Publicly Accessible RDP Service
Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
Sigma rule (View on GitHub)
1title: Publicly Accessible RDP Service
2id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
3status: test
4description: |
5 Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
6references:
7 - https://attack.mitre.org/techniques/T1021/001/
8author: Josh Brower @DefensiveDepth
9date: 2020/08/22
10modified: 2024/03/13
11tags:
12 - attack.lateral_movement
13 - attack.t1021.001
14logsource:
15 product: zeek
16 service: rdp
17detection:
18 selection:
19 id.orig_h|cidr:
20 - '::1/128' # IPv6 loopback
21 - '10.0.0.0/8'
22 - '127.0.0.0/8'
23 - '172.16.0.0/12'
24 - '192.168.0.0/16'
25 - '169.254.0.0/16'
26 - '2620:83:8000::/48'
27 - 'fc00::/7' # IPv6 private addresses
28 - 'fe80::/10' # IPv6 link-local addresses
29 # approved_rdp:
30 # dst_ip:
31 # - x.x.x.x
32 condition: not selection # and not approved_rdp
33falsepositives:
34 - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
35level: high
References
Related rules
- RDP Over Reverse SSH Tunnel
- Port Forwarding Activity Via SSH.EXE
- User Added to Remote Desktop Users Group
- Enabling RDP service via reg.exe command execution
- Outbound RDP Connections Over Non-Standard Tools