Sid 1-49040

Message

OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt

Summary

This event is generated when an attempt to carry RDP over a non-standard port, in order to bypass network restrictions and gain lateral access to other devices, has been detected.

Impact

High

Detailed information

An attacker can gain access to several devices through a compromised Windows computer that sits behind a firewall which allows RDP access to that computer (as previously configured by the firewall administrator). The attacker can make the compromised computer forward RDP requests to other internal computers or servers in an attempt to move laterally inside the victim network.

Affected systems

  • Windows computers with RDP access enabled

Ease of attack

Medium. It requires existing access to a compromised computer inside the target network.

False positives

N/A

False negatives

N/A

Corrective action

Enforce protocol-to-port verification on network devices, such as firewalls or IPS, that can detect a mismatch between a protocol and the port it is carried on and drop suspicious or malicious connections.
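The protocol-to-port mismatch check described above, written as an added example (this is not the Talos rule's own content or Snort's detection logic): it flags any flow whose first client bytes are the TPKT-framed X.224 Connection Request that every RDP session begins with, but whose destination port is not 3389. The sample flows, IP addresses and the mstshash cookie value are constructed.

```python
import struct

RDP_DEFAULT_PORT = 3389
X224_CR_CODE = 0xE0  # X.224 Connection Request TPDU code (high nibble)


def is_rdp_connection_request(payload: bytes) -> bool:
    """True if the first client bytes are a TPKT-framed X.224 Connection Request.

    Every RDP connection starts this way: TPKT header (RFC 1006: version 3,
    reserved 0, 16-bit total length) followed by an X.224 CR TPDU.
    """
    if len(payload) < 11:  # 4-byte TPKT + 1-byte LI + 6-byte minimal CR TPDU
        return False
    version, reserved, length = struct.unpack("!BBH", payload[:4])
    if version != 3 or reserved != 0 or length != len(payload):
        return False
    li, code = payload[4], payload[5]
    # LI counts the TPDU bytes after itself; a CR TPDU is at least 6 bytes.
    if li < 6 or li > len(payload) - 5:
        return False
    return (code & 0xF0) == X224_CR_CODE


def find_rdp_on_nonstandard_ports(flows):
    """flows: (src_ip, dst_ip, dst_port, first_client_payload) tuples.
    Returns (src, dst, port) for RDP connection starts seen on a port != 3389."""
    return [(src, dst, dport) for src, dst, dport, data in flows
            if dport != RDP_DEFAULT_PORT and is_rdp_connection_request(data)]


def build_x224_cr(cookie: bytes = b"") -> bytes:
    """Constructed sample: a minimal X.224 CR as an RDP client would send it."""
    tpdu = bytes([X224_CR_CODE, 0, 0, 0, 0, 0]) + cookie  # code, DST-REF, SRC-REF, class
    x224 = bytes([len(tpdu)]) + tpdu                      # LI prefix
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


# Constructed sample flows (not real traffic): one normal RDP session, one RDP
# session carried over port 443, and two genuine port-443/8080 clients.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 3389, build_x224_cr(b"Cookie: mstshash=alice\r\n")),
    ("10.0.0.5", "10.0.0.21", 443, build_x224_cr(b"Cookie: mstshash=alice\r\n")),
    ("10.0.0.5", "10.0.0.22", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03"),
    ("10.0.0.5", "10.0.0.23", 8080, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport in find_rdp_on_nonstandard_ports(SAMPLE_FLOWS):
        print(f"ALERT: RDP connection request from {src} to {dst}:{dport}")
```

In production this check belongs on the first client payload of each TCP flow; it will not see RDP that is wrapped in a TLS tunnel before the X.224 exchange, which is why the firewall policy itself must still restrict which hosts may accept RDP.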

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html