Attack Technique

Remote desktop protocol (RDP) attacks

The remote desktop protocol (RDP) is a powerful tool, but it poses significant security risks if not properly managed. Here’s what you need to know about the latest attacker methods and best practices for improving security.

Definition

What is the remote desktop protocol?

The remote desktop protocol is included with most Windows operating systems and is an important part of modern work. It lets IT administrators reach internal systems for maintenance and support, and it enables remote work by allowing employees to connect to the corporate network from home.

However, RDP poses significant risks. Because it is so widespread and grants such a high level of access, it has become a major target for cybercriminals.

How it works

How RDP attacks work

RDP listens on TCP port 3389 by default, the port through which users remotely connect to a corporate device or system. Because that default is so widely used, attackers know to scan for it.

Remote desktop logins also give attackers an opportunity to exploit weak credentials. Employees notoriously reuse the same password across multiple devices and accounts — including logins for remote desktop access — making those accounts highly susceptible to credential stuffing attacks.

[Figure: Remote Desktop Protocol attack process]

Why attackers use it

Why attackers use RDP

Attackers frequently use RDP to gain unauthorized access to network resources. Successful RDP connections not only open the door to sensitive data and critical systems, but can be used as a foothold to launch further attacks. Despite its utility, RDP has several security weaknesses that have been exploited in numerous ways:

  • Brute force attacks: Hackers often use automated scripts to brute-force RDP login credentials. Once access is gained, attackers can move laterally within a network, deploy ransomware, and exfiltrate sensitive data.
  • Exposed RDP servers: Misconfigured RDP instances exposed to the internet are easy targets for attackers. Many organizations leave RDP open without VPNs or firewall restrictions, making them highly vulnerable to attacks.
  • Ransomware delivery: RDP servers with weak passwords or inadequate access controls are often the first point of entry in ransomware attacks.
  • Credential harvesting: Attackers may exploit vulnerabilities in RDP to steal credentials, either through man-in-the-middle attacks or by accessing poorly configured authentication protocols.

Platform Detections

How to prevent and detect suspicious RDP activity

Secure remote desktops are crucial for preventing security breaches and unauthorized access.

To help reduce the risk of RDP-related breaches, organizations can:

  • Limit RDP exposure: Use VPNs or zero trust network access (ZTNA) to shield RDP services from the internet. Exposing RDP directly is a major risk, especially in environments where attackers can scan for open RDP ports.
  • Restrict source IP addresses: Geo-block IP addresses, or use firewall rules to restrict which IPs are allowed to initiate RDP sessions.
  • Enforce multi-factor authentication (MFA): Require MFA for RDP logins to add an additional layer of protection against credential theft and brute-force attacks. MFA ensures that even if a password is compromised, attackers still need a second authentication factor.
  • Enable network-level authentication (NLA): NLA forces users to authenticate before an RDP session is established. It’s an important step in mitigating unauthorized access since it ensures that only legitimate users can connect.
  • Use password lockout policies: Configure account lockout mechanisms that temporarily block login attempts after several failed tries.

However, improving security requires more than prevention — password enforcement and patches won’t keep every attack attempt at bay. For this reason, additional security measures are critical. Most importantly, all organizations need a reliable way to quickly identify unusual attempts to establish RDP connections.

Vectra AI’s Suspicious Remote Desktop Protocol detection identifies deviations from normal RDP usage patterns. For example, when an internal server receives multiple RDP login attempts from an external IP address during non-business hours, or there is a sudden spike in connection requests from an unfamiliar location, these activities automatically raise alarm bells. The detections are automatically triaged, correlated, and analyzed using AI and machine learning, allowing security analysts to quickly determine when further investigation is needed.
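The two patterns described on this page, a brute-force or credential-stuffing burst against port 3389 from an external source and a logon that deviates from the usual sources and hours, can both be expressed as simple rules over Windows Security log events. The script below is an added example written for this page; it is not Vectra's detection logic or code. It runs over a handful of constructed 4624 (logon) and 4625 (failed logon) records standing in for a SIEM query result, and the thresholds, business-hours policy, internal ranges and baseline of known source IPs are assumptions chosen for the illustration.

```python
"""Flag RDP logon activity that deviates from an expected baseline.

Added example for this page, not Vectra's detection logic or code. It
runs over a few constructed Windows Security log records standing in for
the result of a SIEM query on event IDs 4624 (logon) and 4625 (failed
logon); thresholds, business hours and the baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Logon type 10 (RemoteInteractive) is an RDP session. With NLA enabled a
# failed pre-authentication is logged as a type 3 (Network) 4625, so a
# filter on type 10 alone misses brute-force attempts.
RDP_LOGON_TYPES = {3, 10}

# Policy values assumed for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local time, Mon-Fri
FAILURE_THRESHOLD = 5                   # failed logons from one source ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this window = brute force

# Constructed baseline: sources that have completed RDP logons before.
KNOWN_SOURCES = {"10.20.30.40", "10.20.30.41"}

# Constructed sample: (local time, event id, logon type, source IP, account).
SAMPLE_EVENTS = [
    ("2024-05-06 02:14:03", 4625, 3, "203.0.113.45", "administrator"),
    ("2024-05-06 02:14:09", 4625, 3, "203.0.113.45", "admin"),
    ("2024-05-06 02:14:15", 4625, 3, "203.0.113.45", "backup"),
    ("2024-05-06 02:14:22", 4625, 3, "203.0.113.45", "svc_sql"),
    ("2024-05-06 02:14:30", 4625, 3, "203.0.113.45", "jsmith"),
    ("2024-05-06 02:14:37", 4625, 3, "203.0.113.45", "jsmith"),
    ("2024-05-06 09:03:11", 4624, 10, "10.20.30.40", "jsmith"),      # normal
    ("2024-05-06 09:41:52", 4625, 10, "10.20.30.41", "mlee"),        # one typo
    ("2024-05-06 22:17:40", 4624, 10, "198.51.100.7", "svc_backup"), # new source
]


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of the organisation's own ranges.

    ipaddress's is_private also covers IANA special-purpose blocks such as
    203.0.113.0/24 (used here as an 'external' sample), so the ranges are
    listed explicitly rather than relying on that flag.
    """
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def context(ip: str, ts: datetime, known_sources) -> list:
    """Labels that make an event more suspicious, in a fixed order."""
    labels = []
    if ip not in known_sources:
        labels.append("new_source")
    if not is_internal(ip):
        labels.append("external")
    if is_off_hours(ts):
        labels.append("off_hours")
    return labels


def detect(raw_events, known_sources=KNOWN_SOURCES) -> list:
    """Return alerts for brute-force bursts and anomalous successful logons."""
    events = [
        {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "event_id": eid,
         "source_ip": ip, "account": acct}
        for t, eid, ltype, ip, acct in raw_events if ltype in RDP_LOGON_TYPES
    ]
    alerts = []
    recent_failures = defaultdict(list)   # source IP -> failures in window
    for ev in sorted(events, key=lambda e: e["time"]):
        ip, ts = ev["source_ip"], ev["time"]
        if ev["event_id"] == 4625:
            window = recent_failures[ip]
            window.append(ev)
            while ts - window[0]["time"] > FAILURE_WINDOW:   # slide window
                window.pop(0)
            if len(window) == FAILURE_THRESHOLD:  # fire once per burst
                alerts.append({
                    "kind": "brute_force", "source_ip": ip, "time": ts,
                    "failures": len(window),
                    "accounts": sorted({e["account"] for e in window}),
                    "context": context(ip, ts, known_sources),
                })
        elif ev["event_id"] == 4624:
            labels = context(ip, ts, known_sources)
            if labels:   # a routine logon from a known internal source is silent
                alerts.append({"kind": "anomalous_logon", "source_ip": ip,
                               "time": ts, "account": ev["account"],
                               "context": labels})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the six off-hours failures from 203.0.113.45 produce one brute-force alert (fired at the fifth failure, listing the five distinct accounts tried, which is the signature of credential stuffing rather than a single mistyped password), the daytime logon from a known internal workstation stays silent, and the late-evening success from 198.51.100.7 is flagged as a new, external, off-hours source. The single failure from 10.20.30.41 never reaches the threshold. In a real deployment the baseline of known sources would be learned from history rather than hard-coded, and the window state would live in the SIEM rather than in memory.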

FAQs