The Suspicious Remote Desktop Protocol (RDP) detection identifies unusual or unauthorized attempts to establish remote desktop connections to internal systems. RDP is commonly used for remote administration, but it is also a frequent target for attackers seeking to gain unauthorized access to network resources. Detecting suspicious RDP activity is crucial to prevent potential security breaches and unauthorized access.
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.
Detection Profile
Triggers
A host connects to an internal RDP server with a keyboard layout or a product ID different than the one usually seen in conjunction with the specified RDP client token
A host connects to an internal RDP server with a keyboard layout that is unusual for that RDP server
A host connects to an internal RDP server with a keyboard layout that is different from those usually seen on the network
Possible Root Causes
An external foreign attacker who has taken over control of an internal host is using it with unusual keyboard layouts to connect to RDP servers to move laterally in the network
An external attacker who has taken over control of an internal host has brought along their own RDP stack and is using it to connect to internal RDP servers to move laterally in the network
An employee has switched to their native keyboard layout while accessing an RDP server
An employee has installed a new RDP client with a new product ID and is accessing an RDP server
Business Impact
Along with SSH, RDP is one of the most useful lateral movement protocols for attackers as it allows remote control of the target as well as the copying of files across the connection
This type of control and data acquisition may happen well in advance of actual exfiltration attempts and represents a great chance to head off attacks before any substantial damage occurs
Steps to Verify
For keyboard layout anomalies, inquire whether the user of the internal host is fluent in the language of the flagged keyboard layout
For an RDP product id anomaly, inquire whether IT has installed new RDP client software or ask the user of the host whether they have done so
Example of a Suspicious Remote Desktop Protocol Session
Vectra Recall tracks and parses all RDP sessions that are seen on the network. In Vectra Recall, open the saved search “RDP Table view”, you will see a list of recent RDP sessions with the most common fields of interest will be listed. You should look to exclude sessions which are expected for your organisation to find any suspicious instances, for example you might want to exclude jump servers or system admins who typically leverage RDP for their dayto-day operations.
A good place to start is to look at the keyboard_layout in use in RDP connections. Commonly, this information is encrypted. If you search by:
NOT keyboard_layout: “encrypted RDP keyboard”
You will see all unencrypted keyboard layouts, look through these, and see if any keyboard layouts don’t align with where your normal users are based. If you are an American organisation, and spot a French keyboard layout, that could be suspicious.
You could also look for abnormal desktop screen sizes, which can be symptomatic of malicious actors masquerading as normal users. But first you need to remove encrypted communications, where the screen size will be shown as 0 with this search:
NOT desktop_height: 0 AND NOT desktop_width: 0
You will see the request dimensions for any remaining values. Values which do not represent standard screen sizes (1280 x 720 etc.) are suspicious and may warrant further investigation.
Finally, you could look to see if any RDP requests were made from external locations. External sources should not be able to make requests against internal instances. To find these requests, search for:
NOT local_orig: “true”
For each item listed here, check and see if the IP is from a known, safe, subnet, check what machine is being RDP’d to, and check the cookie that was used to log in, these will indicate if a connection warrants further investigation.
In a recent investigation RDP data came to be a very handy source of evidence, RDP sessions inherited whatever the source systems details are (hostname, keyboard layout, screensize etc). Leveraging this we can look for unusual hostnames leveraging RDP on our network, would you expect a guest device to RDP? If your organisation uses clear precise naming convention for hosts we can filter out the expected hosts and look for unusual hosts.
For example leveraging the following query we’ll find any clients with default hostnames initiating RDP sessions, can you account for these clients?
client_name:DESKTOP-* OR client_name:WIN-*
We’ve found this to be a very good indicator in several customer environments while hunting for suspicious sessions.
Suspicious Remote Desktop Protocol
Possible root causes
Malicious Detection
An attacker attempting to gain unauthorized access to internal systems using brute-force attacks or stolen credentials.
Malware on an external host attempting to establish RDP connections for command and control purposes.
Exploitation of known vulnerabilities in the RDP service to gain unauthorized entry.
Benign Detection
IT administrators accessing internal systems remotely for legitimate maintenance or support activities.
Remote workers using RDP to connect to the corporate network.
Authorized third-party vendors performing remote support or system updates.
Suspicious Remote Desktop Protocol
Example scenarios
Scenario 1: An internal server receives multiple RDP login attempts from an external IP address during non-business hours. Investigation reveals that an attacker used brute-force attacks to gain unauthorized access.
Scenario 2: A sudden increase in RDP connection attempts from an unfamiliar geographic location is detected. Further analysis indicates that a legitimate third-party vendor was performing scheduled maintenance, causing the detection to trigger.
Suspicious Remote Desktop Protocol
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Unauthorized Access
Successful unauthorized RDP connections can lead to unauthorized access to sensitive data and critical systems.
Data Breach
Attackers can exfiltrate data, leading to potential financial and reputational damage.
Network Compromise
Unauthorized RDP access can be used as a foothold to launch further attacks, including lateral movement, privilege escalation, and deployment of malware.
Suspicious Remote Desktop Protocol
Steps to investigate
Review RDP Logs
Examine logs for RDP login attempts, focusing on the frequency, source IP addresses, and times of the attempts.
Identify the Source
Determine if the source of the RDP attempts is known and authorized. Check if the IP address belongs to a trusted entity.
Check for Associated Activity
Look for other signs of compromise or related suspicious behavior, such as failed login attempts, unusual network traffic, or malware alerts.
Consult with IT and Security Teams
Confirm if any authorized remote access activities were scheduled or performed by IT administrators, remote workers, or third-party vendors.
Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.
Don't just read about the possibilities – experience them.
What is Suspicious Remote Desktop Protocol (RDP) activity?
Suspicious RDP activity involves unusual or unauthorized attempts to establish remote desktop connections to internal systems, often indicative of potential security breaches or unauthorized access attempts.
What are the common signs of Suspicious RDP activity?
Common signs include multiple RDP login attempts from unknown external IP addresses, high frequency of failed login attempts, connections from unusual geographic locations, and use of default or weak credentials.
Can legitimate activities trigger this detection?
Yes, legitimate IT maintenance, remote work, and third-party support activities can generate RDP traffic that may trigger this detection.
How does Vectra AI identify Suspicious RDP activity?
Vectra AI uses advanced AI algorithms and machine learning to analyze RDP patterns and identify anomalies indicative of suspicious remote desktop activity.
What is the business impact of Suspicious RDP activity?
It can lead to unauthorized access, data breaches, and network compromise, resulting in financial and reputational damage.
How can I detect Suspicious RDP activity in my network?
Detect Suspicious RDP activity by monitoring for multiple login attempts, especially from external IP addresses, high frequency of failed attempts, connections during non-business hours, and the use of uncommon ports or weak credentials.
Why is Suspicious RDP activity a significant threat?
It can lead to unauthorized access, data breaches, and network compromise, as attackers use RDP to gain a foothold in the network and launch further attacks.
What steps should I take if I detect Suspicious RDP activity?
Investigate the source and scope of the RDP attempts, check for signs of compromise, review RDP logs, and consult with IT and security teams to verify if the activity is legitimate.
What tools can help verify the presence of Suspicious RDP activity?
Tools such as RDP logs, network traffic analysis, firewall logs, and endpoint detection and response (EDR) systems can help verify and investigate suspicious RDP activities.
How can I prevent Suspicious RDP activity?
Implement robust RDP monitoring and alerting, enforce strict access controls, regularly update and patch RDP services, and use multi-factor authentication (MFA) to minimize vulnerabilities.