RDP Connection Allowed Via Netsh.EXE
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| RDP Connection Allowed Via Netsh.EXE | Standard | Windows | Defense Evasion: Impair Defenses - Disable or Modify System Firewall (T1562.004) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects use of the netsh command to open the firewall and allow connections to port 3389 (RDP), a technique seen in use by the Sarwent malware.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Malware execution → Netsh command issued → RDP port opened → Remote access enabled → Lateral movement begins
Impact
- Unauthorized access
- Persistent backdoor
- Lateral movement
- Security bypass
Rule Requirement
Prerequisites
- Using Windows event viewer:
To enable detailed process auditing, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or modify a GPO linked to the appropriate OU, then enable Audit Process Creation and Audit Process Termination under Detailed Tracking, selecting the "Success" option for both. For deeper visibility, enable the Include command line in process creation events policy to capture command-line details. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key to support advanced event logging.
- Using Sysmon:
Download and install Sysmon from Microsoft Sysinternals, then run it with administrator privileges using a configuration file that includes process creation monitoring. Ensure the config captures all process creation events, and create the Microsoft-Windows-Sysmon/Operational registry key if it doesn’t already exist to enable event logging. This setup helps track detailed process activity for threat detection and investigation.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\netsh.exe" OR ORIGINALFILENAME = "netsh.exe") AND ((COMMANDLINE contains "firewall " AND COMMANDLINE contains "add " AND COMMANDLINE contains "tcp " AND COMMANDLINE contains "3389") AND COMMANDLINE contains "portopening,allow") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
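To show how the Criteria above behave on real netsh syntax, here is an added Python rendering of the rule (example code, not the product's own engine) run over constructed Sysmon-style events. It assumes Sysmon field names (Image, OriginalFileName, CommandLine), case-insensitive matching, and that the final clause "portopening,allow" means either term, as in the upstream Sigma rule.

```python
# Added example, not the rule engine's code: the Criteria above in Python, run
# over constructed Sysmon-style process-creation events (Image, OriginalFileName,
# CommandLine). Assumed: case-insensitive matching, and the final clause
# "portopening,allow" read as "portopening" OR "allow" (upstream Sigma semantics).

REQUIRED_ALL = ("firewall ", "add ", "tcp ", "3389")  # all must be present
REQUIRED_ANY = ("portopening", "allow")                # at least one must be present


def is_netsh(event: dict) -> bool:
    """PROCESSNAME endswith \\netsh.exe OR ORIGINALFILENAME = netsh.exe."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\netsh.exe") or original == "netsh.exe"


def matches_rdp_portopening(event: dict) -> bool:
    """True when the event satisfies every clause of the rule's Criteria."""
    if not is_netsh(event):
        return False
    cmd = event.get("CommandLine", "").lower()
    return all(t in cmd for t in REQUIRED_ALL) and any(t in cmd for t in REQUIRED_ANY)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {  # legacy 'netsh firewall' syntax
        "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh firewall add portopening tcp 3389 "Remote Desktop" enable'},
    {  # modern 'advfirewall' syntax; matched through the 'allow' clause
        "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
        "CommandLine": "netsh advfirewall firewall add rule name=RDP dir=in "
                       "protocol=tcp localport=3389 action=allow"},
    {  # renamed binary: still caught via OriginalFileName from the PE resource
        "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "netsh.exe",
        "CommandLine": "svc.exe firewall add portopening tcp 3389 rdp"},
    {  # firewall change for another port: must not alert
        "Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
        "CommandLine": "netsh advfirewall firewall add rule name=web dir=in "
                       "protocol=tcp localport=443 action=allow"},
]


def alerting_commandlines(events=SAMPLE_EVENTS) -> list:
    """Command lines of the events that would raise this rule."""
    return [e["CommandLine"] for e in events if matches_rdp_portopening(e)]


if __name__ == "__main__":
    for line in alerting_commandlines():
        print("ALERT:", line)
```

The third sample shows why the rule checks ORIGINALFILENAME as well as the image path: a copied or renamed netsh.exe keeps its PE version resource, so the rename alone does not evade the match.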
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: Impair Defenses - Disable or Modify System Firewall (T1562.004)
Security Standards
Enabling this rule will help you meet the security standards' requirements listed below:
- NIST SP 800-53: SI-4 – System monitoring
  Requires organizations to monitor systems for unauthorized changes and malicious activity.
  Triggering this rule highlights potentially malicious changes to firewall settings that expose RDP, supporting real-time threat detection.
- NIST SP 800-53: AU-6 – Audit review, analysis, and reporting
  Mandates regular review and analysis of logs to detect security-relevant events.
  Triggering this rule generates logs of suspicious RDP enablement via netsh.exe, aiding in the review of unauthorized access attempts.
- NIST SP 800-53: AC-17 – Remote access
  Ensures secure and controlled remote access to systems.
  Triggering this rule detects unsanctioned attempts to enable remote access, helping enforce secure access policies.
- NIST SP 800-53: CM-6 – Configuration settings
  Mandates enforcement and monitoring of approved security settings.
  Triggering this rule identifies unauthorized changes to firewall rules, signaling configuration drift or misuse.
- NIST SP 800-171: 3.1.12 – Monitor and control remote access sessions
  Focuses on the detection and management of remote sessions to protect sensitive systems.
  Triggering this rule flags unauthorized RDP access setups, helping meet the requirement for remote session control.
- NIST SP 800-53: IR-4 – Incident handling
  Calls for prompt detection and response to potential incidents.
  Triggering this rule serves as an early warning for potential malware-based backdoors, enabling quick containment and response.
Author
Sander Wiebing
Future actions
Known False Positives
This rule will be triggered when administrators legitimately use the netsh command to enable RDP for remote support or troubleshooting. Such authorized configuration changes can resemble malicious behavior, resulting in false positives.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Containment: Disable the newly added firewall rule and isolate the affected system to prevent unauthorized RDP access.
- Recovery: Restore the firewall configuration from a secure baseline and apply stricter controls on remote access and command-line tool usage.
Mitigation
| Mitigation ID | Mitigation Name | Description |
|---|---|---|
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |