SOC Prime Bias: Critical

22 May 2026 07:08 UTC

Exposed RDP: The Misconfiguration That Still Pays Off for Attackers

Author: SOC Prime Team


Summary

The article explains that exposed Remote Desktop Protocol services continue to serve as a common initial access vector for attackers. Many organizations still leave RDP ports reachable from the public internet, making them easy targets for automated scanning and opportunistic intrusion attempts. The post highlights real-world incidents in which attackers abused open RDP access or exposed RDWeb portals to enter environments and then expand their access through lateral movement.

Investigation

The cases described include a healthcare organization with an internet-exposed RDP port, an incident involving compromise through an RDWeb portal, and an intrusion in which attackers changed firewall and registry settings to enable RDP after exploiting a vulnerable SonicWall VPN device. In these scenarios, the attackers relied on straightforward Windows commands, reverse tunneling utilities, and credential-harvesting scripts to maintain access and move deeper into the network.

Mitigation

The recommended defenses focus on eliminating unnecessary RDP exposure, placing required RDP access behind properly configured firewalls, rotating credentials after any suspected exposure, and feeding firewall and VPN logs into a SIEM for faster detection. The article also advises deploying EDR coverage and monitoring for registry changes that enable or re-enable RDP services.
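As an added example (not code from the SOC Prime article or its detection content), the following Python turns the monitoring advice above into detection logic and runs it over constructed Sysmon-style records: a netsh rule opening inbound TCP/3389, a reg.exe write setting fDenyTSConnections to 0, and a TermService start. Field names and the sample events are assumptions made for this example.

```python
import re

# Constructed sample telemetry (not from the page): Sysmon-style process
# creation (event_id 1) and registry value set (event_id 13) records.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="TempAllowRDP_42" '
                     'dir=in action=allow protocol=TCP localport=3389'},
    {"host": "ws01", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net start TermService"},
    {"host": "ws02", "event_id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall firewall show rule name=all"},  # read-only, benign
    {"host": "ws03", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000001)"},  # RDP being disabled, not an exposure
]

RDP_PORT = re.compile(r"\blocalport=\S*\b3389\b", re.I)
SERVICE_START = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+start\s+termservice\b", re.I)


def classify(event):
    """Return the name of the rule an event triggers, or None."""
    cmd = event.get("command_line", "")
    low = cmd.lower()
    if event["event_id"] == 1 and "advfirewall" in low and "add rule" in low \
            and "dir=in" in low and "action=allow" in low and RDP_PORT.search(cmd):
        return "firewall_rule_opens_rdp"  # T1562.004: inbound allow for 3389
    if event["event_id"] == 13 \
            and event.get("target_object", "").lower().endswith(r"\terminal server\fdenytsconnections") \
            and "0x00000000" in event.get("details", ""):
        return "registry_enables_rdp"  # fDenyTSConnections set to 0 re-enables RDP
    if event["event_id"] == 1 and SERVICE_START.search(cmd):
        return "termservice_started"  # T1569: Remote Desktop service started
    return None


def detect(events):
    """List (host, rule) pairs for every event that matches a rule."""
    return [(e["host"], r) for e in events if (r := classify(e))]


def score_hosts(findings):
    """Count distinct rules per host; 2+ on one host is the 'enable RDP' chain."""
    per_host = {}
    for host, rule in findings:
        per_host.setdefault(host, set()).add(rule)
    return {h: len(rules) for h, rules in per_host.items()}
```

Running `score_hosts(detect(SAMPLE_EVENTS))` on the constructed records flags only ws01, where all three behaviours occur together; the read-only netsh listing and the registry write that disables RDP produce no finding.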

Response

If suspicious RDP-related activity is detected, responders should block the offending IP address, disable the RDP service, reverse any malicious registry changes, confirm that firewall rules have not been altered, and reset affected credentials. Ongoing monitoring for repeated access attempts and validation of all configuration changes are also essential.

Attack Flow

    graph TB
        %% Class Definitions
        classDef technique fill:#ffcc99
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef operator fill:#ff9900

        %% Nodes - Techniques
        tech_scanning_ip["<b>Technique</b> - <b>T1595.001</b><br/><b>Name</b>: Active Scanning: Scanning IP Blocks<br/><b>Description</b>: Adversary probes ranges of IP addresses to locate vulnerable hosts."]
        class tech_scanning_ip technique
        tech_scanning_vuln["<b>Technique</b> - <b>T1595.002</b><br/><b>Name</b>: Active Scanning: Vulnerability Scanning<br/><b>Description</b>: Uses automated tools to find known vulnerabilities in remote systems."]
        class tech_scanning_vuln technique
        tech_valid_accounts["<b>Technique</b> - <b>T1078</b><br/><b>Name</b>: Valid Accounts<br/><b>Description</b>: Use of stolen or otherwise compromised credentials to gain access."]
        class tech_valid_accounts technique
        tech_disable_firewall["<b>Technique</b> - <b>T1562.004</b><br/><b>Name</b>: Disable or Modify System Firewall<br/><b>Description</b>: Alters firewall configuration to allow inbound traffic such as RDP."]
        class tech_disable_firewall technique
        tech_create_modify_process["<b>Technique</b> - <b>T1543</b><br/><b>Name</b>: Create or Modify System Process<br/><b>Description</b>: Creates or changes system processes via registry or service configuration."]
        class tech_create_modify_process technique
        tech_system_services["<b>Technique</b> - <b>T1569</b><br/><b>Name</b>: System Services<br/><b>Description</b>: Manipulates services to execute malicious code or maintain persistence."]
        class tech_system_services technique
        tech_discovery_network["<b>Technique</b> - <b>T1049</b><br/><b>Name</b>: System Network Connections Discovery<br/><b>Description</b>: Enumerates active network connections on the compromised host."]
        class tech_discovery_network technique

        %% Nodes - Tools / Commands
        tool_shodan["<b>Tool</b> - <b>Name</b>: Shodan<br/><b>Description</b>: Internet-wide scanning service used to discover exposed services such as RDP."]
        class tool_shodan tool
        tool_rdp["<b>Tool</b> - <b>Name</b>: Remote Desktop Protocol (RDP)<br/><b>Description</b>: Windows remote login service leveraged after credential theft."]
        class tool_rdp tool
        tool_netsh["<b>Tool</b> - <b>Name</b>: netsh<br/><b>Command</b>: netsh advfirewall add rule name='RDP-Open' dir=in protocol=TCP localport=3389 action=allow enable=yes"]
        class tool_netsh tool
        tool_reg["<b>Tool</b> - <b>Name</b>: reg.exe<br/><b>Command</b>: reg add #quot;HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server#quot; /v fDenyTSConnections /t REG_DWORD /d 0 /f"]
        class tool_reg tool
        tool_netstart["<b>Tool</b> - <b>Name</b>: net start<br/><b>Command</b>: net start TermService"]
        class tool_netstart tool
        tool_adv_ip_scanner["<b>Tool</b> - <b>Name</b>: Advanced IP Scanner<br/><b>Description</b>: GUI utility used to enumerate devices and network connections."]
        class tool_adv_ip_scanner tool

        %% Connections - Attack Flow
        tech_scanning_ip -->|uses| tool_shodan
        tech_scanning_ip -->|leads_to| tech_scanning_vuln
        tech_scanning_vuln -->|leads_to| tech_valid_accounts
        tech_valid_accounts -->|uses| tool_rdp
        tool_rdp -->|enables| tech_disable_firewall
        tech_disable_firewall -->|uses| tool_netsh
        tech_disable_firewall -->|leads_to| tech_create_modify_process
        tech_create_modify_process -->|uses| tool_reg
        tech_create_modify_process -->|leads_to| tech_system_services
        tech_system_services -->|uses| tool_netstart
        tech_valid_accounts -->|reused_for| tech_valid_accounts
        tech_valid_accounts -->|leads_to| tech_discovery_network
        tech_discovery_network -->|uses| tool_adv_ip_scanner

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Reconnaissance (T1016.001): The adversary performs a quick scan of the target subnet to identify hosts with port 3389 open, using Test-NetConnection in a loop.
    2. Privilege Escalation / Firewall Manipulation (T1021.001): Having obtained local admin rights, the attacker uses netsh.exe to add a permissive inbound firewall rule for RDP, thereby exposing the service to the internet.
    3. Post-creation Verification: The attacker lists firewall rules to confirm the new entry exists, then initiates an RDP session (outside the scope of this test).
  • Regression Test Script:

    #---------------------------------------------------------
    # Simulated Adversary Activity – RDP Exposure via netsh
    #---------------------------------------------------------
    # 1. Scan the local /24 subnet for open RDP ports (benign recon)
    $subnet = "10.0.0."
    1..254 | ForEach-Object {
        $ip = "$subnet$_"
        $result = Test-NetConnection -ComputerName $ip -Port 3389 -WarningAction SilentlyContinue
        if ($result.TcpTestSucceeded) {
            Write-Host "[+] RDP open on $ip"
        }
    }
    
    # 2. Add a firewall rule that allows inbound RDP from any address
    #    (requires an elevated PowerShell session)
    $ruleName = "TempAllowRDP_$(Get-Random -Maximum 10000)"
    $netshCmd = "advfirewall firewall add rule name=`"$ruleName`" dir=in action=allow protocol=TCP localport=3389"
    Write-Host "`n[+] Creating firewall rule via netsh..."
    # Launch netsh.exe by its full path so the telemetry records the expected image
    Start-Process -FilePath "$env:SystemRoot\System32\netsh.exe" -ArgumentList $netshCmd -Wait -NoNewWindow
    
    # 3. Verify the rule exists (optional, helps confirm telemetry)
    netsh advfirewall firewall show rule name=$ruleName
    
    # End of simulated attack
  • Cleanup Commands:

    #---------------------------------------------------------
    # Remove the temporary firewall rule(s) created during the test
    #---------------------------------------------------------
    $rulePrefix = "TempAllowRDP_"
    # "show rule name=all" prints one "Rule Name: <name>" line per rule;
    # capture only the names carrying the test prefix (English-locale output)
    $rules = netsh advfirewall firewall show rule name=all |
             Select-String -Pattern "^Rule Name:\s+($rulePrefix\S+)" |
             ForEach-Object { $_.Matches[0].Groups[1].Value }
    
    foreach ($r in $rules) {
        Write-Host "[*] Deleting rule $r"
        netsh advfirewall firewall delete rule name=$r
    }