Publicly Accessible RDP Service

calendar Mar 13, 2024 · attack.lateral_movement attack.t1021.001  ·
Share on: linkedin copy

Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.

Sigma rule (View on GitHub)

 1title: Publicly Accessible RDP Service
 2id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
 3status: test
 4description: |
 5        Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
 6references:
 7    - https://attack.mitre.org/techniques/T1021/001/
 8author: Josh Brower @DefensiveDepth
 9date: 2020/08/22
10modified: 2024/03/13
11tags:
12    - attack.lateral_movement
13    - attack.t1021.001
14logsource:
15    product: zeek
16    service: rdp
17detection:
18    selection:
19        id.orig_h|cidr:
20            - '::1/128'  # IPv6 loopback
21            - '10.0.0.0/8'
22            - '127.0.0.0/8'
23            - '172.16.0.0/12'
24            - '192.168.0.0/16'
25            - '169.254.0.0/16'
26            - '2620:83:8000::/48'
27            - 'fc00::/7'  # IPv6 private addresses
28            - 'fe80::/10'  # IPv6 link-local addresses
29    # approved_rdp:
30      # dst_ip:
31        # - x.x.x.x
32    condition: not selection # and not approved_rdp
33falsepositives:
34    - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
35level: high

References

Related rules

to-top