Remote Desktop Listening Default Port - Detect

ID: remote-desktop-default-port

Severity: info

Author: asteria121

Tags: windows,rdp,audit

Description

The Remote Desktop Protocol (RDP) service listens on a default port (TCP 3389), which is commonly targeted by attackers.

YAML Source

id: remote-desktop-default-port

info:
  name: Remote Desktop Listening Default Port - Detect
  author: asteria121
  severity: info
  description: |
    The Remote Desktop Protocol (RDP) service listens on a default port (TCP 3389), which is commonly targeted by attackers.
  impact: |
    Exposure of the default RDP port (TCP 3389) increases the risk of brute-force attacks and unauthorized access. This can lead to system compromise, data breaches, and ransomware deployment.
  remediation: |
    Change the default RDP listening port to a non-standard port to reduce exposure.
  tags: windows,rdp,audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $rdpService = Get-Service -Name TermService;
      $rdpPort = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp").PortNumber;
      if ($rdpService.Status -eq 'Running' -and $rdpPort -eq 3389) { Write-Host "True" } else { Write-Host "False" }

    matchers:
      - type: word
        words:
          - "True"
# digest: 4a0a0047304502203cf68ab0745eccbb239d22000f87708c3173f59b0f02c50e27b64ae7a6652d0c02210092bd0786242b83434a3f954599cce2f64d78ba54eef35b9686232c67f712dc7f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "code/windows/audit/remote-desktop-default-port.yaml"

View on Github