RDP over Reverse SSH Tunnel WFP (5bed80b6-b3e8-428e-a3ae-d3c757589e41)

Detects svchost hosting RDP termsvcs communicating with the loopback address

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	RDP over Reverse SSH Tunnel WFP (5bed80b6-b3e8-428e-a3ae-d3c757589e41)	Sigma-Rules	1
RDP over Reverse SSH Tunnel WFP (5bed80b6-b3e8-428e-a3ae-d3c757589e41)	Sigma-Rules	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	1
RDP over Reverse SSH Tunnel WFP (5bed80b6-b3e8-428e-a3ae-d3c757589e41)	Sigma-Rules	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	2