Query Details

Rdp Default Listening Port Modification

Query

let Timeframe = 1d; // Choose the best timeframe for your investigation
DeviceRegistryEvents
| where Timestamp > ago(Timeframe)
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp"
| where RegistryValueName == @"PortNumber"
| where RegistryValueData != @"3389"
| where ActionType == @"RegistryValueSet"
| project Timestamp, DeviceName, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessFileName

About this query

RDP default listening port modification

Description

Changing the default port 3389 to a non-standard port, could indicate a potential APT behaviour to avoid being detected abusing RDP connection.

References

Microsoft Defender XDR

MITRE ATT&CK Mapping

Source

  • Microsoft Defender for Endpoint

Versioning

VersionDateComments
1.027/04/2024Initial publish

Explanation

This query looks for any changes made to the default RDP port (3389) on a Windows system, which could indicate potential malicious activity. It checks for modifications to the registry key related to RDP port number and provides information on the device name, previous port number, and the process that made the change. This can help in detecting attackers trying to avoid detection by using non-standard RDP ports.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: April 27, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsTimestampRegistryKeyRegistryValueNameRegistryValueDataActionTypeDeviceNamePreviousRegistryValueNamePreviousRegistryValueDataInitiatingProcessFileName

Operators

whereprojectletago==!=&&||><>=<=+-

MITRE Techniques

Actions

GitHub