Detection overview

Triggers

  • A host is making multiple RDP connection attempts, most of which fail to complete
  • The connection attempts can target one or more RDP servers
  • Even when a single RDP server is targeted, multiple accounts may still be tried during the encrypted part of the RDP connection setup
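The trigger described above, as an added example (not part of the original page or of the vendor's detection logic): a small Python rule that groups RDP connection records by source host and flags any host whose attempts mostly fail to complete. The log format, the sample records and the thresholds are all assumed for illustration.

```python
from collections import defaultdict

# Constructed sample of RDP (TCP/3389) connection records, not real data.
# Fields: timestamp, source host, destination host, outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.5.20 10.0.8.10 failed
2024-05-01T09:00:02 10.0.5.20 10.0.8.11 failed
2024-05-01T09:00:03 10.0.5.20 10.0.8.12 failed
2024-05-01T09:00:04 10.0.5.20 10.0.8.13 failed
2024-05-01T09:00:05 10.0.5.20 10.0.8.14 failed
2024-05-01T09:00:06 10.0.5.20 10.0.8.15 completed
2024-05-01T09:01:00 10.0.5.21 10.0.8.10 completed
2024-05-01T09:02:00 10.0.5.21 10.0.8.10 completed
2024-05-01T09:03:00 10.0.5.22 10.0.8.30 failed
2024-05-01T09:04:00 10.0.5.22 10.0.8.30 completed
"""

def parse_records(text):
    """Parse whitespace-separated records into (ts, src, dst, outcome) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, outcome = line.split()
        records.append((ts, src, dst, outcome))
    return records

def find_rdp_recon(records, min_attempts=5, min_failure_ratio=0.8):
    """Return {source: summary} for hosts whose RDP attempts look like recon.

    A host trips the rule when it made at least `min_attempts` RDP connection
    attempts and at least `min_failure_ratio` of them failed to complete.
    Both thresholds are assumed values, not taken from the page.
    """
    attempts = defaultdict(list)
    for _, src, dst, outcome in records:
        attempts[src].append((dst, outcome))
    hits = {}
    for src, conns in attempts.items():
        total = len(conns)
        failed = sum(1 for _, o in conns if o == "failed")
        if total >= min_attempts and failed / total >= min_failure_ratio:
            hits[src] = {
                "attempts": total,
                "failed": failed,
                # distinct targets: one or many, matching the second trigger bullet
                "targets": sorted({d for d, _ in conns}),
            }
    return hits

if __name__ == "__main__":
    for src, info in find_rdp_recon(parse_records(SAMPLE_LOG)).items():
        print(f"{src}: {info['failed']}/{info['attempts']} failed, targets={info['targets']}")
```

Because the account names travel inside the encrypted part of the connection setup, a network-level rule like this one can count attempts and targets but not accounts; tuning the two thresholds is what keeps an ordinary jump server below the line.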

Possible Root Causes

  • An attacker is trying to determine the existence of accounts in order to progress to the next step in the attack
  • The attacker is working through a list of accounts with well-known default passwords in an attempt to find a working account/password combination
  • This host is a jump server and several users are unsuccessfully attempting to RDP to other servers from it

Business Impact

  • A scan via RDP is an effective way for an attacker to determine which accounts exist inside an organization’s network and which RDP servers accept logins from those accounts
  • If one of the targets is not normally accessed via RDP, the nature of that target server gives additional guidance on the potential business impact
  • Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often far less noticeable than a port sweep or port scan, so attackers can use it with relatively little risk of detection

Steps to Verify

  • Inquire whether the targets of the RDP connection attempts should even be set up to accept RDP connections
  • Inquire whether this host should be initiating this number of RDP connections to the targets listed in the detection
  • If this host is a jump server, retrieve the jump server's logs to identify which upstream connections originated the large number of failed RDP connections