RDP Connection Allowed Via Netsh.EXE (01aeb693-138d-49d2-9403-c4f52d7d3d62)

Detects usage of the netsh command to open and allow connections to port 3389 (RDP), as seen used by the Sarwent malware.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| RDP Connection Allowed Via Netsh.EXE (01aeb693-138d-49d2-9403-c4f52d7d3d62) | Sigma-Rules | Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) | Attack Pattern | 1 |
| Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) | Attack Pattern | Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) | Attack Pattern | 2 |