You are looking at preliminary documentation for a future release.
Not what you want? See the
current release documentation.
Remote Desktop Enabled in Windows Firewalledit
Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
process where event.type in ("start", "process_started") and (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and process.args : ("action=allow", "enable=Yes", "enable")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
-
Sub-technique:
- Name: Disable or Modify System Firewall
- ID: T1562.004
- Reference URL: https://attack.mitre.org/techniques/T1562/004/