Query Details
# *Windows Workstations with RDP Enabled and Allowed Connections*

## Query Information

### Category: Threat Hunting

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1021.001 | Remote Desktop Protocol | https://attack.mitre.org/techniques/T1021/001 |

#### Description

This Threat Hunting Query identifies Windows workstations where the Remote Desktop Protocol (RDP) service is running and configured to allow connections. This configuration, while legitimate, can increase the attack surface if not properly secured, making these systems potential targets for remote access by adversaries.

#### Author

- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

## Defender XDR

```KQL
// Threat Hunting Query
ExposureGraphNodes
| where NodeLabel == "device"
| extend RawDataDynamic = NodeProperties.rawData
| project-away NodeProperties
| evaluate bag_unpack(RawDataDynamic)
| where deviceSubtype == "Workstation"
| where onboardingStatus == "Onboarded"
| where osDistribution == "Windows"
| extend RdpServiceStatus = parse_json(rdpStatus.serviceRunning)
| where RdpServiceStatus == true
| extend RdpallowConnections = parse_json(rdpStatus.allowConnections)
| where RdpallowConnections == true
| extend RdpServiceStartMode = parse_json(remoteServicesInfo.rdp.startMode)
| extend RdpnlaMode = parse_json(remoteServicesInfo.rdp.nlaRequired)
| project deviceName, exposureScore, osPlatformFriendlyName, osVersionFriendlyName, RdpServiceStatus, RdpallowConnections, RdpServiceStartMode, RdpnlaMode
```
This query is designed for threat hunting and focuses on identifying Windows workstations that have the Remote Desktop Protocol (RDP) service running and configured to allow connections. Here's a simplified breakdown of what the query does:

- **Data Source:** It starts from the nodes labeled `device` in the `ExposureGraphNodes` table and unpacks the `rawData` property bag into columns.
- **Filtering for Workstations:** It keeps only devices whose subtype is `Workstation` and that have been onboarded to Defender.
- **Operating System:** It further narrows the results to devices running Windows.
- **RDP Service Check:** The query checks whether the RDP service is running on these devices.
- **RDP Connections Allowed:** It verifies whether the RDP service is configured to allow connections.
- **Additional RDP Configuration:** It retrieves further RDP details, namely the service start mode and whether Network Level Authentication (NLA) is required.
- **Output:** Finally, it lists the matching devices with the device name, exposure score, OS platform and version, and the RDP configuration status.

The purpose of this query is to identify potential security risks associated with RDP being enabled on Windows workstations, as this can increase the attack surface if not properly secured.
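A follow-up query, added here as an example and not part of the original hunting query, reuses the same exposure-graph filter and correlates it with inbound RDP connections accepted in the last 7 days from `DeviceNetworkEvents`, so workstations with NLA disabled and observed inbound RDP traffic surface first. It assumes the `InboundConnectionAccepted` action type on `DeviceNetworkEvents` and that `deviceName` in the exposure graph matches `DeviceName` in `DeviceNetworkEvents` once both are lower-cased.

```kql
// Added example, not part of the original query.
// Assumption: deviceName (exposure graph) matches DeviceName (DeviceNetworkEvents) after tolower().
let RdpWorkstations = ExposureGraphNodes
| where NodeLabel == "device"
| extend RawDataDynamic = NodeProperties.rawData
| project-away NodeProperties
| evaluate bag_unpack(RawDataDynamic)
| where deviceSubtype == "Workstation"
| where onboardingStatus == "Onboarded"
| where osDistribution == "Windows"
| where tobool(tostring(rdpStatus.serviceRunning)) == true
| where tobool(tostring(rdpStatus.allowConnections)) == true
| extend RdpNlaRequired = tobool(tostring(remoteServicesInfo.rdp.nlaRequired))
| project DeviceName = tolower(tostring(deviceName)), exposureScore, RdpNlaRequired;
// Inbound connections accepted on the default RDP port over the hunting window.
let InboundRdp = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 3389
| extend DeviceName = tolower(DeviceName)
| summarize InboundRdpConnections = count(),
            DistinctRemoteIPs = dcount(RemoteIP),
            RemoteIPs = make_set(RemoteIP, 20),
            LastInbound = max(Timestamp)
  by DeviceName;
// Left-join so workstations with no inbound RDP in the window are still listed.
RdpWorkstations
| join kind=leftouter InboundRdp on DeviceName
| extend InboundRdpConnections = coalesce(InboundRdpConnections, 0)
| extend RiskNote = case(
    RdpNlaRequired == false and InboundRdpConnections > 0, "NLA off, inbound RDP observed",
    RdpNlaRequired == false, "NLA off, no inbound RDP in window",
    InboundRdpConnections > 0, "NLA on, inbound RDP observed",
    "NLA on, no inbound RDP in window")
| project DeviceName, exposureScore, RdpNlaRequired, InboundRdpConnections,
          DistinctRemoteIPs, RemoteIPs, LastInbound, RiskNote
| order by RdpNlaRequired asc, InboundRdpConnections desc
```

Rows with `RiskNote` starting "NLA off" are the ones to remediate first, since the exposure graph alone does not show whether anything is actually connecting.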

Benjamin Zulliger
Released: June 18, 2026