Although it is recommended not to expose RDP to the internet, verify that (a) this exposure is allowed and (b) the server has not already been compromised via a brute-force attack or a remote exploit during the time it has been reachable from the internet. Work to secure the server if you are unable to remove it from the internet.

Techniques

Sample rules

Publicly Accessible RDP Service

Description

Detects connections from routable (non-private, non-loopback, non-link-local) source IPs to an RDP listener, which indicates a publicly accessible RDP service.

Detection logic

condition: not selection
selection:
  id.orig_h|cidr:
  - ::1/128
  - 10.0.0.0/8
  - 127.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - 2620:83:8000::/48
  - fc00::/7
  - fe80::/10
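The rule above is a pure exclusion list: `condition: not selection` fires on any RDP connection whose source address falls outside the listed CIDRs. The following Python script is an added example, not part of the original rule or its project, that applies the same logic to a handful of constructed Zeek conn.log lines and then performs the triage split the false-positive note asks for. Assumptions: the rule's log source (not shown on the page) restricts matching to RDP, modelled here as records to TCP/3389 or tagged with Zeek's `rdp` service; the `APPROVED_EXPOSED_RDP_HOSTS` allowlist is a hypothetical placeholder for "exposure is allowed"; and `2620:83:8000::/48`, a globally routable prefix, is treated as the rule author's own address space exactly as the rule does.

```python
import ipaddress
import json

# CIDR exclusions copied from the rule's `selection` block. Sources inside these
# ranges are skipped; everything else is treated as a routable internet client.
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "2620:83:8000::/48", "fc00::/7", "fe80::/10",
)]

# Assumption: the rule's log source limits matching to RDP traffic. Here that is
# modelled as Zeek conn records to TCP/3389 or records tagged service "rdp".
RDP_PORT = 3389


def is_non_routable(ip_text):
    """True if the address is inside any excluded range (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in NON_ROUTABLE)


def is_rdp(record):
    return record.get("id.resp_p") == RDP_PORT or record.get("service") == "rdp"


def publicly_accessible_rdp(records):
    """Apply 'condition: not selection' to RDP conn records.

    Returns (orig_h, resp_h) pairs whose source address is outside every
    excluded range, i.e. internet-routable clients reaching an RDP listener.
    """
    hits = []
    for rec in records:
        if not is_rdp(rec):
            continue
        if not is_non_routable(rec["id.orig_h"]):
            hits.append((rec["id.orig_h"], rec["id.resp_h"]))
    return hits


# Constructed sample Zeek conn.log lines in JSON format; not real traffic.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.20.30.40","id.orig_p":51001,"id.resp_h":"10.0.0.5","id.resp_p":3389,"proto":"tcp","service":"rdp"}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"203.0.113.7","id.orig_p":44123,"id.resp_h":"10.0.0.5","id.resp_p":3389,"proto":"tcp","service":"rdp"}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"203.0.113.9","id.orig_p":44124,"id.resp_h":"10.0.0.5","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"fe80::1","id.orig_p":50000,"id.resp_h":"fd00::5","id.resp_p":3389,"proto":"tcp","service":"rdp"}
{"ts":1700000004.5,"uid":"C5","id.orig_h":"2001:db8::1","id.orig_p":50001,"id.resp_h":"fd00::5","id.resp_p":3389,"proto":"tcp","service":"rdp"}
{"ts":1700000005.6,"uid":"C6","id.orig_h":"2620:83:8000::10","id.orig_p":50002,"id.resp_h":"10.0.0.5","id.resp_p":3389,"proto":"tcp","service":"rdp"}
"""


def parse_conn_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Triage from the false-positive note: separate hosts whose RDP exposure is
# approved from those that are not. Hypothetical allowlist for this example;
# in practice this would come from an asset inventory or firewall change record.
APPROVED_EXPOSED_RDP_HOSTS = {"10.0.0.5"}


def triage(hits, approved=APPROVED_EXPOSED_RDP_HOSTS):
    """Split alerts into approved exposure (still check for prior compromise)
    and unapproved exposure (remove from the internet or harden)."""
    return {
        "approved_exposure": [h for h in hits if h[1] in approved],
        "unapproved_exposure": [h for h in hits if h[1] not in approved],
    }


if __name__ == "__main__":
    found = publicly_accessible_rdp(parse_conn_log(SAMPLE_CONN_LOG))
    for orig, resp in found:
        print(f"routable RDP client {orig} -> {resp}")
    print(triage(found))
```

Of the six sample records, only C2 (a 203.0.113.0/24 client) and C5 (a 2001:db8::/32 client) survive the exclusion list and the RDP filter; C1, C4 and C6 are excluded by the CIDRs and C3 is not RDP. Note that both triage buckets still warrant the compromise check the note describes: an approved exposure is not evidence that the listener has not already been brute-forced.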