RDP (Remote Desktop Protocol) from the Internet

This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/09/18"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or
    network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some
    networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected
    to expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such
    as remote access and support for specialized software products and servers. Such work-flows are usually known and
    not unexpected.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RDP (Remote Desktop Protocol) from the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
timeline_title = "Comprehensive Network Timeline"
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
  not source.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  destination.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
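The query above is easier to reason about when its three conditions are pulled apart: the event must be a TCP flow, it must be RDP (port 3389, or any `zeek.rdp` record regardless of port), the source must fall outside every IANA special-purpose range the rule lists, and the destination must be RFC 1918 space. The following Python, added here as an illustration and not part of Elastic's rule or its test suite, re-implements that logic with the standard `ipaddress` module and runs it over a handful of constructed ECS-style events. The event dicts, their `id` labels and the public-looking source addresses are all made up for the example; the network lists are copied from the query.

```python
import ipaddress

# Source ranges the rule subtracts before treating a flow as "from the Internet":
# the IANA IPv4 special-purpose blocks listed in the query plus IPv6 loopback,
# link-local and multicast. Copied verbatim from the rule's query.
EXCLUDED_SOURCE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "FE80::/10", "FF00::/8",
)]

# Destinations the rule requires: RFC 1918 private address space.
PRIVATE_DEST_NETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never "in" an IPv4 network (and vice versa); ipaddress returns False.
    return any(addr in net for net in nets)


def is_internet_source(ip):
    """True when the source address lies outside every excluded range."""
    return not _in_any(ip, EXCLUDED_SOURCE_NETS)


def is_private_destination(ip):
    """True when the destination is RFC 1918 space."""
    return _in_any(ip, PRIVATE_DEST_NETS)


def matches_rule(event):
    """Evaluate the rule's KQL against one flat, dotted-key ECS event dict."""
    dataset = event.get("event.dataset", "")
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    is_flow = dataset == "network_traffic.flow" or bool({"network", "network_traffic"} & set(categories))
    # destination.port is not consulted for zeek.rdp records: Zeek already identified the protocol.
    is_rdp = event.get("destination.port") == 3389 or dataset == "zeek.rdp"
    # KQL `not source.ip:(...)` is also satisfied when source.ip is absent,
    # whereas `destination.ip:(...)` needs the field to be present.
    src = event.get("source.ip")
    dst = event.get("destination.ip")
    return (
        is_flow
        and event.get("network.transport") == "tcp"
        and is_rdp
        and (src is None or is_internet_source(src))
        and dst is not None
        and is_private_destination(dst)
    )


def run_rule(events):
    """Return the ids of the events that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). The public-looking source
# addresses are placeholders; the usual documentation ranges cannot be used
# because the rule deliberately excludes them.
SAMPLE_EVENTS = [
    {"id": "public-to-private-3389", "event.dataset": "network_traffic.flow", "event.category": ["network"],
     "network.transport": "tcp", "destination.port": 3389, "source.ip": "192.0.3.25", "destination.ip": "10.10.5.4"},
    {"id": "lan-to-lan-3389", "event.dataset": "network_traffic.flow", "event.category": ["network"],
     "network.transport": "tcp", "destination.port": 3389, "source.ip": "192.168.1.20", "destination.ip": "10.10.5.4"},
    {"id": "cgnat-source-3389", "event.dataset": "network_traffic.flow", "event.category": ["network"],
     "network.transport": "tcp", "destination.port": 3389, "source.ip": "100.64.3.9", "destination.ip": "10.10.5.4"},
    {"id": "zeek-rdp-nonstandard-port", "event.dataset": "zeek.rdp", "event.category": ["network"],
     "network.transport": "tcp", "destination.port": 3390, "source.ip": "192.0.3.26", "destination.ip": "172.16.9.9"},
    {"id": "public-to-public-3389", "event.dataset": "network_traffic.flow", "event.category": ["network"],
     "network.transport": "tcp", "destination.port": 3389, "source.ip": "192.0.3.27", "destination.ip": "192.0.3.40"},
    {"id": "udp-3389", "event.dataset": "network_traffic.flow", "event.category": ["network"],
     "network.transport": "udp", "destination.port": 3389, "source.ip": "192.0.3.28", "destination.ip": "10.1.1.1"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:>28}: {'ALERT' if matches_rule(event) else 'no match'}")
```

Two things the walk-through makes visible that the query's shape can hide. First, the `zeek.rdp` branch fires on any port, so an RDP listener moved to 3390 is still caught when Zeek protocol detection is in the pipeline, but a plain flow record to 3390 is not. Second, the destination constraint means the rule only sees traffic that lands in private space: a flow from the Internet to a host with a public address on its interface (the `public-to-public-3389` event) never matches, which matters for cloud instances that carry a public IP directly rather than behind NAT.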
