Query Details

Device Detect Inbound Public RDP

Query

// Detects inbound RDP network connections from public IP addresses

// Data connector required for this query - M365 Defender - Device* tables or Advanced Hunting license

// Works in both Microsoft Sentinel and Advanced Hunting.
// Note: Advanced Hunting on its own names the time column Timestamp rather than TimeGenerated;
// swap the column name in the project step if the query errors there.
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where LocalIPType == "Private" and RemoteIPType == "Public"
// Port 3389 catches the default listener; the command line clause catches the RDP service
// (TermService) accepting a connection on a non-default port. =~ is case-insensitive equality.
| where LocalPort == 3389 or InitiatingProcessCommandLine =~ "svchost.exe -k termsvcs -s TermService"
| project
    TimeGenerated,
    DeviceName,
    DeviceId,
    LocalIP,
    LocalPort,
    RemoteIP,
    InitiatingProcessCommandLine

Explanation

This query detects inbound Remote Desktop Protocol (RDP) network connections from public IP addresses. It requires the M365 Defender data connector (Device* tables) in Microsoft Sentinel or an Advanced Hunting license, and runs in both. The query keeps only events whose action type is "InboundConnectionAccepted" and whose local IP is private while the remote IP is public, so connections between internal hosts and outbound RDP sessions are excluded. It then matches on either the local port being 3389 (the default RDP listener) or the initiating process command line being exactly "svchost.exe -k termsvcs -s TermService" (case-insensitively, which is what the =~ operator means; it is not a substring match), so RDP listeners moved to a non-default port are still caught. Finally it projects the time generated, device name, device ID, local IP, local port, remote IP, and initiating process command line. Because of the LocalIPType == "Private" filter, a device with a public IP assigned directly to its interface will not be reported by this query.
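The same filtering logic, re-implemented in Python over a handful of constructed DeviceNetworkEvents-style records, so the two edge cases the query relies on can be checked offline: the RDP service accepting a connection on a non-default port, and the exact (case-insensitive) match that =~ performs. This is an added example, not code from the original page; the IP classification is a simplified stand-in for Defender's LocalIPType/RemoteIPType fields, and the sample events are invented.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceNetworkEvent:
    """Subset of the DeviceNetworkEvents columns the query touches."""
    TimeGenerated: str
    DeviceName: str
    DeviceId: str
    ActionType: str
    LocalIP: str
    LocalPort: int
    RemoteIP: str
    InitiatingProcessCommandLine: str


# Command line the query matches for the Remote Desktop Services host process.
TERMSERVICE_CMDLINE = "svchost.exe -k termsvcs -s TermService"

# Assumption: a simplified classifier standing in for Defender's LocalIPType/RemoteIPType.
# RFC 1918, loopback and link-local count as "Private"; everything else as "Public".
# (Defender's real field has further values such as Reserved and Loopback.)
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def ip_type(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return "Private" if any(addr in net for net in _PRIVATE_NETS) else "Public"


def is_inbound_public_rdp(ev: DeviceNetworkEvent) -> bool:
    """Python equivalent of the query's three `where` clauses."""
    if ev.ActionType != "InboundConnectionAccepted":
        return False
    if ip_type(ev.LocalIP) != "Private" or ip_type(ev.RemoteIP) != "Public":
        return False
    # KQL `=~` is case-insensitive equality over the whole string, not a substring test,
    # so a command line carrying extra text (e.g. a full path) does not match this clause.
    cmdline_match = ev.InitiatingProcessCommandLine.lower() == TERMSERVICE_CMDLINE.lower()
    return ev.LocalPort == 3389 or cmdline_match


def detect_inbound_public_rdp(events):
    """Equivalent of the `project` step: keep only the listed columns for each hit."""
    return [
        {
            "TimeGenerated": ev.TimeGenerated, "DeviceName": ev.DeviceName, "DeviceId": ev.DeviceId,
            "LocalIP": ev.LocalIP, "LocalPort": ev.LocalPort, "RemoteIP": ev.RemoteIP,
            "InitiatingProcessCommandLine": ev.InitiatingProcessCommandLine,
        }
        for ev in events if is_inbound_public_rdp(ev)
    ]


# Constructed sample records (not real telemetry); RFC 5737 documentation ranges play the public side.
SAMPLE_EVENTS = [
    # Default RDP port, public source: hit.
    DeviceNetworkEvent("2022-10-28T08:00:00Z", "ws01", "d1", "InboundConnectionAccepted",
                       "10.0.0.5", 3389, "203.0.113.10", TERMSERVICE_CMDLINE),
    # Same port but the peer is on the LAN: filtered out by RemoteIPType.
    DeviceNetworkEvent("2022-10-28T08:01:00Z", "ws01", "d1", "InboundConnectionAccepted",
                       "10.0.0.5", 3389, "192.168.1.20", TERMSERVICE_CMDLINE),
    # RDP listener moved to 33890; caught via the TermService command line, case-insensitively.
    DeviceNetworkEvent("2022-10-28T08:02:00Z", "ws07", "d7", "InboundConnectionAccepted",
                       "10.0.0.7", 33890, "198.51.100.4", "SVCHOST.EXE -k termsvcs -s TermService"),
    # Outbound RDP from the workstation: wrong ActionType.
    DeviceNetworkEvent("2022-10-28T08:03:00Z", "ws01", "d1", "ConnectionSuccess",
                       "10.0.0.5", 51234, "203.0.113.10", "mstsc.exe"),
    # Non-default port and a full-path command line: `=~` needs the whole string to match, so no hit.
    DeviceNetworkEvent("2022-10-28T08:04:00Z", "ws09", "d9", "InboundConnectionAccepted",
                       "10.0.0.9", 33891, "203.0.113.50",
                       r"C:\Windows\System32\svchost.exe -k termsvcs -s TermService"),
]


if __name__ == "__main__":
    for hit in detect_inbound_public_rdp(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the two hits (ws01 on 3389 and ws07 on 33890). If the command line your tenant logs for TermService differs from the exact string the query uses, switch the KQL clause from =~ to has or contains rather than relaxing the port test.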

Details

Matt Zorich

Released: October 28, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,LocalIPType,RemoteIPType,LocalPort,InitiatingProcessCommandLine,TimeGenerated,DeviceName,DeviceId,LocalIP,RemoteIP

Operators

|, where, ==, and, or, =~, project