RDP (Remote Desktop Protocol) to the Internet
This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule
```toml
[metadata]
creation_date = "2020/02/18"
deprecation_date = "2021/04/15"
maturity = "deprecated"
updated_date = "2021/04/15"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but
    such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may
    be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as
    remote access and support for specialized software products and servers. Such work-flows are usually known and not
    unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
    """,
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "RDP (Remote Desktop Protocol) to the Internet"
risk_score = 21
rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.168.0.0/16 or
    224.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
```
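As an added illustration (not part of the Elastic rule or its repository), the query's logic re-implemented in Python and run over constructed ECS-style events, so the match conditions (private source, non-private destination, port 3389 or the zeek.rdp dataset) can be checked offline; the events use documentation-range addresses and are not real traffic.

```python
import ipaddress

# Address ranges copied from the rule's KQL query.
PRIVATE_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
EXCLUDED_DESTINATIONS = [
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1", "FE80::/10", "FF00::/8",
]


def _in_any(ip, cidrs):
    """True if ip lies inside any CIDR; an IPv4/IPv6 version mismatch never matches."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def rdp_to_internet(event):
    """Python equivalent of the rule's query for one flattened ECS event (dict)."""
    if event.get("event.category") not in ("network", "network_traffic"):
        return False
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") != 3389 and event.get("event.dataset") != "zeek.rdp":
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if src is None or not _in_any(src, PRIVATE_SOURCES):
        return False
    # KQL's `not destination.ip:(...)` also holds when the field is absent; mirrored here.
    return dst is None or not _in_any(dst, EXCLUDED_DESTINATIONS)


def matching_ids(events):
    """Ids of the events the rule would alert on."""
    return [e["id"] for e in events if rdp_to_internet(e)]


# Constructed sample events (not real logs). Expected matches: e1, e3, e5.
SAMPLE_EVENTS = [
    {"id": "e1", "event.category": "network", "network.transport": "tcp",
     "source.ip": "192.168.1.20", "destination.ip": "203.0.113.10", "destination.port": 3389},
    {"id": "e2", "event.category": "network", "network.transport": "tcp",        # internal only
     "source.ip": "10.1.2.3", "destination.ip": "10.9.9.9", "destination.port": 3389},
    {"id": "e3", "event.category": "network_traffic", "network.transport": "tcp",  # odd port, Zeek saw RDP
     "source.ip": "172.20.0.5", "destination.ip": "198.51.100.7", "destination.port": 3390,
     "event.dataset": "zeek.rdp"},
    {"id": "e4", "event.category": "network", "network.transport": "tcp",        # inbound, not outbound
     "source.ip": "203.0.113.5", "destination.ip": "192.168.1.20", "destination.port": 3389},
    {"id": "e5", "event.category": "network", "network.transport": "tcp",        # public IPv6 destination
     "source.ip": "192.168.1.20", "destination.ip": "2001:db8::1", "destination.port": 3389},
    {"id": "e6", "event.category": "network", "network.transport": "tcp",        # IPv6 link-local
     "source.ip": "192.168.1.20", "destination.ip": "fe80::1", "destination.port": 3389},
    {"id": "e7", "event.category": "network", "network.transport": "udp",        # not TCP
     "source.ip": "192.168.1.20", "destination.ip": "203.0.113.10", "destination.port": 3389},
]
```

Note that the query lists only IPv4 source ranges, so an RDP session from an IPv6-addressed internal host is not matched by this rule as written.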
Related rules
- SSH (Secure Shell) from the Internet
- SSH (Secure Shell) to the Internet
- FTP (File Transfer Protocol) Activity to the Internet
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- PPTP (Point to Point Tunneling Protocol) Activity