Publicly Accessible RDP Service
Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
Sigma rule (View on GitHub)
1title: Publicly Accessible RDP Service
2id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
3status: test
4description: |
5 Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
6references:
7 - https://attack.mitre.org/techniques/T1021/001/
8author: Josh Brower @DefensiveDepth
9date: 2020-08-22
10modified: 2024-03-13
11tags:
12 - attack.lateral-movement
13 - attack.t1021.001
14logsource:
15 product: zeek
16 service: rdp
17detection:
18 selection:
19 id.orig_h|cidr:
20 - '::1/128' # IPv6 loopback
21 - '10.0.0.0/8'
22 - '127.0.0.0/8'
23 - '172.16.0.0/12'
24 - '192.168.0.0/16'
25 - '169.254.0.0/16'
26 - '2620:83:8000::/48'
27 - 'fc00::/7' # IPv6 private addresses
28 - 'fe80::/10' # IPv6 link-local addresses
29 # approved_rdp:
30 # dst_ip:
31 # - x.x.x.x
32 condition: not selection # and not approved_rdp
33falsepositives:
34 - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
35level: high
References
Related rules
- Denied Access To Remote Desktop
- Hermetic Wiper TG Process Patterns
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- Outbound RDP Connections Over Non-Standard Tools
- Port Forwarding Activity Via SSH.EXE