code/windows/audit/remote-desktop-default-port.yaml

id: remote-desktop-default-port

info:
  name: Remote Desktop Listening Default Port - Detect
  author: asteria121
  severity: info
  description: |
    The Remote Desktop Protocol (RDP) service listens on a default port (TCP 3389), which is commonly targeted by attackers.
  impact: |
    Exposure of the default RDP port (TCP 3389) increases the risk of brute-force attacks and unauthorized access. This can lead to system compromise, data breaches, and ransomware deployment.
  remediation: |
    Change the default RDP listening port to a non-standard port to reduce exposure.
  tags: windows,rdp,audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $rdpService = Get-Service -Name TermService;
      $rdpPort = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp").PortNumber;
      if ($rdpService.Status -eq 'Running' -and $rdpPort -eq 3389) { Write-Host "True" } else { Write-Host "False" }

    matchers:
      - type: word
        words:
          - "True"
# digest: 4a0a0047304502203cf68ab0745eccbb239d22000f87708c3173f59b0f02c50e27b64ae7a6652d0c02210092bd0786242b83434a3f954599cce2f64d78ba54eef35b9686232c67f712dc7f:922c64590222798bb761d5b6d8e72950
feat: add rdp default port check 2025-01-24 00:50:47 +09:00			`id: remote-desktop-default-port`

			`info:`
Update remote-desktop-default-port.yaml 2025-03-04 21:53:39 +05:30			`name: Remote Desktop Listening Default Port - Detect`
feat: add rdp default port check 2025-01-24 00:50:47 +09:00			`author: asteria121`
severity - changes 2025-02-26 18:02:04 +05:30			`severity: info`
Update remote-desktop-default-port.yaml 2025-03-04 21:53:39 +05:30			`description: \|`
			`The Remote Desktop Protocol (RDP) service listens on a default port (TCP 3389), which is commonly targeted by attackers.`
feat: add rdp default port check 2025-01-24 00:50:47 +09:00			`impact: \|`
Update remote-desktop-default-port.yaml 2025-03-04 21:53:39 +05:30			`Exposure of the default RDP port (TCP 3389) increases the risk of brute-force attacks and unauthorized access. This can lead to system compromise, data breaches, and ransomware deployment.`
feat: add rdp default port check 2025-01-24 00:50:47 +09:00			`remediation: \|`
Update remote-desktop-default-port.yaml 2025-03-04 21:53:39 +05:30			`Change the default RDP listening port to a non-standard port to reduce exposure.`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00			`tags: windows,rdp,audit`
feat: add rdp default port check 2025-01-24 00:50:47 +09:00
			`self-contained: true`

			`code:`
			`- pre-condition: \|`
			`IsWindows();`
			`engine:`
			`- powershell`
			`- powershell.exe`
			`args:`
			`- -ExecutionPolicy`
			`- Bypass`
			`pattern: "*.ps1"`
			`source: \|`
			`$rdpService = Get-Service -Name TermService;`
			`$rdpPort = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp").PortNumber;`
			`if ($rdpService.Status -eq 'Running' -and $rdpPort -eq 3389) { Write-Host "True" } else { Write-Host "False" }`

			`matchers:`
			`- type: word`
			`words:`
			`- "True"`
chore: sign templates 🤖 2025-03-06 09:24:38 +00:00			`# digest: 4a0a0047304502203cf68ab0745eccbb239d22000f87708c3173f59b0f02c50e27b64ae7a6652d0c02210092bd0786242b83434a3f954599cce2f64d78ba54eef35b9686232c67f712dc7f:922c64590222798bb761d5b6d8e72950`