RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
Sigma rule (View on GitHub)
1title: RDP Connection Allowed Via Netsh.EXE
2id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
3status: test
4description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
5references:
6 - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
7author: Sander Wiebing
8date: 2020/05/23
9modified: 2023/12/11
10tags:
11 - attack.defense_evasion
12 - attack.t1562.004
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith: '\netsh.exe'
19 - OriginalFileName: 'netsh.exe'
20 selection_cli:
21 # Example:
22 # Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
23 # New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
24 CommandLine|contains|all:
25 - 'firewall '
26 - 'add '
27 - 'tcp '
28 - '3389'
29 CommandLine|contains:
30 - 'portopening'
31 - 'allow'
32 condition: all of selection_*
33falsepositives:
34 - Legitimate administration activity
35level: high
References
Related rules
- New Firewall Rule Added Via Netsh.EXE
- Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- Flush Iptables Ufw Chain
- The Windows Defender Firewall Service Failed To Load Group Policy
- Ufw Force Stop Using Ufw-Init