RDP (Remote Desktop Protocol) from the Internet

This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/17"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or
    network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some
    networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected
    expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such
    as remote access and support for specialized software products and servers. Such work-flows are usually known and
    not unexpected.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "kuery"
license = "Elastic License v2"
name = "RDP (Remote Desktop Protocol) from the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
timeline_title = "Comprehensive Network Timeline"
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
  not source.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  destination.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
