Detection rules › Splunk
RDP Enabled (Windows Event Log)
Detects if RDP service has been enabled on Windows host
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Impairment | T1112 Modify Registry |
| Lateral Movement | T1021.001 Remote Services: Remote Desktop Protocol |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '1106.1171'
title: RDP Enabled
description: 'Detects if RDP service has been enabled on Windows host -- Threat Actor
Association: APT35/Phosphorus/Magic Hound, DarkSide, BlackMatter, FIN7, TA551, Wizard
Spider, Yanluowang -- Software Association: BianLian, Black Basta, Conti, Hive,
IcedID, Insekt, Lockbit, Nefilim, Ryuk Ransomware, Sodinokibi/REvil'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) ( ("reg.exe" AND TERM(add) AND TERM(fDenyTSConnections)
AND TERM(REG_DWORD) AND TERM(/d) AND TERM(0) AND TERM(Terminal) AND TERM(SERVER)
) OR ("netsh.exe" AND TERM(remote) AND TERM(desktop) AND TERM(enable=yes)) ) | table
_time, host, user process, process_name, signature_id | bin span=1s | stats values(*)
as * by _time, host '
techniques:
- defense-evasion:modify registry
- lateral-movement:remote services:remote desktop protocol
technique_id:
- T1112
- T1021.001
data_category:
- Windows event logs
references:
- https://pureinfotech.com/enable-remote-desktop-command-prompt-windows-10/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) ( ("reg.exe" AND TERM(add) AND TERM(fDenyTSConnections) AND TERM(REG_DWORD) AND TERM(/d) AND TERM(0) AND TERM(Terminal) AND TERM(SERVER) ) OR ("netsh.exe" AND TERM(remote) AND TERM(desktop) AND TERM(enable=yes)) )
Stage 2: table
| table _time, host, user process, process_name, signature_id
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | "reg.exe" |
| 1 | TERM |
| 1 | add |
| 1 | TERM |
| 1 | fDenyTSConnections |
| 1 | TERM |
| 1 | REG_DWORD |
| 1 | "/d" |
| 1 | TERM |
| 1 | 0 |
| 1 | TERM |
| 1 | Terminal |
| 1 | TERM |
| 1 | SERVER |
| 1 | "netsh.exe" |
| 1 | TERM |
| 1 | remote |
| 1 | TERM |
| 1 | desktop |
| 1 | "enable=yes" |