Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The Remote Desktop Protocol (RDP) is a common target for attackers because Microsoft Remote Desktop is prevalent in enterprise environments, provides remote access to a Windows device, and leaves credentials exposed in memory. Devices with active Remote Desktop sessions can be enumerated easily with attack tools. This type of reconnaissance does not negatively affect network performance, but an attacker could locate Windows devices to target.
The system might change the risk score for this detection.
Kill Chain
Risk Score
37
Remote Desktop is a built-in tool in Microsoft Windows that enables an authorized remote user to access a Windows system over a network as if they are at the local desktop. If an attacker has stolen Remote Desktop credentials, they can potentially control many Remote Desktop-enabled devices on the network from a single compromised device. To find all of the devices with active RDP sessions, the attacker remotely queries devices with the Microsoft remote procedure call (MSRPC) protocol to call the Terminal Services (TERMSRV) interface. The attacker then receives a list of active RDP sessions on the server and associated clients that they can target.
