Windows Workstations With RDP Enabled And Allowed Connections
Query
// Threat Hunting Query
ExposureGraphNodes
| where NodeLabel == "device"
| extend RawDataDynamic = NodeProperties.rawData
| project-away NodeProperties
| evaluate bag_unpack(RawDataDynamic)
| where deviceSubtype == "Workstation"
| where onboardingStatus == "Onboarded"
| where osDistribution == "Windows"
| extend RdpServiceStatus = parse_json(rdpStatus.serviceRunning)
| where RdpServiceStatus == true
| extend RdpallowConnections = parse_json(rdpStatus.allowConnections)
| where RdpallowConnections == true
| extend RdpServiceStartMode = parse_json(remoteServicesInfo.rdp.startMode)
| extend RdpnlaMode = parse_json(remoteServicesInfo.rdp.nlaRequired)
| project deviceName, exposureScore, osPlatformFriendlyName, osVersionFriendlyName, RdpServiceStatus, RdpallowConnections, RdpServiceStartMode, RdpnlaModeAbout this query
Windows Workstations with RDP Enabled and Allowed Connections
Query Information
Category: Threat Hunting
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1021.001 | Remote Desktop Protocol | https://attack.mitre.org/techniques/T1021/001 |
Description
This Threat Hunting Query identifies Windows workstations where the Remote Desktop Protocol (RDP) service is running and configured to allow connections. This configuration, while legitimate, can increase the attack surface if not properly secured, making these systems potential targets for remote access by adversaries.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
Defender XDR
Explanation
This query is designed for threat hunting and focuses on identifying Windows workstations that have the Remote Desktop Protocol (RDP) service running and configured to allow connections. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by looking at nodes labeled as "device" in the
ExposureGraphNodesdataset. -
Filtering for Workstations: It filters out devices that are specifically workstations and have been onboarded into the system.
-
Operating System: It further narrows down the results to devices running the Windows operating system.
-
RDP Service Check: The query checks if the RDP service is running on these devices.
-
RDP Connections Allowed: It verifies if the RDP service is configured to allow connections.
-
Additional RDP Configuration: It retrieves additional RDP configuration details such as the service start mode and whether Network Level Authentication (NLA) is required.
-
Output: Finally, it outputs a list of devices with relevant details like device name, exposure score, OS platform and version, and RDP configuration status.
The purpose of this query is to identify potential security risks associated with RDP being enabled on Windows workstations, as this can increase the attack surface if not properly secured.
