Suspicious Remote Desktop

What is RDP?

RDP stands for Remote Desktop Protocol, a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. It is widely used for managing servers and computers remotely, allowing for full control of the remote device including access to its applications and files.

Why Do Attackers Use RDP?

Attackers use RDP for a range of malicious purposes because it gives them complete, interactive control over a remote system. Here are the key reasons attackers exploit RDP:

  1. Direct System Access: RDP provides full control of the remote system's desktop, making it an attractive target for attackers seeking to execute commands, install malware, or carry out other malicious activities as if they were the legitimate user.
  2. Privilege Escalation: If attackers gain access to an RDP session of a user with administrative privileges, they can exploit this to gain elevated access and control over the system or network.
  3. Data Exfiltration: Once an attacker has access to a system via RDP, they can easily transfer data from the compromised system to their own, leading to data breaches.
  4. Deploying Malware and Ransomware: Attackers often use RDP access to install malware, including ransomware, which can encrypt critical data and systems, leading to demands for ransom payments.
  5. Creating Backdoors: By accessing a system via RDP, attackers can create backdoors, making it easier for them to re-enter the system later, even if the original vulnerability is patched.
  6. Bypassing Network Security: RDP sessions can sometimes bypass certain types of network security measures, allowing attackers to operate undetected.
  7. Persistence: Maintaining access through RDP can provide attackers with persistent access to a compromised system, enabling long-term exploitation.
  8. Lateral Movement: Once inside a network via an RDP session, attackers can move laterally across the network, accessing other systems and escalating the scope of the breach.
  9. Resource Exploitation: Attackers might use the compromised systems accessed via RDP for other purposes, such as cryptocurrency mining or as part of a botnet for DDoS attacks.
  10. Surveillance and Espionage: Unauthorized RDP access can be used to monitor user activities, keystrokes, and other sensitive actions on the compromised system.

Due to these risks, securing RDP sessions is crucial. This includes implementing strong password policies, using multi-factor authentication, enabling Network Level Authentication (NLA), restricting access via firewalls, regularly updating and patching RDP clients and servers, and monitoring network traffic for unusual RDP activity.

Signs of Suspicious RDP Activity

Recognizing suspicious Remote Desktop Protocol activity is crucial for early detection of potential security breaches. Here are key signs that may indicate suspicious RDP activity:

  1. Unusual Login Times: RDP logins occurring at odd hours, especially outside of normal business hours, can be a sign of unauthorized access.
  2. Unexpected RDP Traffic: A sudden increase or unusual patterns in RDP traffic, particularly from external IP addresses, can indicate unauthorized attempts to connect.
  3. Multiple Failed Login Attempts: Repeated failed attempts to log in via RDP might suggest brute force attacks aiming to guess credentials.
  4. Unknown Remote Desktop Users: Unfamiliar user accounts engaging in RDP sessions can be a red flag, especially if they have not been authorized for remote access.
  5. High Frequency of Disconnections and Reconnections: Frequent disconnections and reconnections in RDP sessions may indicate an attacker trying to maintain access while avoiding detection.
  6. Changes in RDP Configuration: Unauthorized changes to RDP settings, such as disabling security features or adding user accounts with remote access privileges, are a warning sign.
  7. Unusual System Behavior During RDP Sessions: Suspicious activity during an RDP session, such as access to sensitive files or systems, installation of software, or modification of system settings, should be investigated.
  8. Geographical Irregularities: RDP connections originating from locations that are not typical for your users, or from high-risk geographical areas, warrant scrutiny.
  9. Alerts from Security Systems: Security solutions like Intrusion Detection Systems (IDS) or Security Information and Event Management (SIEM) systems flagging unusual RDP activities.
  10. Unexplained Administrative Actions: Activities that require administrative privileges happening without knowledge or consent of the system administrators.
  11. Anomalies in Log Files: Unusual entries in security logs, such as unexpected RDP logins or changes in login patterns.
  12. Use of Default or Weak Credentials: Access attempts or successful connections using default, weak, or commonly used credentials.

Detecting and responding to these signs requires a combination of technical security controls and vigilant monitoring. Implementing measures such as account lockouts after multiple failed login attempts, using complex passwords, enabling multi-factor authentication, and regularly reviewing logs can significantly enhance an organization's defense against illicit RDP activities.
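The following is an added example, not Vectra code, showing how three of the signs listed above (off-hours logins, brute-force attempts, and unknown remote desktop users) can be checked against exported Windows Security events. It assumes events 4624 (successful logon) and 4625 (failed logon) with LogonType 10 marking RDP sessions; the thresholds, business hours, approved-user list and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables and the allow-list are assumptions for illustration, not Vectra settings.
BUSINESS_HOURS = range(8, 19)                # 08:00-18:59 counts as normal
BRUTE_FORCE_THRESHOLD = 5                    # failed RDP logons from one source...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ...inside this window
AUTHORIZED_RDP_USERS = {"alice", "svc-backup"}
RDP_LOGON_TYPE = 10                          # RemoteInteractive in events 4624/4625

def ev(time, event_id, user, src, logon_type=RDP_LOGON_TYPE):
    """Minimal stand-in for a Security log record (4624 = logon, 4625 = failed logon)."""
    return {"time": datetime.fromisoformat(time), "id": event_id,
            "user": user, "src": src, "logon_type": logon_type}

# Constructed sample events; none of these are real log data.
EVENTS = [
    ev("2024-03-04T09:15:00", 4624, "alice", "10.0.0.5"),          # normal RDP logon
    ev("2024-03-04T02:40:00", 4624, "bob", "203.0.113.7"),         # off-hours, unapproved user
    ev("2024-03-04T23:05:00", 4624, "svc-backup", "10.0.0.9", 3),  # network logon, not RDP
    ev("2024-03-04T09:10:00", 4625, "alice", "10.0.0.5"),          # two typos, not an attack
    ev("2024-03-04T09:12:00", 4625, "alice", "10.0.0.5"),
] + [ev(f"2024-03-04T03:0{m}:00", 4625, "administrator", "198.51.100.9") for m in range(5)]

def rdp_events(events, event_id):
    """Keep only RDP (LogonType 10) records with the given event ID."""
    return [e for e in events if e["id"] == event_id and e["logon_type"] == RDP_LOGON_TYPE]

def off_hours_rdp_logons(events):
    """Sign 1: successful RDP logons outside business hours."""
    return [e for e in rdp_events(events, 4624) if e["time"].hour not in BUSINESS_HOURS]

def unknown_rdp_users(events):
    """Sign 4: RDP logons by accounts not approved for remote access."""
    return sorted({e["user"] for e in rdp_events(events, 4624)
                   if e["user"].lower() not in AUTHORIZED_RDP_USERS})

def brute_force_sources(events):
    """Sign 3: sources with THRESHOLD failed RDP logons inside one sliding window."""
    by_src = defaultdict(list)
    for e in rdp_events(events, 4625):
        by_src[e["src"]].append(e["time"])
    flagged = []
    for src, times in sorted(by_src.items()):
        times.sort()
        # Compare each failure with the (THRESHOLD-1)th failure after it.
        if any(times[i + BRUTE_FORCE_THRESHOLD - 1] - times[i] <= BRUTE_FORCE_WINDOW
               for i in range(len(times) - BRUTE_FORCE_THRESHOLD + 1)):
            flagged.append(src)
    return flagged
```

The LogonType filter matters: the 23:05 service-account logon is a network logon (type 3), so it is correctly left out of the off-hours RDP results, while the two isolated failures from 10.0.0.5 stay below the brute-force threshold.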

How to Investigate Suspicious RDP Activities with Vectra AI

  • When detecting unusual keyboard layout patterns, investigate whether the user of the internal host is proficient in the language associated with the flagged keyboard layout.
  • In the case of an anomaly related to the RDP product ID, check if the IT department has recently installed new RDP client software, or alternatively, ask the host's user if they have made such an installation.

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections