Exposed RDP: The Misconfiguration That Still Pays Off for Attackers
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article explains that exposed Remote Desktop Protocol services continue to serve as a common initial access vector for attackers. Many organizations still leave RDP ports reachable from the public internet, making them easy targets for automated scanning and opportunistic intrusion attempts. The post highlights real-world incidents in which attackers abused open RDP access or exposed RDWeb portals to enter environments and then expand their access through lateral movement.
Investigation
The cases described include a healthcare organization with an internet-exposed RDP port, an incident involving compromise through an RDWeb portal, and an intrusion in which attackers changed firewall and registry settings to enable RDP after exploiting a vulnerable SonicWall VPN device. In these scenarios, the attackers relied on straightforward Windows commands, reverse tunneling utilities, and credential-harvesting scripts to maintain access and move deeper into the network.
Mitigation
The recommended defenses focus on eliminating unnecessary RDP exposure, placing required RDP access behind properly configured firewalls, rotating credentials after any suspected exposure, and feeding firewall and VPN logs into a SIEM for faster detection. The article also advises deploying EDR coverage and monitoring for registry changes that enable or re-enable RDP services.
Response
If suspicious RDP-related activity is detected, responders should block the offending IP address, disable the RDP service, reverse any malicious registry changes, confirm that firewall rules have not been altered, and reset affected credentials. Ongoing monitoring for repeated access attempts and validation of all configuration changes are also essential.
Attack Flow
Detections
Possible Remote Desktop Services Shadowing (via registry_event)
View
Possible Remote Desktop Services Shadowing (via process_creation)
View
Suspicious Firewall Modifications via CLI (via cmdline)
View
Detect Registry Modification to Enable RDP Connections [Windows Registry Event]
View
Detection of Exposed RDP and Firewall Rule Modification [Firewall]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands:
- Reconnaissance (T1016.001): The adversary performs a quick scan of the target subnet to identify hosts with port 3389 open, using
Test-NetConnectionin a loop. - Privilege Escalation / Firewall Manipulation (T1021.001): Having obtained local admin rights, the attacker uses
netsh.exeto add a permissive inbound firewall rule for RDP, thereby exposing the service to the internet. - Post‑creation Verification: The attacker lists firewall rules to confirm the new entry exists, then initiates an RDP session (outside the scope of this test).
- Reconnaissance (T1016.001): The adversary performs a quick scan of the target subnet to identify hosts with port 3389 open, using
-
Regression Test Script:
#--------------------------------------------------------- # Simulated Adversary Activity – RDP Exposure via netsh #--------------------------------------------------------- # 1. Scan the local /24 subnet for open RDP ports (benign recon) $subnet = "10.0.0." 1..254 | ForEach-Object { $ip = "$subnet$_" $result = Test-NetConnection -ComputerName $ip -Port 3389 -WarningAction SilentlyContinue if ($result.TcpTestSucceeded) { Write-Host "[+] RDP open on $ip" } } # 2. Add a firewall rule that allows inbound RDP from any address $ruleName = "TempAllowRDP_$(Get-Random -Maximum 10000)" $netshCmd = "advfirewall firewall add rule name=`"$ruleName`" dir=in action=allow protocol=TCP localport=3389" Write-Host "`n[+] Creating firewall rule via netsh..." Start-Process -FilePath "$env:SystemRootSystem32netsh.exe" -ArgumentList $netshCmd -Wait -NoNewWindow # 3. Verify the rule exists (optional, helps confirm telemetry) netsh advfirewall firewall show rule name=$ruleName # End of simulated attack -
Cleanup Commands:
#--------------------------------------------------------- # Remove the temporary firewall rule created during the test #--------------------------------------------------------- $rulePrefix = "TempAllowRDP_" $rules = netsh advfirewall firewall show rule name=all | Select-String -Pattern $rulePrefix | ForEach-Object { ($_ -split 's+')[0] } foreach ($r in $rules) { Write-Host "[*] Deleting rule $r" netsh advfirewall firewall delete rule name=$r }