TargetFilename) as files
    values(Image) as writing_process by host, _time
| where type_count >= 2
| sort - _time

// TUNING: Adjust the 5m bucket to correlate paired drops over a wider or narrower window
// FALSE POSITIVES: Allowlist legitimate startup-item installers by writing_process

Microsoft KQL (Defender for Endpoint)

DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
| where FolderPath has @"Start Menu\Programs\Startup"
| where FileName endswith ".lnk" or FileName endswith ".exe"
| summarize FileSet = make_set(FileName), Writers = make_set(InitiatingProcessFileName),
    ExeCount = countif(FileName endswith ".exe"), LnkCount = countif(FileName endswith ".lnk"),
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, bin(Timestamp, 5m)
| where ExeCount > 0 and LnkCount > 0
| order by LastSeen desc

// TUNING: Adjust the 5m bin to widen or tighten correlation of paired file drops
// FALSE POSITIVES: Exclude known startup-item installers via the Writers set

Query 3: Windowless Process Executing from the SMN Directory

Query Details

  • Behavior Targeted: STOCKSTAY components run silently from %LOCALAPPDATA%\Programs\SMN\ with filenames that imitate Windows utilities. This query surfaces process executions from that staging path or matching the known component names.
  • MITRE ATT&CK: T1036.005 - Match Legitimate Name or Location, T1204.002 - User Execution: Malicious File
  • Expected Results: Process-creation events from the SMN directory or with names such as MSViewer.exe, MSDriver.exe, and MSRender.exe. Legitimate software is not installed into a per-user Programs\SMN folder.
  • False Positive Likelihood: LOW - The SMN path is specific; the name list may need review if generic names collide with legitimate tools.
  • Tuning Guidance: Focus on the folder path for the highest fidelity. Treat the filename list as a secondary signal and validate parent process and signing status before alerting.
  • Telemetry Requirements: Sysmon Event ID 1 (Process Create) or Microsoft Defender for Endpoint DeviceProcessEvents.
  • Detection Difficulty: MODERATE

Splunk SPL

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 earliest=-30d
| eval smn_path=if(match(Image, "(?i)AppData\\\\Local\\\\Programs\\\\SMN"), 1, 0)
| eval smn_name=if(match(Image, "(?i)\\\\(MSViewer|MSDriver|MSRender|ClientMNGR2?|ViewPdf|StockMarketView|SMNet|SMEditor|ConverterDDSNet)\\.exe$"), 1, 0)
| where smn_path=1 OR smn_name=1
| stats count min(_time) as first_seen max(_time) as last_seen
    values(Image) as images values(CommandLine) as cmds by host, User, ParentImage
| sort - count

// TUNING: Prefer smn_path matches for highest fidelity; validate smn_name hits against signing/parent
// FALSE POSITIVES: Review generic component names against legitimate software before alerting

Microsoft KQL (Defender for Endpoint)

DeviceProcessEvents
| where Timestamp > ago(30d)
| where FolderPath has @"AppData\Local\Programs\SMN"
    or FileName in~ ("MSViewer.exe", "MSDriver.exe", "MSRender.exe",
        "ClientMNGR.exe", "ClientMNGR2.exe", "ViewPdf.exe",
        "StockMarketView.exe", "SMNet.exe", "SMEditor.exe", "ConverterDDSNet.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Timestamp desc

// TUNING: The FolderPath match is highest fidelity; treat the name list as a secondary signal
// FALSE POSITIVES: Validate parent process and signature for generic names before alerting

Query 4: Secure WebSocket C2 to Free Hosting Platforms

Query Details

  • Behavior Targeted: STOCKSTAY beacons over Secure WebSocket to attacker C2 hosted on free platforms (Render, Glitch) and lookalike domains. This query surfaces DNS and proxy activity to those destinations, ideally from non-browser processes.
  • MITRE ATT&CK: T1071.001 - Application Layer Protocol: Web Protocols, T1008 - Fallback Channels
  • Expected Results: Repeated connections to *.onrender.com, *.glitch.me, or *.theworkpc.com. Legitimate use exists, so correlate with process context and beaconing regularity.
  • False Positive Likelihood: MEDIUM - Render and Glitch host legitimate applications. Focus on server processes, non-browser user agents, and periodic beaconing.
  • Tuning Guidance: Allowlist known-good Render/Glitch applications used by your organization. Layer on connection-interval analysis to isolate automated beaconing from human browsing.
  • Telemetry Requirements: DNS query logs (stream:dns), web proxy logs, or Microsoft Defender for Endpoint DeviceNetworkEvents.
  • Detection Difficulty: HARD

Splunk SPL

index=network (sourcetype="stream:dns" OR sourcetype="squid"
    OR sourcetype="zscaler" OR sourcetype="bluecoat:proxysg:access:syslog") earliest=-30d
| eval dest=coalesce(url, query, RemoteUrl)
| search dest="*onrender.com*" OR dest="*glitch.me*" OR dest="*theworkpc.com*"
| eval c2_hint=case(
    match(dest, "onrender\.com"), "RENDER_PLATFORM",
    match(dest, "glitch\.me"), "GLITCH_PLATFORM",
    match(dest, "theworkpc\.com"), "LOOKALIKE_DOMAIN",
    1=1, "OTHER")
| stats count dc(dest) as unique_dests values(dest) as destinations
    earliest(_time) as first_seen latest(_time) as last_seen by src_ip, c2_hint
| sort - count

// TUNING: Allowlist legitimate Render/Glitch apps used in your org by src_ip or destination
// FALSE POSITIVES: Layer connection-interval analysis to separate beaconing from human browsing

Microsoft KQL (Defender for Endpoint)

DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ("onrender.com", "glitch.me", "theworkpc.com")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| extend ProcessName = InitiatingProcessFileName
| extend C2Hint = case(
    RemoteUrl has "onrender.com", "RENDER_PLATFORM",
    RemoteUrl has "glitch.me", "GLITCH_PLATFORM",
    RemoteUrl has "theworkpc.com", "LOOKALIKE_DOMAIN",
    "OTHER")
| summarize ConnectionCount = count(), Destinations = make_set(RemoteUrl),
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, ProcessName, C2Hint
| order by ConnectionCount desc

// TUNING: Allowlist legitimate Render/Glitch applications by ProcessName or RemoteUrl
// FALSE POSITIVES: Prioritize server and non-browser processes with regular beaconing intervals
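Both queries above stop at listing destinations; the tuning guidance asks for connection-interval analysis, and the Business-Hours-Only guardrail described earlier adds a second discriminator. The script below is an added example, not part of the GTIG research or of the page's queries, that runs both checks over proxy log lines. The log format, the UTC+2 local offset, the 09:00-18:00 Monday-to-Friday window, the four-connection minimum and the 0.2 coefficient-of-variation threshold are all assumptions; the sample lines are constructed for the demo.

```python
import re
import statistics
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Hosting platforms named on this page; matched on the suffix so every subdomain hits.
WATCHED_SUFFIXES = ("onrender.com", "glitch.me", "theworkpc.com")
# Assumptions for the demo: UTC+2 local time and a 09:00-18:00 Mon-Fri window.
LOCAL_TZ = timezone(timedelta(hours=2))
BUSINESS_START, BUSINESS_END = 9, 18
MIN_CONNECTIONS = 4      # need enough samples to judge regularity
MAX_CV = 0.2             # stdev/mean of gaps at or below this = metronomic beacon

# Constructed proxy log lines (not real telemetry). Assumed layout:
# "<UTC timestamp> <src_ip> <process> <method> <url> <status>"
SAMPLE_LOG = """\
2025-03-03T07:00:05Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T07:05:07Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T07:10:04Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T07:15:09Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T07:20:06Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T07:25:05Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T07:30:08Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T07:35:04Z 10.1.4.23 MSRender.exe GET wss://canal1zac1a.onrender.com/ws 101
2025-03-03T09:12:40Z 10.1.4.23 chrome.exe GET https://team-dashboard.glitch.me/ 200
2025-03-03T09:13:05Z 10.1.4.23 chrome.exe GET https://team-dashboard.glitch.me/app.js 200
2025-03-03T09:41:22Z 10.1.4.23 chrome.exe GET https://team-dashboard.glitch.me/api 200
2025-03-03T12:05:01Z 10.1.4.23 chrome.exe GET https://team-dashboard.glitch.me/ 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def watched_host(url: str):
    """Return the hostname if it sits under a watched platform suffix, else None."""
    host = (urlparse(url).hostname or "").lower()
    for suffix in WATCHED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return host
    return None

def in_business_hours(ts_utc: datetime) -> bool:
    local = ts_utc.astimezone(LOCAL_TZ)
    return local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END

def analyze(log_text: str) -> list:
    """Group watched connections by (src, process, host); score regularity and hours."""
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, proc, _method, url, _status = m.groups()
        host = watched_host(url)
        if host is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        groups.setdefault((src, proc.lower(), host), []).append(when)
    findings = []
    for (src, proc, host), times in groups.items():
        times.sort()
        if len(times) < MIN_CONNECTIONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        biz = sum(in_business_hours(t) for t in times) / len(times)
        findings.append({
            "src": src, "process": proc, "host": host, "connections": len(times),
            "median_gap_s": statistics.median(gaps), "cv": round(cv, 3),
            "business_hours_ratio": round(biz, 2),
            "verdict": "BEACON" if cv <= MAX_CV else "IRREGULAR",
        })
    return sorted(findings, key=lambda f: f["cv"])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

A near-constant gap from a non-browser process is the signal; a high business-hours ratio does not clear a host, since the guardrail is designed to produce exactly that, so treat it as corroboration rather than as an allowlisting criterion.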

Query 5: Malicious RDP File Delivery Followed by Outbound RDP

Query Details

  • Behavior Targeted: One STOCKSTAY delivery chain emails a .rdp file that, when opened, initiates an outbound Remote Desktop connection to attacker infrastructure that stages the downloader. This query correlates the creation of a .rdp file with a subsequent outbound RDP connection on the same host.
  • MITRE ATT&CK: T1566.001 - Spearphishing Attachment, T1021.001 - Remote Services: Remote Desktop Protocol
  • Expected Results: A .rdp file written by a mail or browser process, followed within minutes by an outbound connection to TCP 3389. Internal help-desk workflows may resemble this and should be baselined.
  • False Positive Likelihood: MEDIUM - Legitimate RDP usage exists. Focus on outbound connections to external or unrecognized IP addresses.
  • Tuning Guidance: Restrict the RDP connection match to external or non-corporate IP ranges and, where the telemetry carries the process, to mstsc.exe. Adjust the correlation window (currently 10 minutes). Filter on mail-client, archiver and browser parent processes for the .rdp file write, and confirm hits with TerminalServices-RDPClient/Operational Events 1024/1102 on the host, which name the server the client tried to reach.
  • Telemetry Requirements: Sysmon Event ID 11 (FileCreate) and Event ID 3 (Network Connection), or Microsoft Defender for Endpoint DeviceFileEvents and DeviceNetworkEvents.
  • Detection Difficulty: MODERATE

Splunk SPL

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" earliest=-30d
    ((EventCode=11 TargetFilename="*.rdp") OR (EventCode=3 DestinationPort=3389))
| transaction host maxspan=10m
    startswith=eval(EventCode==11) endswith=eval(EventCode==3)
| search TargetFilename="*.rdp" DestinationPort=3389
| table _time, host, User, TargetFilename, DestinationIp, DestinationPort, Image
| sort - _time

// TUNING: Restrict DestinationIp to external ranges; adjust the 10m maxspan window
// FALSE POSITIVES: Baseline help-desk RDP workflows; focus on unrecognized destination IPs

Microsoft KQL (Defender for Endpoint)

let rdpFiles = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where FileName endswith ".rdp"
    | where InitiatingProcessFileName in~ ("outlook.exe", "winrar.exe",
        "explorer.exe", "chrome.exe", "msedge.exe")
    | project RdpFileTime = Timestamp, DeviceName, RdpFile = FileName;
let rdpConns = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where RemotePort == 3389 and ActionType == "ConnectionSuccess"
    | project ConnTime = Timestamp, DeviceName, RemoteIP, RemotePort;
rdpFiles
| join kind=inner rdpConns on DeviceName
| where ConnTime between (RdpFileTime .. (RdpFileTime + 10m))
| project RdpFileTime, ConnTime, DeviceName, RdpFile, RemoteIP, RemotePort
| order by ConnTime desc

// TUNING: Add a filter to keep only external RemoteIP values; adjust the 10m correlation window
// FALSE POSITIVES: Baseline legitimate RDP; prioritize connections to unrecognized IPs
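The queries above catch the connection after the fact; the email gateway can also triage the .rdp attachment before a user opens it. The following is an added example, not code from GTIG or from the campaign: it parses the standard mstsc `name:type:value` settings file, extracts the target, and flags the settings that make an attacker-controlled target dangerous (drive and clipboard redirection, a program launched on connect, suppressed certificate warnings). The internal name suffix, the verdict thresholds and both sample files are constructed for the demo; the campaign's actual .rdp contents are not described on this page.

```python
import ipaddress

# Assumed internal name suffixes for the demo; replace with your own domains.
INTERNAL_SUFFIXES = ("corp.example",)
DEFAULT_RDP_PORT = 3389

def decode_rdp(raw: bytes) -> str:
    """mstsc saves UTF-16LE with a BOM; hand-crafted files are often plain ASCII/UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines (type s/i/b) into {lowercased name: value}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def split_target(full_address: str):
    """Split 'host:port' from the 'full address' setting; port defaults to 3389."""
    host, _, port = full_address.rpartition(":")
    if not host or not port.isdigit():
        return full_address.strip().lower(), DEFAULT_RDP_PORT
    return host.strip().lower(), int(port)

def is_internal(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)

def triage_rdp(raw: bytes) -> dict:
    """Return target, the risky settings found, and an ALLOW / REVIEW / BLOCK verdict."""
    settings = parse_rdp(decode_rdp(raw))
    host, port = split_target(settings.get("full address", ""))
    findings = []
    external = bool(host) and not is_internal(host)
    if not host:
        findings.append("no full address (file is inert)")
    elif external:
        findings.append(f"external target {host}:{port}")
    if settings.get("drivestoredirect", "") not in ("", "0"):
        findings.append("local drives redirected to the remote host")   # remote side can read/write victim disks
    if settings.get("redirectclipboard") == "1":
        findings.append("clipboard redirected")
    if settings.get("remoteapplicationmode") == "1" or settings.get("alternate shell"):
        findings.append("program launched on connect (RemoteApp / alternate shell)")
    if settings.get("authentication level") == "0":
        findings.append("server certificate warnings suppressed")
    if external and len(findings) > 1:
        verdict = "BLOCK"      # unknown server plus at least one resource exposure
    elif findings:
        verdict = "REVIEW"
    else:
        verdict = "ALLOW"
    return {"target": host, "port": port, "findings": findings, "verdict": verdict}

# Constructed samples for the demo (not the campaign's files).
PHISH_RDP = (
    "full address:s:login-vpn-portal.example.net:3389\r\n"
    "username:s:helpdesk\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "authentication level:i:0\r\n"
).encode("utf-8")
BENIGN_RDP = b"\xff\xfe" + (
    "full address:s:ts01.corp.example\r\n"
    "screen mode id:i:2\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("phish", PHISH_RDP), ("benign", BENIGN_RDP)):
        print(name, triage_rdp(blob))
```

Quarantining every .rdp attachment, as recommended above, is simpler where the business allows it; where help-desk workflows need them, this triage lets the gateway pass files that point at known terminal servers and hold the rest for review.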

These queries were generated with AI assistance. Test thoroughly in your environment before production use. Validate field names against your data model and adjust thresholds based on your baseline activity levels.
