Query Details

Windows Workstations With RDP Enabled And Allowed Connections

Query

// Threat Hunting Query
ExposureGraphNodes
| where NodeLabel == "device"
| extend RawDataDynamic = NodeProperties.rawData
| project-away NodeProperties
| evaluate bag_unpack(RawDataDynamic)
| where deviceSubtype == "Workstation"
| where onboardingStatus == "Onboarded"
| where osDistribution == "Windows"
| extend RdpServiceStatus = parse_json(rdpStatus.serviceRunning)
| where RdpServiceStatus == true
| extend RdpallowConnections = parse_json(rdpStatus.allowConnections)
| where RdpallowConnections == true
| extend RdpServiceStartMode = parse_json(remoteServicesInfo.rdp.startMode)
| extend RdpnlaMode = parse_json(remoteServicesInfo.rdp.nlaRequired)
| project deviceName, exposureScore, osPlatformFriendlyName, osVersionFriendlyName, RdpServiceStatus, RdpallowConnections, RdpServiceStartMode, RdpnlaMode

About this query

Windows Workstations with RDP Enabled and Allowed Connections

Query Information

Category: Threat Hunting

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1021.001Remote Desktop Protocolhttps://attack.mitre.org/techniques/T1021/001

Description

This Threat Hunting Query identifies Windows workstations where the Remote Desktop Protocol (RDP) service is running and configured to allow connections. This configuration, while legitimate, can increase the attack surface if not properly secured, making these systems potential targets for remote access by adversaries.

Author <Optional>

Defender XDR

Explanation

This query is designed for threat hunting and focuses on identifying Windows workstations that have the Remote Desktop Protocol (RDP) service running and configured to allow connections. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at nodes labeled as "device" in the ExposureGraphNodes dataset.

  2. Filtering for Workstations: It filters out devices that are specifically workstations and have been onboarded into the system.

  3. Operating System: It further narrows down the results to devices running the Windows operating system.

  4. RDP Service Check: The query checks if the RDP service is running on these devices.

  5. RDP Connections Allowed: It verifies if the RDP service is configured to allow connections.

  6. Additional RDP Configuration: It retrieves additional RDP configuration details such as the service start mode and whether Network Level Authentication (NLA) is required.

  7. Output: Finally, it outputs a list of devices with relevant details like device name, exposure score, OS platform and version, and RDP configuration status.

The purpose of this query is to identify potential security risks associated with RDP being enabled on Windows workstations, as this can increase the attack surface if not properly secured.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: June 18, 2026

Tables

ExposureGraphNodes

Keywords

WindowsWorkstationsRDPConnectionsDeviceRemoteAccessSystemsAttackSurfaceAdversaries

Operators

//|==extendproject-awayevaluatebag_unpackwhereparse_jsonproject

MITRE Techniques

Actions

GitHub