Network Shell command for firewall to allow incoming RDP connections
Netsh Command For Firewall To Allow Incoming Rdp Connections
Query
let Timeframe = 1d; // Choose the best timeframe for your investigation
let fwcommands = dynamic([@"advfirewall", @"firewall", @"add rule", @"dir=in", @"localport=3389", @"action=allow"]);
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where FileName has @"netsh.exe"
| where ProcessCommandLine has_all (fwcommands)
| where ActionType has "ProcessCreated"
| project DeviceId, DeviceName, ProcessCommandLineAbout this query
Network Shell command for firewall to allow incoming RDP connections
Description
Attackers can attempt to enable RDP, including leveraging multiple living-off-the-land tools. Once RDP is enabled, it allows the attackers to use any number of dual-use tools that leverage the RDP protocol. The following query will hunt for an attempt to create a firewall rule to specifically allow all incoming RDP connections using a Network Shell (netsh) command.
References
Microsoft Defender XDR
MITRE ATT&CK Mapping
- Tactic: Impair Defenses
- Technique ID: T1562.004
- Impair Defenses: Disable or Modify System Firewall
Source
- Microsoft Defender for Endpoint
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 26/04/2024 | Initial publish |
Explanation
This query looks for attempts to create a firewall rule allowing incoming RDP connections using the Network Shell (netsh) command. It checks for processes involving netsh.exe and specific firewall rule commands within a specified timeframe.
