Merge pull request #791 from SanWieb/master

added rule for Netsh RDP port opening
2024-11-07 09:48:58 +00:00 · 2020-05-23 16:50:31 +02:00 · 2020-05-23 16:50:31 +02:00 · 9cd9a301c2
commit 9cd9a301c2
parent ee1ca77fad d310805ed9
1 changed files with 31 additions and 0 deletions
--- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
+++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml
@ -0,0 +1,31 @@
+title: Netsh RDP Port Opening
+id: 01aeb693-138d-49d2-9403-c4f52d7d3d62 
+description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
+references:
+    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
+date: 2020/05/23
+tags:
+    - attack.command_and_control
+    - attack.t1076
+status: experimental
+author: Sander Wiebing
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains|all:
+            - netsh
+            - firewall add portopening
+            - tcp 3389
+    selection2:
+        CommandLine|contains|all:
+            - netsh
+            - advfirewall firewall add rule
+            - action=allow
+            - protocol=TCP
+            - localport=3389
+    condition: 1 of them
+falsepositives:
+    - Legitimate administration
+level: high