Detection | high | test

Default RDP Port Changed to Non Standard Port

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Author: François Hubaut | Created: Sat Jan 01 | Updated: Mon Mar 25 | ID: 509e84b9-a71a-40e0-834f-05470369bd1e | windows
Log Source
Windows / Registry Set
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (2 selectors)
detection:
    selection:
        TargetObject|endswith: '\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber'
    filter_main_port:
        Details: DWORD (0x00000d3d) # 3389
    condition: selection and not 1 of filter_main_*
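
The detection logic above, evaluated over constructed events, as an added example that is not part of the SigmaHQ rule or of this page. The event dictionaries, the helper names and the port-decoding step for triage are assumptions made for illustration.

```python
import re

# Values taken from the rule's detection block.
TARGET_SUFFIX = r"\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
DEFAULT_DETAILS = "DWORD (0x00000d3d)"  # 3389
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.IGNORECASE)
KEY = r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

def matches_rule(event):
    """condition: selection and not 1 of filter_main_*"""
    # Sigma string modifiers compare case-insensitively by default.
    selection = event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX.lower())
    filter_main_port = event.get("Details", "").lower() == DEFAULT_DETAILS.lower()
    return selection and not filter_main_port

def new_port(event):
    """Decode the port written to the value; None when Details is not a DWORD."""
    m = DWORD_RE.fullmatch(event.get("Details", ""))
    return int(m.group(1), 16) if m else None

def triage(events):
    """Return (writing process, new port) for every event the rule would flag."""
    return [(e.get("Image"), new_port(e)) for e in events if matches_rule(e)]

# Constructed sample events (field names follow Sysmon registry value set events).
SAMPLE_EVENTS = [
    # Port moved to 4489: flagged.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": KEY + r"\PortNumber", "Details": "DWORD (0x00001189)"},
    # Value rewritten with the default 3389: excluded by filter_main_port.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": KEY + r"\PortNumber", "Details": "DWORD (0x00000d3d)"},
    # Different control set and letter case: still matched by endswith.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"hklm\system\controlset001\control\terminal server\winstations\rdp-tcp\portnumber",
     "Details": "DWORD (0x0000d431)"},
    # Sibling value under the same key: not selected.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": KEY + r"\UserAuthentication", "Details": "DWORD (0x00000000)"},
    # Value written as a string rather than a DWORD: flagged, port not decodable.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": KEY + r"\PortNumber", "Details": "3390"},
]

if __name__ == "__main__":
    for image, port in triage(SAMPLE_EVENTS):
        print(f"ALERT RDP PortNumber set by {image}: {port if port else 'non-DWORD value'}")
```

The last sample shows that the filter only excludes the exact default `Details` string, so any other representation of the value still raises the alert and needs manual review.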
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Testing & Validation

Simulations

atomic-red-team: T1021.001

Changing RDP Port to Non Standard Port via Powershell

GUID: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771

atomic-red-team: T1021.001

Changing RDP Port to Non Standard Port via Command_Prompt

GUID: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73

Regression Tests

by SigmaHQ Team
Positive Detection Test: 1 match (evtx)

Microsoft-Windows-Sysmon

Rule Metadata
Rule ID: 509e84b9-a71a-40e0-834f-05470369bd1e
Status: test
Level: high
Type: Detection
Created: Sat Jan 01
Modified: Mon Mar 25
Path: rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010