RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
Sigma rule
```yaml
title: RDP Connection Allowed Via Netsh.EXE
id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
status: test
description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
references:
    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
author: Sander Wiebing
date: 2020-05-23
modified: 2023-12-11
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
```
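To see how the selections combine, here is the rule's matching logic replayed over a handful of constructed process_creation events. This is an added Python example, not Sigma's own evaluation engine and not code from the rule's author; the event class, function names and sample events are my own. It mirrors two Sigma semantics worth knowing when tuning the rule: a YAML list under a selection (`selection_img`) is an OR, a map (`selection_cli`) is an AND, and string modifiers such as `contains` and `endswith` compare case-insensitively, so `TCP`, `tcp` and `Add` all match.

```python
from dataclasses import dataclass


@dataclass
class ProcessCreationEvent:
    """Subset of a Windows process_creation event (e.g. Sysmon event ID 1).
    Constructed for this example; field names follow the Sigma taxonomy."""
    image: str
    original_file_name: str
    command_line: str


def _ci_contains(haystack: str, needle: str) -> bool:
    # Sigma string modifiers (contains, endswith, ...) are case-insensitive.
    return needle.lower() in haystack.lower()


def selection_img(ev: ProcessCreationEvent) -> bool:
    # A YAML list of maps under a selection = OR between the entries, so a
    # renamed binary still matches through OriginalFileName (PE metadata).
    return (ev.image.lower().endswith("\\netsh.exe")
            or ev.original_file_name.lower() == "netsh.exe")


def selection_cli(ev: ProcessCreationEvent) -> bool:
    # A map under a selection = AND between its keys.
    cl = ev.command_line
    contains_all = all(_ci_contains(cl, s)
                       for s in ("firewall ", "add ", "tcp ", "3389"))
    contains_any = any(_ci_contains(cl, s) for s in ("portopening", "allow"))
    return contains_all and contains_any


def rule_matches(ev: ProcessCreationEvent) -> bool:
    # condition: all of selection_*
    return selection_img(ev) and selection_cli(ev)


NETSH = r"C:\Windows\System32\netsh.exe"

# Constructed sample events. The first two command lines are the ones quoted
# in the rule's own comments; the rest probe the rule's edges.
SAMPLE_EVENTS = [
    ProcessCreationEvent(NETSH, "netsh.exe",
        'netsh firewall add portopening TCP 3389 "Open Port 3389"'),
    ProcessCreationEvent(NETSH, "netsh.exe",
        'netsh advfirewall firewall add rule name="Open Port 3389" dir=in '
        'action=allow protocol=TCP localport=3389'),
    # Renamed copy of netsh.exe: Image does not match, OriginalFileName does.
    ProcessCreationEvent(r"C:\Users\Public\n.exe", "netsh.exe",
        'n.exe advfirewall firewall add rule name="rdp" dir=in '
        'action=allow protocol=tcp localport=3389'),
    # Opens a different port: no '3389' substring, so no alert.
    ProcessCreationEvent(NETSH, "netsh.exe",
        'netsh advfirewall firewall add rule name="Web" dir=in '
        'action=allow protocol=TCP localport=443'),
    # Blocking RDP: neither 'allow' nor 'portopening' present, so no alert.
    ProcessCreationEvent(NETSH, "netsh.exe",
        'netsh advfirewall firewall add rule name="Block RDP" dir=in '
        'action=block protocol=TCP localport=3389'),
]


def evaluate(events):
    """Return [(command_line, matched)] for each event, in input order."""
    return [(ev.command_line, rule_matches(ev)) for ev in events]


if __name__ == "__main__":
    for cmd, hit in evaluate(SAMPLE_EVENTS):
        print(("ALERT  " if hit else "       ") + cmd)
```

Note that a `cmd.exe /c netsh ...` parent process does not satisfy `selection_img`; the rule fires on the child `netsh.exe` process_creation event instead, which is why command-line-only telemetry without a separate netsh.exe event would miss it.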
References
- https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
Related rules
- A Rule Has Been Deleted From The Windows Firewall Exception List
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Disable Microsoft Defender Firewall via Registry
- Disable Windows Firewall by Registry
- Firewall Disabled via Netsh.EXE