Detectionhightest

Publicly Accessible RDP Service

Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Josh BrowerCreated Sat Aug 22Updated Wed Mar 131fc0809e-06bf-4de3-ad52-25e5263b7623network

Log Source

Zeek (Bro)rdp

ProductZeek (Bro)← raw: zeek

Servicerdp← raw: rdp

Detection Logic

detection:
    selection:
        id.orig_h|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '2620:83:8000::/48'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    # approved_rdp:
      # dst_ip:
        # - x.x.x.x
    condition: not selection # and not approved_rdp

False Positives

Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Sub-techniques

T1021.001 · Remote Desktop Protocol

Rule Metadata

Rule ID

1fc0809e-06bf-4de3-ad52-25e5263b7623

Status

test

Level

high

Type

Detection

Created

Sat Aug 22

Modified

Wed Mar 13

Author

Josh Brower

Path

rules/network/zeek/zeek_rdp_public_listener.yml

Raw Tags

attack.lateral-movementattack.t1021.001

View on GitHub