sigmahighHunting

RDP Connection Allowed Via Netsh.EXE

Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware

MITRE ATT&CK

defense-evasion

Detection Query

selection_img:
  - Image|endswith: \netsh.exe
  - OriginalFileName: netsh.exe
selection_cli:
  CommandLine|contains|all:
    - "firewall "
    - "add "
    - "tcp "
    - "3389"
  CommandLine|contains:
    - portopening
    - allow
condition: all of selection_*

Author

Sander Wiebing

Created

2020-05-23

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/

Tags

attack.defense-evasionattack.t1562.004

Raw Content

title: RDP Connection Allowed Via Netsh.EXE
id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
status: test
description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
references:
    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
author: Sander Wiebing
date: 2020-05-23
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high