RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
Sigma rule (View on GitHub)
1title: RDP Connection Allowed Via Netsh.EXE
2id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
3status: test
4description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
5references:
6 - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
7author: Sander Wiebing
8date: 2020-05-23
9modified: 2023-12-11
10tags:
11 - attack.defense-evasion
12 - attack.t1562.004
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith: '\netsh.exe'
19 - OriginalFileName: 'netsh.exe'
20 selection_cli:
21 # Example:
22 # Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
23 # New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
24 CommandLine|contains|all:
25 - 'firewall '
26 - 'add '
27 - 'tcp '
28 - '3389'
29 CommandLine|contains:
30 - 'portopening'
31 - 'allow'
32 condition: all of selection_*
33falsepositives:
34 - Legitimate administration activity
35level: high
References
-
Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, with new commands and a focus on RDP.
Read More
Related rules
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry