RDP Connection Allowed Via Netsh.EXE

Detects use of the netsh command to open port 3389 (RDP) in the Windows firewall and allow inbound connections to it, as seen used by the Sarwent malware. Both the legacy `netsh firewall add portopening` syntax and the current `netsh advfirewall firewall add rule ... action=allow` syntax are covered.

Sigma rule

title: RDP Connection Allowed Via Netsh.EXE
id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
status: test
description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
references:
    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
author: Sander Wiebing
date: 2020/05/23
modified: 2023/12/11
tags:
    - attack.defense_evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
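The following is an added example, not part of the SigmaHQ rule or the SentinelOne write-up: a minimal Python evaluator that applies the rule's two selections with Sigma's matching semantics (case-insensitive strings, `endswith` / `contains`, `all` vs. any, a list of maps meaning OR and a single map meaning AND) to a handful of constructed process-creation events. The event dictionaries are made up for illustration; the field names (`Image`, `OriginalFileName`, `CommandLine`) follow the Sigma process_creation taxonomy.

```python
"""Evaluate the 'RDP Connection Allowed Via Netsh.EXE' Sigma rule over sample events.

Added example for illustration; the events below are constructed, not real telemetry.
"""

# The rule's detection section, transcribed as Python data.
# A list of maps is OR between entries; a single map is AND between its keys.
RULE = {
    "selection_img": [
        {"Image|endswith": "\\netsh.exe"},
        {"OriginalFileName": "netsh.exe"},
    ],
    "selection_cli": {
        "CommandLine|contains|all": ["firewall ", "add ", "tcp ", "3389"],
        "CommandLine|contains": ["portopening", "allow"],
    },
}


def _match_field(event: dict, key: str, values) -> bool:
    """Apply one 'Field|modifier...' test. Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wants = [values.lower()] if isinstance(values, str) else [v.lower() for v in values]
    if "endswith" in mods:
        hits = [actual.endswith(w) for w in wants]
    elif "contains" in mods:
        hits = [w in actual for w in wants]
    else:  # no modifier: exact (case-insensitive) equality
        hits = [actual == w for w in wants]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event: dict, selection) -> bool:
    if isinstance(selection, list):
        return any(_match_selection(event, entry) for entry in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return all(_match_selection(event, sel) for sel in RULE.values())


NETSH = "C:\\Windows\\System32\\netsh.exe"

# Constructed sample events keyed by a short label.
SAMPLE_EVENTS = {
    "old_syntax": {
        "Image": NETSH, "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh firewall add portopening TCP 3389 "Open Port 3389"'},
    "new_syntax": {
        "Image": NETSH, "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name= "Open Port 3389" '
                       'dir=in action=allow protocol=TCP localport=3389'},
    # Renamed binary: Image no longer ends in \netsh.exe, but OriginalFileName still does.
    "renamed_binary": {
        "Image": "C:\\Temp\\n.exe", "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name=rdp dir=in '
                       'action=allow protocol=TCP localport=3389'},
    "delete_rule": {
        "Image": NETSH, "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall delete rule name="Open Port 3389"'},
    "other_port": {
        "Image": NETSH, "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name=web dir=in '
                       'action=allow protocol=TCP localport=443'},
    "block_rule": {
        "Image": NETSH, "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name=rdp dir=in '
                       'action=block protocol=TCP localport=3389'},
    # Same allow rule with protocol=TCP as the last argument: no trailing space after 'tcp'.
    "tcp_last_argument": {
        "Image": NETSH, "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name=rdp dir=in '
                       'action=allow localport=3389 protocol=TCP'},
}


def run_samples() -> dict:
    """Return {label: matched?} for every constructed event."""
    return {label: rule_matches(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hit in run_samples().items():
        print(f"{label:18s} {'ALERT' if hit else '-'}")
```

Two things the run makes visible. First, the `OriginalFileName` branch is what keeps the rule working when the binary is copied under another name, which is why it is worth confirming your process-creation source actually populates that field (Sysmon does; a source that only carries the image path will miss the `renamed_binary` case). Second, the `'tcp '` and `'add '` tokens carry a trailing space, so an otherwise identical allow rule that ends with `protocol=TCP` does not match; whether that gap matters depends on how your logging quotes and terminates command lines, and it is the kind of detail to test against real events before relying on the rule. A legitimate administrator opening 3389 produces exactly the same command line, hence the stated false positive.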
