RDP (Remote Desktop Protocol) from the Internet

  1[metadata]
  2creation_date = "2020/02/18"
  3integration = ["network_traffic", "panw"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by
 11system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
 12directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
 13backdoor vector.
 14"""
 15false_positives = [
 16    """
 17    Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or
 18    network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some
 19    networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected
 20    expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such
 21    as remote access and support for specialized software products and servers. Such work-flows are usually known and
 22    not unexpected.
 23    """,
 24]
 25from = "now-9m"
 26index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 27language = "kuery"
 28license = "Elastic License v2"
 29name = "RDP (Remote Desktop Protocol) from the Internet"
 30references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
 31risk_score = 47
 32rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 33severity = "medium"
 34tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
 35timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 36timeline_title = "Comprehensive Network Timeline"
 37timestamp_override = "event.ingested"
 38type = "query"
 39
 40query = '''
 41(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
 42  network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
 43  not source.ip:(
 44    10.0.0.0/8 or
 45    127.0.0.0/8 or
 46    169.254.0.0/16 or
 47    172.16.0.0/12 or
 48    192.0.0.0/24 or
 49    192.0.0.0/29 or
 50    192.0.0.8/32 or
 51    192.0.0.9/32 or
 52    192.0.0.10/32 or
 53    192.0.0.170/32 or
 54    192.0.0.171/32 or
 55    192.0.2.0/24 or
 56    192.31.196.0/24 or
 57    192.52.193.0/24 or
 58    192.168.0.0/16 or
 59    192.88.99.0/24 or
 60    224.0.0.0/4 or
 61    100.64.0.0/10 or
 62    192.175.48.0/24 or
 63    198.18.0.0/15 or
 64    198.51.100.0/24 or
 65    203.0.113.0/24 or
 66    240.0.0.0/4 or
 67    "::1" or
 68    "FE80::/10" or
 69    "FF00::/8"
 70  ) and
 71  destination.ip:(
 72    10.0.0.0/8 or
 73    172.16.0.0/12 or
 74    192.168.0.0/16
 75  )
 76'''
 77note = """## Triage and analysis
 78
 79> **Disclaimer**:
 80> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 81
 82### Investigating RDP (Remote Desktop Protocol) from the Internet
 83
 84RDP allows administrators to remotely manage systems, but exposing it to the internet poses security risks. Adversaries exploit RDP for unauthorized access, often using it as an entry point for attacks. The detection rule identifies suspicious RDP traffic by monitoring TCP connections on port 3389 from external IPs, flagging potential threats for further investigation.
 85
 86### Possible investigation steps
 87
 88- Review the source IP address flagged in the alert to determine if it is known or associated with any previous malicious activity. Check threat intelligence sources for any reported malicious behavior.
 89- Analyze the destination IP address to confirm it belongs to your internal network (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and identify the specific system targeted by the RDP connection.
 90- Examine network logs for any unusual or unexpected RDP traffic patterns from the source IP, such as repeated connection attempts or connections at odd hours, which may indicate brute force attempts or unauthorized access.
 91- Check for any recent changes or updates to firewall rules or security policies that might have inadvertently exposed RDP to the internet.
 92- Investigate the user accounts involved in the RDP session to ensure they are legitimate and have not been compromised. Look for any signs of unauthorized access or privilege escalation.
 93- Correlate the RDP traffic with other security events or alerts to identify any potential lateral movement or further malicious activity within the network.
 94
 95### False positive analysis
 96
 97- Internal testing or maintenance activities may trigger the rule if RDP is temporarily exposed to the internet. To manage this, create exceptions for known internal IP addresses or scheduled maintenance windows.
 98- Legitimate third-party vendors or partners accessing systems via RDP for support purposes can be mistaken for threats. Establish a list of trusted external IP addresses and exclude them from the rule.
 99- Misconfigured network devices or security tools might inadvertently expose RDP to the internet, leading to false positives. Regularly audit network configurations and update the rule to exclude known benign sources.
100- Cloud-based services or remote work solutions that use RDP over the internet can be flagged. Identify and whitelist these services' IP ranges to prevent unnecessary alerts.
101
102### Response and remediation
103
104- Immediately block the external IP address identified in the alert from accessing the network to prevent further unauthorized RDP connections.
105- Isolate the affected system from the network to contain any potential compromise and prevent lateral movement by the threat actor.
106- Conduct a thorough review of the affected system for signs of compromise, such as unauthorized user accounts, changes in system configurations, or the presence of malware.
107- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
108- Apply security patches and updates to the affected system and any other systems with RDP enabled to mitigate known vulnerabilities.
109- Implement network segmentation to restrict RDP access to only trusted internal IP addresses and consider using a VPN for secure remote access.
110- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
111
112
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115
116[rule.threat.tactic]
117id = "TA0011"
118name = "Command and Control"
119reference = "https://attack.mitre.org/tactics/TA0011/"
120[[rule.threat]]
121framework = "MITRE ATT&CK"
122[[rule.threat.technique]]
123id = "T1021"
124name = "Remote Services"
125reference = "https://attack.mitre.org/techniques/T1021/"
126
127
128[rule.threat.tactic]
129id = "TA0008"
130name = "Lateral Movement"
131reference = "https://attack.mitre.org/tactics/TA0008/"
132[[rule.threat]]
133framework = "MITRE ATT&CK"
134[[rule.threat.technique]]
135id = "T1190"
136name = "Exploit Public-Facing Application"
137reference = "https://attack.mitre.org/techniques/T1190/"
138
139
140[rule.threat.tactic]
141id = "TA0001"
142name = "Initial Access"
143reference = "https://attack.mitre.org/tactics/TA0001/"