• A host is making multiple RDP connection attempts with most of the connections failing to complete
  • The connection attempts can target one or more RDP servers
  • Even when a single RDP server is targeted, multiple accounts may still be involved in the encrypted part of the RDP connection setup

Possible Root Causes

  • An attacker is trying to determine the existence of accounts in order to progress to the next step in the attack
  • The attacker is working through a list of accounts with well-known default passwords in an attempt to find a working account/password combination
  • This host is a jump server and several users are unsuccessfully attempting to RDP to other servers from it

Business Impact

  • A scan via RDP is an effective way for an attacker to determine what accounts are available inside an organization’s network and which RDP servers accept logins via the accounts
  • If one of the targets has not been normally accessed via RDP, the nature of the target server will provide additional guidance regarding the potential business impact
  • Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  • Inquire whether the target of the RDP connection attempts should even be setup to accept RDP connections
  • Inquire whether this host should be initiating the number of RDP connections to the targets listed in the detection
  • If this host is a jump server, retrieve the logs of the jump server to see what upstream connections are the originators of the large number of failed RDP connections