Detection overview

Remote Desktop Protocol (RDP) is a common method for remote access, allowing users to interact with a system as if they were physically present. However, attackers often use RDP reconnaissance (RDP Recon) to identify available remote desktop services within a network, evaluate potential targets, and determine authentication methods. This detection identifies suspicious behavior related to RDP enumeration, which can indicate an attacker preparing for lateral movement or unauthorized access.

Triggers

  • A host is making many RDP connection attempts, and most of them fail to complete the session setup
  • The attempts can target a single RDP server or many
  • Even when only a single RDP server is targeted, the connection setups may still involve several different accounts (the account is exchanged in the encrypted part of the RDP connection setup)
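
The trigger conditions above, as an added example that is not the vendor's detection code: a toy detector over per-connection records that flags a source host once it has made enough RDP attempts with a high enough failure share, and reports whether the pattern is many targets or one target with many accounts. The record fields, the thresholds, the `known_scanners` suppression list and the sample hosts are all assumptions; the traffic is constructed, not captured.

```python
"""Toy version of the trigger logic: flag a source host that makes many RDP
connection attempts of which most fail, across one or many targets and
possibly many accounts.

Added example, not the vendor's detection code. Record fields, thresholds
and sample hosts are assumptions chosen to mirror the trigger conditions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

RDP_PORT = 3389


def _conn(src, dst, account, completed, dst_port=RDP_PORT):
    # One observed connection attempt. "completed" means the RDP session
    # setup finished; "account" is the account name seen during setup, or
    # None if none could be recovered.
    return {"src": src, "dst": dst, "dst_port": dst_port,
            "account": account, "completed": completed}


# Constructed sample traffic, not real captures.
SAMPLE_CONNECTIONS = (
    # Triggers 1+2: one host sweeps many targets, almost every attempt fails.
    [_conn("10.0.0.5", f"10.0.1.{i}", "svc_backup", False) for i in range(1, 12)]
    + [_conn("10.0.0.5", "10.0.1.12", "svc_backup", True)]
    # Trigger 3: one target, many accounts offered, almost all fail.
    + [_conn("10.0.0.9", "10.0.2.50", f"user{i}", False) for i in range(1, 10)]
    + [_conn("10.0.0.9", "10.0.2.50", "administrator", True)]
    # Approved vulnerability scanner: many failures, but an expected source.
    + [_conn("10.0.0.20", f"10.0.3.{i}", None, False) for i in range(1, 11)]
    # Normal helpdesk use: few attempts, all complete.
    + [_conn("10.0.0.7", "10.0.2.50", "helpdesk", True) for _ in range(3)]
    # Non-RDP traffic from the sweeping host is ignored by the detector.
    + [_conn("10.0.0.5", "10.0.1.1", None, True, dst_port=445)]
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    targets: set = field(default_factory=set)
    accounts: set = field(default_factory=set)


def summarize_by_source(connections):
    """Aggregate RDP attempts per source host (non-RDP ports are skipped)."""
    stats = defaultdict(SourceStats)
    for c in connections:
        if c["dst_port"] != RDP_PORT:
            continue
        s = stats[c["src"]]
        s.attempts += 1
        if not c["completed"]:
            s.failures += 1
        s.targets.add(c["dst"])
        if c["account"]:
            s.accounts.add(c["account"])
    return stats


def rdp_recon_alerts(connections, min_attempts=10, min_failure_ratio=0.7,
                     known_scanners=frozenset()):
    """Return one alert per source host meeting the trigger conditions.

    known_scanners: addresses of approved scanners to suppress (the benign
    case from the text); a tuning assumption, not a vendor setting.
    """
    alerts = []
    for src, s in sorted(summarize_by_source(connections).items()):
        if src in known_scanners or s.attempts < min_attempts:
            continue
        ratio = s.failures / s.attempts
        if ratio < min_failure_ratio:
            continue
        if len(s.targets) > 1:
            pattern = "multiple targets"
        elif len(s.accounts) > 1:
            pattern = "single target, multiple accounts"
        else:
            pattern = "single target, repeated failures"
        alerts.append({"src": src, "attempts": s.attempts, "failure_ratio": ratio,
                       "targets": sorted(s.targets), "accounts": sorted(s.accounts),
                       "pattern": pattern})
    return alerts


if __name__ == "__main__":
    for a in rdp_recon_alerts(SAMPLE_CONNECTIONS, known_scanners={"10.0.0.20"}):
        print(f"{a['src']}: {a['attempts']} attempts, {a['failure_ratio']:.0%} failed, "
              f"{len(a['targets'])} target(s), {len(a['accounts'])} account(s) "
              f"-> {a['pattern']}")
```

Note that the helpdesk host never fires however low the failure threshold is set, because its attempts complete; the scanner host fires unless it is listed in `known_scanners`, which is the tuning decision the benign case calls for.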

Possible Root Causes

  • An attacker is trying to determine the existence of accounts in order to progress to the next step in the attack
  • The attacker is working through a list of accounts and well-known default passwords (password spraying) in an attempt to find a working account/password combination
  • This host is a jump server and several users are unsuccessfully attempting to RDP to other servers from it

Business Impact

  • A scan via RDP is an effective way for an attacker to determine which accounts exist inside an organization’s network and which RDP servers accept logins from those accounts
  • If one of the targets is not normally accessed via RDP, the nature of that target server gives additional guidance on the potential business impact
  • Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often much less noticeable than a port sweep or a port scan, so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  • Inquire whether the target of the RDP connection attempts should even be set up to accept RDP connections
  • Inquire whether this host should be initiating the number of RDP connections to the targets listed in the detection
  • If this host is a jump server, retrieve the logs of the jump server to see what upstream connections are the originators of the large number of failed RDP connections
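
The jump-server step above, as an added example that is not part of this page or of any vendor tooling: given the target list from the detection, it groups the jump server's outbound RDP connections by the user who made them and the upstream client that user was logged in from at the time. It assumes two log sources a Windows jump server commonly has and that would normally be exported with Get-WinEvent: Sysmon Event ID 3 (network connection, carrying the initiating `User` and `Image`) and Security Event ID 4624 with LogonType 10 (RemoteInteractive, i.e. an inbound RDP logon, carrying the client `IpAddress`). Field names follow those events; every value, host and timestamp below is constructed, and timestamps are assumed to have been normalized to UTC on export.

```python
"""Jump-server triage: attribute outbound RDP attempts to the upstream client
that was logged into the jump server at the time.

Added example, not page or vendor code. Input shapes follow Sysmon Event 3
and Security Event 4624 (LogonType 10); all values are constructed.
"""
from collections import defaultdict
from datetime import datetime

RDP_PORT = 3389
LOGON_REMOTE_INTERACTIVE = 10  # 4624 LogonType for an inbound RDP session
MSTSC = "C:\\Windows\\System32\\mstsc.exe"

# Constructed Security 4624 events on the jump server (assumed exported as UTC).
INBOUND_LOGONS = [
    {"TimeCreated": "2024-05-01T08:00:00", "TargetUserName": "alice",
     "LogonType": 10, "IpAddress": "192.0.2.10"},
    {"TimeCreated": "2024-05-01T08:05:00", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "198.51.100.7"},
    # alice reconnects later from a different client.
    {"TimeCreated": "2024-05-01T09:30:00", "TargetUserName": "alice",
     "LogonType": 10, "IpAddress": "192.0.2.44"},
    # Network logon (LogonType 3), not an RDP session: ignored.
    {"TimeCreated": "2024-05-01T08:20:00", "TargetUserName": "bob",
     "LogonType": 3, "IpAddress": "192.0.2.99"},
]

# Constructed Sysmon Event 3 records (outbound connections from the jump server).
OUTBOUND_CONNECTIONS = [
    {"UtcTime": f"2024-05-01 08:1{i}:00.000", "User": "CORP\\svc_backup",
     "Image": MSTSC, "DestinationIp": f"10.0.1.{i + 1}", "DestinationPort": 3389}
    for i in range(4)
] + [
    {"UtcTime": "2024-05-01 08:20:00.000", "User": "CORP\\alice",
     "Image": MSTSC, "DestinationIp": "10.0.1.1", "DestinationPort": 3389},
    {"UtcTime": "2024-05-01 09:40:00.000", "User": "CORP\\alice",
     "Image": MSTSC, "DestinationIp": "10.0.1.2", "DestinationPort": 3389},
    # bob had no RDP logon, so his activity cannot be tied to an upstream client.
    {"UtcTime": "2024-05-01 08:30:00.000", "User": "CORP\\bob",
     "Image": MSTSC, "DestinationIp": "10.0.1.3", "DestinationPort": 3389},
    # Not in the detection's target list, and not RDP at all: both ignored.
    {"UtcTime": "2024-05-01 08:25:00.000", "User": "CORP\\alice",
     "Image": MSTSC, "DestinationIp": "10.0.5.5", "DestinationPort": 3389},
    {"UtcTime": "2024-05-01 08:14:00.000", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "10.0.1.1", "DestinationPort": 445},
]

# Targets named in the detection; assumed to be copied from the alert.
DETECTED_TARGETS = {"10.0.1.1", "10.0.1.2", "10.0.1.3", "10.0.1.4"}


def upstream_client(user, at, logons):
    """Client IP of the latest inbound RDP logon for `user` at or before `at`."""
    best = None
    for ev in logons:
        if ev["LogonType"] != LOGON_REMOTE_INTERACTIVE:
            continue
        if ev["TargetUserName"].lower() != user.lower():
            continue
        t = datetime.fromisoformat(ev["TimeCreated"])
        if t <= at and (best is None or t > best[0]):
            best = (t, ev["IpAddress"])
    return best[1] if best else None


def attribute_outbound_rdp(targets, outbound, logons):
    """Group outbound RDP attempts to `targets` by (jump-server user, upstream client)."""
    grouped = defaultdict(lambda: {"attempts": 0, "targets": set(), "images": set()})
    for c in outbound:
        if c["DestinationPort"] != RDP_PORT or c["DestinationIp"] not in targets:
            continue
        user = c["User"].split("\\")[-1]            # strip the DOMAIN\ prefix
        at = datetime.fromisoformat(c["UtcTime"])   # Sysmon "YYYY-MM-DD HH:MM:SS.fff"
        origin = upstream_client(user, at, logons) or "unknown"
        g = grouped[(user, origin)]
        g["attempts"] += 1
        g["targets"].add(c["DestinationIp"])
        g["images"].add(c["Image"])
    return {k: {"attempts": v["attempts"], "targets": sorted(v["targets"]),
                "images": sorted(v["images"])} for k, v in grouped.items()}


if __name__ == "__main__":
    result = attribute_outbound_rdp(DETECTED_TARGETS, OUTBOUND_CONNECTIONS, INBOUND_LOGONS)
    for (user, origin), g in sorted(result.items()):
        print(f"{user} from {origin}: {g['attempts']} attempt(s) to {g['targets']}")
```

Two caveats worth keeping in mind when running this against real exports: the join is by user name and time, so a user with two overlapping RDP sessions from different clients is ambiguous and needs manual review; and these jump-server logs show who initiated the connections, not whether the RDP logons succeeded. The failure outcome comes from the detection itself, or from 4625 events on the target servers.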

Possible root causes

Malicious Detection

Attackers use RDP reconnaissance to identify accessible remote desktop services within a network. Once they locate an RDP-enabled system, they may attempt brute-force authentication, exploit vulnerabilities, or use stolen credentials to gain unauthorized access. Successful exploitation of RDP can provide direct control over a compromised system, allowing an attacker to move laterally, exfiltrate data, or deploy ransomware. This behavior is commonly associated with advanced persistent threats (APTs) and ransomware operators.

Benign Detection

Legitimate administrators may also perform RDP reconnaissance when troubleshooting connectivity issues, verifying system availability, or auditing remote access configurations. Security teams might scan for exposed RDP services to identify misconfigurations or security risks. However, these activities typically originate from known administrative tools and follow expected usage patterns, which differentiates them from malicious reconnaissance.

Example scenarios

  1. Attacker preparing for lateral movement
    An attacker who has gained initial access to a corporate network scans internal systems to identify which hosts have RDP enabled. They later attempt to use stolen credentials to move laterally.
  2. Administrator performing security assessments
    A security team runs an internal scan to detect exposed RDP services and ensure that only authorized systems have remote access enabled. This legitimate activity is flagged, but investigation confirms it is an approved security task.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Unauthorized access risk

Attackers identifying RDP services may gain unauthorized access, leading to potential data theft or system compromise.

Increased risk of ransomware attacks

RDP exploitation is a common entry point for ransomware, enabling attackers to deploy malware and encrypt critical business data.

Compliance and regulatory concerns

Exposed RDP services may violate compliance standards (e.g., PCI DSS, GDPR) if they lack proper access controls and security measures.
