RDP (Remote Desktop Protocol) from the Internet
This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule

```toml
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/17"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or
    network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some
    networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected to
    expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such
    as remote access and support for specialized software products and servers. Such work-flows are usually known and
    not unexpected.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "kuery"
license = "Elastic License v2"
name = "RDP (Remote Desktop Protocol) from the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
timeline_title = "Comprehensive Network Timeline"
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
  not source.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  destination.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
```
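To see how each clause of the query behaves before deploying or tuning the rule, the following added example (not Elastic's code) re-implements the query's logic with the Python standard library and runs it over constructed flow events; the address 100.200.10.20 is a constructed stand-in for an arbitrary routable Internet source.

```python
# Added example (not Elastic's code): offline re-implementation of the rule's KQL logic.
import ipaddress

# Source ranges the query excludes; the 192.0.0.x /29 and /32 entries are
# already inside 192.0.0.0/24, so they are folded into that prefix.
EXCLUDED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
    "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
    "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "::1/128", "fe80::/10", "ff00::/8")]
# The destination must sit in RFC 1918 space for the rule to fire.
INTERNAL_DESTS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)

def matches_rule(ev):
    """True when a flow event satisfies every clause of the rule's query."""
    ds = ev.get("event.dataset", "")
    cats = ev.get("event.category", [])
    cats = [cats] if isinstance(cats, str) else cats
    if not (ds == "network_traffic.flow" or {"network", "network_traffic"} & set(cats)):
        return False
    if ev.get("network.transport") != "tcp":
        return False
    if not (ev.get("destination.port") == 3389 or ds == "zeek.rdp"):
        return False
    src, dst = ev.get("source.ip"), ev.get("destination.ip")
    # KQL "not source.ip:(...)" is also true when the field is absent.
    src_external = src is None or not in_any(src, EXCLUDED_SOURCES)
    return src_external and dst is not None and in_any(dst, INTERNAL_DESTS)

def alerts(events):
    return [ev["id"] for ev in events if matches_rule(ev)]

def flow(fid, src, dst, port, dataset="network_traffic.flow", transport="tcp"):
    return {"id": fid, "event.dataset": dataset, "event.category": "network",
            "network.transport": transport, "source.ip": src,
            "destination.ip": dst, "destination.port": port}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    flow("flow-1", "100.200.10.20", "10.1.2.3", 3389),        # Internet -> internal: alert
    flow("flow-2", "192.168.50.4", "10.1.2.3", 3389),         # internal source: excluded
    flow("flow-3", "100.200.10.20", "100.200.10.30", 3389),   # public destination: no alert
    flow("flow-4", "100.200.10.20", "172.20.1.9", 3390, dataset="zeek.rdp"),  # Zeek RDP log
    flow("flow-5", "100.200.10.20", "10.1.2.3", 3389, transport="udp"),       # not TCP
]
```

Note that flow-3 never fires: the rule only alerts when the destination is in RFC 1918 space, so an RDP host addressed by its public interface IP needs a separate check. The IANA documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are also excluded, so test traffic sourced from those addresses will not trigger the rule.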
References
- https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
Related rules
- Accepted Default Telnet Port Connection
- Cobalt Strike Command and Control Beacon
- Default Cobalt Strike Team Server Certificate
- Halfbaked Command and Control Beacon
- IPSEC NAT Traversal Port Activity