Versions (2)
Version DetailsCurrent
Rev: 1 • Dec 17, 2024, 12:00 PMET INFO Suspicious Batch Script - Allow Inbound RDP Rule Set in Windows Firewall
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Suspicious Batch Script - Allow Inbound RDP Rule Set in Windows Firewall"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|0a|netsh"; nocase; content:"advfirewall|20|firewall|20|add|20|rule"; nocase; content:"|20|dir=in"; nocase; content:"|20|action=allow"; nocase; content:"|20|protocol=TCP"; nocase; content:"|20|localport=3389"; nocase; fast_pattern; pcre:"/^netsh(?:.*?(?:dir|action|protocol)=.*?){3}.*?localport=3389/mi"; classtype:misc-activity; sid:2058342; rev:1; metadata:attack_target Client_and_Server, created_at 2024_12_17, deployment Perimeter, deployment Internal, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_12_17;)
Dec 17, 2024, 12:00 PM
Dec 17, 2024, 12:00 PM
Dec 17, 2024, 10:34 PM
Jul 7, 2025, 9:34 PM
rules/emerging-info.rules