Query Details

Network Shell command for firewall to allow incoming RDP connections

Netsh Command For Firewall To Allow Incoming Rdp Connections

Query

let Timeframe = 1d; // Choose the best timeframe for your investigation
let fwcommands = dynamic([@"advfirewall", @"firewall", @"add rule", @"dir=in", @"localport=3389", @"action=allow"]);
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where FileName has @"netsh.exe"
| where ProcessCommandLine has_all (fwcommands)
| where ActionType has "ProcessCreated"
| project DeviceId, DeviceName, ProcessCommandLine

About this query

Network Shell command for firewall to allow incoming RDP connections

Description

Attackers can attempt to enable RDP, including leveraging multiple living-off-the-land tools. Once RDP is enabled, it allows the attackers to use any number of dual-use tools that leverage the RDP protocol. The following query will hunt for an attempt to create a firewall rule to specifically allow all incoming RDP connections using a Network Shell (netsh) command.

References

Microsoft Defender XDR

MITRE ATT&CK Mapping

Source

  • Microsoft Defender for Endpoint

Versioning

VersionDateComments
1.026/04/2024Initial publish

Explanation

This query looks for attempts to create a firewall rule allowing incoming RDP connections using the Network Shell (netsh) command. It checks for processes involving netsh.exe and specific firewall rule commands within a specified timeframe.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: April 26, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimestampFileNameProcessCommandLineActionTypeDeviceIdDeviceName

Operators

wherehashas_allproject

MITRE Techniques

Actions

GitHub