DETECTION OVERVIEW
Risk Factors
Remote Desktop Protocol (RDP) is a common target for attackers because it provides remote access to Windows devices. It is relatively easy to guess weak passwords and then attempt to connect to target devices over RDP. The impact on a business can be low if the RDP connection is never authenticated, or if the attacker connects to a device with limited privileges. However, these activities should be examined before they facilitate critical and costly attacks.
The system might change the risk score for this detection.
Kill Chain
Risk Score
60
RDP is a feature that enables remote management of a device through a graphical user interface. An attacker can establish an interactive command-and-control (C&C) RDP channel to remotely access a target device and transfer files. Before the attacker can successfully gain access to the target device over RDP, the attacker often needs to acquire the credentials of a user to establish the RDP connection. When the RDP connection is established, the attacker can maintain communication with the target device and take the next steps towards their ultimate attack objectives.
Disable RDP on devices that do not require remote access
Remove the default local Administrators group from the list of approved RDP groups and add specific users to the list
Enforce multi-factor authentication for remote logins
Only allow incoming external RDP connections from trusted devices
Limit the number of RDP login attempts, and then lock user accounts that exceed this number
Enforce security zones by implementing network segmentation and firewall policies to limit how devices can communicate
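The detection described above (password guessing over RDP, followed by an authenticated RDP session that can serve as a C&C channel) and the login-attempt limit recommended in the mitigation list can be illustrated with a small detection routine. The following is an added example, not the detection system's own logic: it runs over constructed Windows Security event records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), counts failures per source address inside a sliding window, raises a medium alert when the hypothetical threshold is crossed, and escalates to high when a successful RDP logon from the same source follows the failures. The threshold and window values are assumptions chosen for the example.

```python
"""Flag RDP password guessing and a subsequent successful RDP logon.

Added example; not the detection system's own code. Input records mimic
Windows Security events: 4625 (failed logon), 4624 (successful logon),
LogonType 10 (RemoteInteractive, used by RDP).
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical thresholds: five failures within five minutes.
FAIL_THRESHOLD = 5
WINDOW_SECONDS = 300
RDP_LOGON_TYPE = 10


@dataclass(frozen=True)
class LogonEvent:
    ts: int          # epoch seconds
    event_id: int    # 4625 = failure, 4624 = success
    logon_type: int  # 10 = RemoteInteractive (RDP)
    src_ip: str
    user: str


def detect_rdp_bruteforce(events, fail_threshold=FAIL_THRESHOLD,
                          window=WINDOW_SECONDS):
    """Return a list of alert dicts, in time order.

    medium: a source exceeded `fail_threshold` RDP failures within `window`.
    high:   a successful RDP logon arrived from a source that still has
            `fail_threshold` or more failures inside the window.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    already_alerted = set()        # sources with a medium alert already raised
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue  # only RDP logons are of interest here
        recent = failures[ev.src_ip]
        # Drop failures that fell out of the sliding window.
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if ev.event_id == 4625:
            recent.append(ev.ts)
            if len(recent) >= fail_threshold and ev.src_ip not in already_alerted:
                already_alerted.add(ev.src_ip)
                alerts.append({"severity": "medium",
                               "type": "rdp_password_guessing",
                               "src_ip": ev.src_ip,
                               "failures": len(recent)})
        elif ev.event_id == 4624 and len(recent) >= fail_threshold:
            alerts.append({"severity": "high",
                           "type": "rdp_success_after_failures",
                           "src_ip": ev.src_ip,
                           "user": ev.user,
                           "failures": len(recent)})
    return alerts


# Constructed sample events: 10.0.0.5 guesses against several accounts and
# then authenticates as jsmith; 10.0.0.9 is a user who mistyped once.
SAMPLE_EVENTS = [
    LogonEvent(0, 4625, 10, "10.0.0.5", "admin"),
    LogonEvent(10, 4625, 10, "10.0.0.5", "administrator"),
    LogonEvent(20, 4625, 10, "10.0.0.5", "jsmith"),
    LogonEvent(30, 4625, 10, "10.0.0.5", "jsmith"),
    LogonEvent(40, 4625, 10, "10.0.0.5", "jsmith"),
    LogonEvent(50, 4625, 10, "10.0.0.5", "jsmith"),
    LogonEvent(70, 4624, 10, "10.0.0.5", "jsmith"),
    LogonEvent(15, 4625, 10, "10.0.0.9", "alice"),
    LogonEvent(25, 4624, 10, "10.0.0.9", "alice"),
    LogonEvent(35, 4625, 3, "10.0.0.5", "jsmith"),  # network logon, ignored
]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The medium alert corresponds to the account-lockout threshold in the mitigation list; the high alert is the point at which the attacker has obtained the interactive channel described above, so it is the one to treat as an incident rather than noise.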