Publicly Accessible RDP Service

Detects connections from routable IPs to an RDP listener, which is indicative of a publicly accessible RDP service.

Sigma rule

title: Publicly Accessible RDP Service
id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
status: test
description: |
        Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
author: Josh Brower @DefensiveDepth
date: 2020-08-22
modified: 2024-03-13
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: zeek
    service: rdp
detection:
    selection:
        id.orig_h|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '2620:83:8000::/48'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    # approved_rdp:
      # dst_ip:
        # - x.x.x.x
    condition: not selection # and not approved_rdp
falsepositives:
    - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
level: high
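
The rule's `not selection` condition applied to a few constructed Zeek JSON `rdp.log` records, as an added example (not part of the original rule or the Sigma project). The `approved_rdp` argument mirrors the rule's commented-out allowlist and is assumed here to match the destination in `id.resp_h`; the function names and sample records are illustrative.

```python
import ipaddress
import json

# CIDR list copied from the rule's `selection` block.
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "2620:83:8000::/48",
    "fc00::/7", "fe80::/10",
)]

# Constructed sample records in Zeek JSON rdp.log shape (not real traffic;
# the external sources use documentation address ranges).
SAMPLE_LOG = """\
{"ts": 1710000000.1, "uid": "C1", "id.orig_h": "10.1.2.3", "id.resp_h": "10.1.9.20", "id.resp_p": 3389}
{"ts": 1710000001.2, "uid": "C2", "id.orig_h": "203.0.113.50", "id.resp_h": "10.1.9.20", "id.resp_p": 3389}
{"ts": 1710000002.3, "uid": "C3", "id.orig_h": "198.51.100.7", "id.resp_h": "10.1.9.20", "id.resp_p": 3389}
{"ts": 1710000003.4, "uid": "C4", "id.orig_h": "2001:db8::15", "id.resp_h": "10.1.9.21", "id.resp_p": 3389}
{"ts": 1710000004.5, "uid": "C5", "id.orig_h": "fe80::1", "id.resp_h": "10.1.9.21", "id.resp_p": 3389}
{"ts": 1710000005.6, "uid": "C6", "id.orig_h": "203.0.113.50", "id.resp_h": "10.1.9.30", "id.resp_p": 3389}
"""

def in_selection(addr):
    """True when addr falls in any CIDR of the rule's `selection` list."""
    ip = ipaddress.ip_address(addr)
    # Mixed IPv4/IPv6 membership tests evaluate to False, so one list serves both.
    return any(ip in net for net in NON_ROUTABLE)

def rule_hits(lines, approved_rdp=()):
    """Return records matching `not selection and not approved_rdp`."""
    approved = {ipaddress.ip_address(a) for a in approved_rdp}
    hits = []
    for rec in map(json.loads, filter(str.strip, lines)):
        if in_selection(rec["id.orig_h"]):
            continue  # source is loopback, private or link-local
        if ipaddress.ip_address(rec["id.resp_h"]) in approved:
            continue  # listener is on the approved-exposure list
        hits.append(rec)
    return hits

def exposed_listeners(hits):
    """Group hits by RDP listener, for triage: listener -> set of external sources."""
    grouped = {}
    for rec in hits:
        grouped.setdefault(rec["id.resp_h"], set()).add(rec["id.orig_h"])
    return grouped

if __name__ == "__main__":
    for listener, sources in exposed_listeners(rule_hits(SAMPLE_LOG.splitlines())).items():
        print(f"{listener}: reached from {len(sources)} routable source(s): {sorted(sources)}")
```

Grouping by listener turns per-connection alerts into the list of hosts to review against the rule's false-positive guidance.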
