RDP Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
Sigma rule (View on GitHub)
1title: RDP Port Forwarding Rule Added Via Netsh.EXE
2id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
3status: test
4description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
5references:
6 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
7author: Florian Roth (Nextron Systems), oscd.community
8date: 2019/01/29
9modified: 2023/02/13
10tags:
11 - attack.lateral_movement
12 - attack.defense_evasion
13 - attack.command_and_control
14 - attack.t1090
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\netsh.exe'
21 - OriginalFileName: 'netsh.exe'
22 selection_cli:
23 CommandLine|contains|all:
24 - ' i'
25 - ' p'
26 - '=3389'
27 - ' c'
28 condition: all of selection_*
29falsepositives:
30 - Legitimate administration activity
31level: high
References
-
Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand...
Read More
Related rules
- Suspicious Plink Port Forwarding
- DNS Query From Process with Double File Extension
- Download by Process with Double File Extension
- File Creation by Process with Double File Extension
- Network Connection From Process with Double File Extension