RDP Port Forwarding Rule Added Via Netsh.EXE

Aug 12, 2024 · attack.lateral-movement attack.defense-evasion attack.command-and-control attack.t1090 ·

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Sigma rule (View on GitHub)

 1title: RDP Port Forwarding Rule Added Via Netsh.EXE
 2id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
 3status: test
 4description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 7author: Florian Roth (Nextron Systems), oscd.community
 8date: 2019-01-29
 9modified: 2023-02-13
10tags:
11    - attack.lateral-movement
12    - attack.defense-evasion
13    - attack.command-and-control
14    - attack.t1090
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\netsh.exe'
21        - OriginalFileName: 'netsh.exe'
22    selection_cli:
23        CommandLine|contains|all:
24            - ' i'
25            - ' p'
26            - '=3389'
27            - ' c'
28    condition: all of selection_*
29falsepositives:
30    - Legitimate administration activity
31level: high

References

Bypassing Network Restrictions Through RDP Tunneling | Mandiant | Google Cloud Blog

Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand...

Read More

RDP Port Forwarding Rule Added Via Netsh.EXE

Sigma rule (View on GitHub)

References

Bypassing Network Restrictions Through RDP Tunneling | Mandiant | Google Cloud Blog

Related rules