Remote Desktop Enabled in Windows Firewall
Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 4 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.16.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query:
process where event.type in ("start", "process_started") and
  (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and
  process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and
  process.args : ("action=allow", "enable=Yes", "enable")
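As an added example (not Elastic's rule engine and not code from this page), the following Python evaluates the rule's predicate over a handful of constructed process events so the logic can be traced by hand. It applies the EQL semantics the query relies on: `:` compares case-insensitively with `*`/`?` wildcards and matches if any element of an array field matches any listed value, while `in` and `==` compare exactly. Field names are the flattened ECS names used by the rule; the sample events and the `renamed.exe` name are constructed.

```python
import re

# Added example, not Elastic's rule engine: a minimal evaluator for the rule's
# predicate, run over constructed process events shaped like the ECS fields
# the query references.


def _wildcard_regex(pattern):
    """Compile an EQL ':' pattern: '*' matches any run, '?' one char, case-insensitive."""
    out = []
    for piece in re.split(r"([*?])", pattern):
        if piece == "*":
            out.append(".*")
        elif piece == "?":
            out.append(".")
        else:
            out.append(re.escape(piece))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def _as_list(value):
    """ECS fields may be scalar or array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ci_match(field_value, patterns):
    """EQL `field : (p1, p2, ...)`: true if any element matches any pattern."""
    regexes = [_wildcard_regex(p) for p in patterns]
    return any(r.match(v) for v in _as_list(field_value)
               if isinstance(v, str) for r in regexes)


def matches_rule(event):
    """Evaluate the page's EQL predicate against one flattened event dict."""
    # event.type in ("start", "process_started"): 'in' is exact and case-sensitive
    if not any(t in ("start", "process_started")
               for t in _as_list(event.get("event.type"))):
        return False
    # process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe"
    is_netsh = (ci_match(event.get("process.name"), ["netsh.exe"])
                or event.get("process.pe.original_file_name") == "netsh.exe")
    if not is_netsh:
        return False
    args = event.get("process.args")
    # Both argument clauses must hold: the RDP rule/port is referenced
    # AND the command is allowing/enabling it.
    targets_rdp = ci_match(args, ["localport=3389", "RemoteDesktop",
                                  'group="remote desktop"'])
    allows = ci_match(args, ["action=allow", "enable=Yes", "enable"])
    return targets_rdp and allows


def run_rule(events):
    """Return one boolean per event: True where the rule would alert."""
    return [matches_rule(e) for e in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. netsh enabling the built-in Remote Desktop rule group -> alert
    {"event.type": ["start"], "process.name": "netsh.exe",
     "process.pe.original_file_name": "netsh.exe",
     "process.args": ["netsh", "advfirewall", "firewall", "set", "rule",
                      'group="remote desktop"', "new", "enable=Yes"]},
    # 2. netsh blocking port 3389: references RDP, but action is not allow/enable -> no alert
    {"event.type": ["start"], "process.name": "netsh.exe",
     "process.pe.original_file_name": "netsh.exe",
     "process.args": ["netsh", "advfirewall", "firewall", "add", "rule",
                      "name=Block RDP", "dir=in", "action=block",
                      "protocol=TCP", "localport=3389"]},
    # 3. process.name differs but the PE original name is netsh.exe, and the
    #    arguments use different casing -> alert (this is why the rule checks
    #    process.pe.original_file_name and uses ':' rather than '==')
    {"event.type": ["process_started"], "process.name": "renamed.exe",
     "process.pe.original_file_name": "netsh.exe",
     "process.args": ["renamed.exe", "advfirewall", "firewall", "set", "rule",
                      'group="Remote Desktop"', "new", "enable=yes"]},
    # 4. benign netsh query unrelated to the firewall -> no alert
    {"event.type": ["start"], "process.name": "netsh.exe",
     "process.pe.original_file_name": "netsh.exe",
     "process.args": ["netsh", "interface", "ip", "show", "config"]},
    # 5. same command as 1 but a process-end event -> no alert (rule is start-only)
    {"event.type": ["end"], "process.name": "netsh.exe",
     "process.pe.original_file_name": "netsh.exe",
     "process.args": ["netsh", "advfirewall", "firewall", "set", "rule",
                      'group="remote desktop"', "new", "enable=Yes"]},
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_rule(SAMPLE_EVENTS)):
        print(("ALERT " if hit else "      ") + " ".join(event["process.args"]))
```

Running it prints an ALERT marker for events 1 and 3 only. Event 2 shows the value of the second `process.args` clause: a command that merely mentions port 3389 while blocking it is not an enablement and does not fire. Note that a legitimate administrator enabling RDP with netsh produces exactly the same event as event 1, so an alert from this rule is a prompt to confirm the change with the host owner and change records rather than proof of compromise.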
Framework: MITRE ATT&CK™
Version history:
- Version 4 (7.16.0 release)
- Version 3 (7.12.0 release)
- Version 2 (7.11.2 release)