
Outbound RDP traffic indicating brute force activity

ID: rdp_brute_force
Data type: IP
Severity: Low
MITRE ATT&CK: TA0008:T1021.001

Description

AlphaSOC detected excessive outbound RDP connections. This finding can indicate service exploitation in conjunction with brute force methods to gain unauthorized system access via RDP port 3389. Terminated, newly established but immediately closed, and indeterminate state connections are analyzed to determine brute force activity.

Impact

RDP brute force attacks can allow adversaries to gain unauthorized system access, move laterally within the network, and obtain remote control. Threat actors can use this to gain access to other internal services through brute force and exploit compromised systems for data theft and credential harvesting.

Severity

Severity    Condition
Low         Excessive outbound RDP traffic with high byte count

Investigation and Remediation

Investigate event logs for RDP connection attempts to determine the scope of the activity and identify the source IP addresses. Block these IP addresses at the firewall to prevent further attempts and reset any potentially compromised credentials. Conduct a thorough scan of affected systems to identify any unauthorized changes.
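The connection-state analysis the Description section outlines, and the source-IP identification the Investigation section calls for, as an added example that is not AlphaSOC's own code: it aggregates short-lived outbound connections to port 3389 per source and raises a Low finding only when both the attempt count and the byte total are excessive. The flow records, state labels and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real AlphaSOC data), one per line:
# src,dst,dport,state,bytes. The state labels are assumed and mirror the
# finding text: terminated, closed_immediately, indeterminate, established.
SAMPLE_FLOWS = """\
10.0.1.5,203.0.113.10,3389,closed_immediately,420
10.0.1.5,203.0.113.10,3389,closed_immediately,410
10.0.1.5,203.0.113.10,3389,terminated,530
10.0.1.5,203.0.113.10,3389,indeterminate,380
10.0.1.5,203.0.113.11,3389,closed_immediately,450
10.0.1.5,203.0.113.11,3389,terminated,500
10.0.1.7,198.51.100.20,3389,established,120000
10.0.1.7,198.51.100.20,3389,established,98000
10.0.1.9,198.51.100.30,443,terminated,300
10.0.1.9,198.51.100.30,443,terminated,310
"""

RDP_PORT = 3389
SUSPECT_STATES = {"terminated", "closed_immediately", "indeterminate"}
ATTEMPT_THRESHOLD = 5   # assumed: suspect RDP connections per source
BYTE_THRESHOLD = 2000   # assumed: summed bytes that count as "high"

def parse_flows(text):
    """Parse the CSV-style records into (src, dst, dport, state, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, state, nbytes = line.split(",")
            flows.append((src, dst, int(dport), state, int(nbytes)))
    return flows

def find_rdp_brute_force(flows, attempts=ATTEMPT_THRESHOLD, min_bytes=BYTE_THRESHOLD):
    """Aggregate suspect outbound RDP connections per internal source and emit a
    Low-severity finding only where both the count and the byte total are excessive."""
    agg = defaultdict(lambda: {"attempts": 0, "bytes": 0, "targets": set()})
    for src, dst, dport, state, nbytes in flows:
        # Healthy established sessions and non-RDP traffic are ignored.
        if dport != RDP_PORT or state not in SUSPECT_STATES:
            continue
        agg[src]["attempts"] += 1
        agg[src]["bytes"] += nbytes
        agg[src]["targets"].add(dst)
    return [
        {"id": "rdp_brute_force", "severity": "Low", "src": src,
         "attempts": a["attempts"], "bytes": a["bytes"], "targets": sorted(a["targets"])}
        for src, a in agg.items()
        if a["attempts"] >= attempts and a["bytes"] >= min_bytes
    ]
```

The returned source address and target list are the starting point for the event-log review and firewall blocking described above.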