Rdp Default Listening Port Modification
Query
let Timeframe = 1d; // Choose the best timeframe for your investigation
DeviceRegistryEvents
| where Timestamp > ago(Timeframe)
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp"
| where RegistryValueName == @"PortNumber"
| where RegistryValueData != @"3389"
| where ActionType == @"RegistryValueSet"
| project Timestamp, DeviceName, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessFileNameAbout this query
RDP default listening port modification
Description
Changing the default port 3389 to a non-standard port, could indicate a potential APT behaviour to avoid being detected abusing RDP connection.
References
Microsoft Defender XDR
MITRE ATT&CK Mapping
- Tactic: Command and Control
- Technique ID: T1571
- Non-Standard Port
Source
- Microsoft Defender for Endpoint
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 27/04/2024 | Initial publish |
Explanation
This query looks for any changes made to the default RDP port (3389) on a Windows system, which could indicate potential malicious activity. It checks for modifications to the registry key related to RDP port number and provides information on the device name, previous port number, and the process that made the change. This can help in detecting attackers trying to avoid detection by using non-standard RDP ports.
Details

Michalis Michalos
Released: April 27, 2024
Tables
DeviceRegistryEvents
Keywords
DeviceRegistryEventsTimestampRegistryKeyRegistryValueNameRegistryValueDataActionTypeDeviceNamePreviousRegistryValueNamePreviousRegistryValueDataInitiatingProcessFileName
Operators
whereprojectletago==!=&&||><>=<=+-
MITRE Techniques