Remote Desktop firewall rules
Date posted: 08/02/2022
Remote Desktop Enabled in Windows Firewall

Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.

Rule type: eql
Rule indices:
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
Version: 4 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.16.0
Rule authors: Elastic
Rule license: Elastic License v2

process where event.type in ("start", "process_started") and
  (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and
  process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and
  process.args : ("action=allow", "enable=Yes", "enable")

Framework: MITRE ATT&CK™

Version 4 (7.16.0 release)
Version 3 (7.12.0 release)
Version 2 (7.11.2 release)
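The query's four clauses can be exercised offline against sample process events. The Python below is an added example, not Elastic's code or tooling: the helper names and the ECS-shaped sample events are constructed for illustration, and it models EQL's ":" as a case-insensitive comparison and "==" as an exact one.

```python
# Added example: the rule's predicate re-expressed in Python for offline testing.
RDP_ARGS = ("localport=3389", "RemoteDesktop", 'group="remote desktop"')
ALLOW_ARGS = ("action=allow", "enable=Yes", "enable")

def any_arg(args, patterns):
    """EQL ':' on an array field: some element equals some pattern,
    ignoring case (this rule's patterns contain no wildcards)."""
    lowered = {a.lower() for a in args}
    return any(p.lower() in lowered for p in patterns)

def matches_rule(event):
    """Return True if a process event satisfies every clause of the query."""
    types = event.get("event", {}).get("type", [])
    if isinstance(types, str):
        types = [types]
    proc = event.get("process", {})
    is_netsh = (
        proc.get("name", "").lower() == "netsh.exe"                      # ':' ignores case
        or proc.get("pe", {}).get("original_file_name") == "netsh.exe"   # '==' is exact
    )
    return (
        any(t in ("start", "process_started") for t in types)
        and is_netsh
        and any_arg(proc.get("args", []), RDP_ARGS)
        and any_arg(proc.get("args", []), ALLOW_ARGS)
    )

def ev(name, orig, args, etype="start"):
    """Build a constructed ECS-shaped process event."""
    return {"event": {"type": [etype]},
            "process": {"name": name, "pe": {"original_file_name": orig}, "args": args}}

ADD_RULE = ["netsh", "advfirewall", "firewall", "add", "rule", "name=rdp", "dir=in"]

# Constructed sample events (not real telemetry).
SAMPLES = {
    "open_3389": ev("NETSH.EXE", "netsh.exe", ADD_RULE + ["action=allow", "localport=3389"]),
    # Binary copied under another name: only the PE original file name still matches.
    "enable_group_renamed": ev("svc.exe", "netsh.exe",
        ["svc.exe", "advfirewall", "firewall", "set", "rule",
         'group="remote desktop"', "new", "enable=Yes"]),
    "open_443": ev("netsh.exe", "netsh.exe", ADD_RULE + ["action=allow", "localport=443"]),
    "block_3389": ev("netsh.exe", "netsh.exe", ADD_RULE + ["action=block", "localport=3389"]),
    "process_end": ev("netsh.exe", "netsh.exe", ADD_RULE + ["action=allow", "localport=3389"], "end"),
}

def alerts(samples=SAMPLES):
    """Names of the sample events that would raise an alert."""
    return sorted(name for name, event in samples.items() if matches_rule(event))
```

The renamed-binary sample shows why the query checks process.pe.original_file_name in addition to process.name: a copy of netsh.exe stored under a different file name still matches.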