NF – POLICY – Remote Desktop connection request on non-standard port

This alert is triggered when a Remote Desktop Protocol (RDP) connection is attempted from an external network to the internal network on a non-standard port (any port other than 3389). This may indicate an attempt to bypass standard RDP monitoring or restrictions.

Categories:

ID Number

5024151

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"NF - POLICY - Remote Desktop connection request on non-standard port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; reference:url,networkforensic.dk; classtype:policy-violation; metadata:12112017; sid:5024151; rev:1;)

Severity

High

Recommendations/Investigative actions

Restrict RDP access to the standard port (3389) or, if possible, block external RDP connections altogether to reduce exposure. Check the internal device receiving the connection attempt for potential vulnerabilities or signs of unauthorized access.
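The byte checks the signature above performs, as an added example that is not part of the original rule page: a Python re-implementation of the three content matches, run against a constructed X.224 Connection Request. The rule's `$EXTERNAL_NET`/`$HOME_NET` and flow conditions are reduced to a destination-port argument, which is an assumption of this example.

```python
# Added example: re-implements the content matches of sid:5024151 so the
# layout of an RDP connection request can be checked offline.
# Assumption: `payload` is the first client-to-server TCP segment; network
# direction and flow state are not modelled beyond the dst_port argument.

STANDARD_RDP_PORT = 3389


def looks_like_rdp_connection_request(payload: bytes) -> bool:
    """Mirror the signature's three content matches:
    - TPKT header: version 3, reserved 0, length high byte 0 (03 00 00, depth 3)
    - X.224 Connection Request: CR|CDT 0xe0, DST-REF, SRC-REF, class option
      (e0 00 00 00 00 00 at offset 5, depth 6)
    - the routing cookie sent by the Microsoft client ("Cookie: mstshash=")
    """
    if len(payload) < 11:
        return False
    if payload[0:3] != b"\x03\x00\x00":
        return False
    if payload[5:11] != b"\xe0\x00\x00\x00\x00\x00":
        return False
    return b"Cookie: mstshash=" in payload


def matches_rule(dst_port: int, payload: bytes) -> bool:
    """Alert only for a matching request to a port other than 3389 (the !3389 in the rule header)."""
    return dst_port != STANDARD_RDP_PORT and looks_like_rdp_connection_request(payload)


def build_sample_request(username: str) -> bytes:
    """Construct (not captured) an X.224 Connection Request carrying the mstshash cookie."""
    cookie = b"Cookie: mstshash=" + username.encode("ascii") + b"\r\n"
    # CR|CDT, DST-REF (2), SRC-REF (2), class option (1), then the variable part
    x224_body = b"\xe0\x00\x00\x00\x00\x00" + cookie
    length_indicator = len(x224_body)          # X.224 LI: bytes following the LI byte
    tpkt_length = 4 + 1 + length_indicator     # TPKT header + LI byte + X.224 body
    return b"\x03\x00" + tpkt_length.to_bytes(2, "big") + bytes([length_indicator]) + x224_body


if __name__ == "__main__":
    sample = build_sample_request("analyst")
    for port in (STANDARD_RDP_PORT, 3390):
        print(f"dst port {port}: alert={matches_rule(port, sample)}")
```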