Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

RDP Connection Allowed Via Netsh.EXE

Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Sander WiebingCreated Sat May 23Updated Mon Dec 1101aeb693-138d-49d2-9403-c4f52d7d3d62windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
False Positives

Legitimate administration activity

References
1
Resolving title…
labs.sentinelone.com
MITRE ATT&CK
Rule Metadata
Rule ID
01aeb693-138d-49d2-9403-c4f52d7d3d62
Status
test
Level
high
Type
Detection
Created
Sat May 23
Modified
Mon Dec 11
Author
Sander Wiebing
Path
rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
Raw Tags
attack.defense-evasionattack.t1562.004
View on GitHub