Outbound RDP traffic indicating brute force activity
Description
AlphaSOC detected an excessive number of outbound RDP connections from a host. This finding can indicate brute force attempts, possibly combined with exploitation of the RDP service, to gain unauthorized access to systems over TCP port 3389. Terminated connections, connections that were established but immediately closed, and connections in an indeterminate state are analyzed to identify brute force activity.
Impact
A successful RDP brute force attack lets an adversary gain unauthorized access to a system, obtain remote control of it, and move laterally within the network. From a compromised host, threat actors can brute force other internal services and use the foothold for data theft and credential harvesting.
Severity
| Severity | Condition |
|---|---|
| Low | Excessive outbound RDP traffic with a high byte count |
Investigation and Remediation
Investigate event logs on the originating host and on the targeted systems for RDP connection attempts to determine the scope of the activity and identify the source IP addresses involved. Isolate or block these IP addresses at the firewall to prevent further attempts, and reset any credentials that may have been compromised. Conduct a thorough scan of the affected systems to identify any unauthorized changes.
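The following is an added Python example, not AlphaSOC's detection code, that implements the heuristic described in the Description section over a constructed set of flow records: it counts outbound TCP/3389 connections per source that were terminated, closed almost immediately, or left in an indeterminate state, flags sources exceeding a threshold, and lists the destinations each flagged source touched so the scope can be established as the Investigation and Remediation section describes. The pipe-separated log format, the state names, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389
# Hypothetical thresholds; AlphaSOC's real tuning is not documented on this page.
MAX_SHORT_CONNECTIONS = 20   # suspicious outbound RDP flows per source before alerting
MAX_CONNECTION_SECONDS = 5.0 # flows shorter than this count as "immediately closed"
# Assumed state labels mirroring the page's wording, not a real sensor's vocabulary.
SUSPICIOUS_STATES = {"terminated", "closed", "indeterminate"}


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    state: str
    duration: float
    nbytes: int


def parse_flow(line):
    """Parse one constructed record: ts|src|dst|dport|state|duration_s|bytes."""
    ts, src, dst, dport, state, duration, nbytes = line.strip().split("|")
    return Flow(float(ts), src, dst, int(dport), state, float(duration), int(nbytes))


def is_brute_force_candidate(flow):
    """A flow counts toward the score when it is outbound RDP and either ended
    in a suspicious state or lived for less than MAX_CONNECTION_SECONDS."""
    if flow.dport != RDP_PORT:
        return False
    return flow.state in SUSPICIOUS_STATES or flow.duration < MAX_CONNECTION_SECONDS


def score_sources(lines):
    """Return {src_ip: (flow_count, total_bytes, sorted destinations)} for every
    source whose suspicious outbound RDP flow count exceeds MAX_SHORT_CONNECTIONS."""
    counts = defaultdict(int)
    total_bytes = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_brute_force_candidate(flow):
            counts[flow.src] += 1
            total_bytes[flow.src] += flow.nbytes
            targets[flow.src].add(flow.dst)
    return {
        src: (n, total_bytes[src], sorted(targets[src]))
        for src, n in counts.items()
        if n > MAX_SHORT_CONNECTIONS
    }


def build_sample_log():
    """Constructed flow records for demonstration; this is not captured traffic."""
    lines = ["# ts|src|dst|dport|state|duration_s|bytes"]
    # A legitimate administrator: three long, normally completed sessions.
    for i in range(3):
        lines.append(f"{1000 + i * 600}|10.0.0.5|192.168.1.10|3389|established|900.0|4000000")
    # A suspected brute forcer: 30 rapid attempts against six hosts, each closed at once.
    for i in range(30):
        dst = f"192.168.1.{10 + i % 6}"
        lines.append(f"{2000 + i * 2}|10.0.0.23|{dst}|3389|closed|0.4|1200")
    # Unrelated HTTPS traffic from the same host, which must be ignored.
    lines.append("2100|10.0.0.23|203.0.113.7|443|established|12.0|50000")
    return lines


if __name__ == "__main__":
    for src, (n, nbytes, dsts) in score_sources(build_sample_log()).items():
        print(f"{src}: {n} suspicious outbound RDP flows, {nbytes} bytes, targets {dsts}")
```

The per-source destination list is what an analyst needs first during scoping: it tells you which systems' security event logs to pull for failed logons and which credentials to consider compromised if any of those attempts eventually succeeded.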