Remote Desktop service publicly accessible

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1133-external-remote-services

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when multiple external connections are made to the port for RDP (3389).

Strategy

Attackers commonly scan the internet for Remote Desktop Protocol (RDP) servers and attempt to brute force accounts. Incoming connections from multiple public IP addresses indicate an exposed instance.

Triage and response

  1. Determine if the affected system is a Windows host. Determine if the service running on the port is a RDP server.
  2. Review all events for connections from unexpected IP addresses.
  3. Review audit logs and related signals for malicious activity. Successful account brute forcing can be identified by many failed login attempts followed by a successful login.
  4. Move RDP to a private network. If you must expose the host through RDP, restrict access with a security group.

This detection is based on data from Network Performance Monitoring.