medium advisory

RDP (Remote Desktop Protocol) from the Internet

This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.

Remote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems; however, exposing RDP directly to the internet creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for RDP connections whose source address lies outside the internal network (i.e. outside the RFC1918 private ranges) and whose destination is an internal address. This matters because a successful RDP compromise often leads to broader network infiltration and data exfiltration. This detection focuses on the network-level characteristics of RDP connections from the internet to internal assets.

Attack Chain

  1. An attacker identifies a publicly accessible RDP service.
  2. The attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g., BlueKeep, CVE-2019-0708).
  3. Upon successful authentication or exploitation, the attacker gains remote access to the targeted system.
  4. The attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.
  5. The attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.
  6. The attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).
  7. The attacker gathers sensitive data from internal systems.
  8. The attacker exfiltrates the stolen data to an external server or deploys ransomware.

Impact

Compromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The cost of a successful RDP attack ranges from several thousand to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.

Recommendation

  • Deploy the “RDP (Remote Desktop Protocol) from the Internet” Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.
  • Review firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. Implement a VPN or RDP gateway for secure remote access.
  • Enable and monitor network traffic logs (category: network_traffic, product: windows|linux|macos) to provide data for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.
  • Implement network segmentation to limit the blast radius of a potential RDP compromise.

Detection coverage (2 rules)

Detect RDP Connection from Internet to Internal Network

medium

Detects RDP connections originating from outside the internal network to internal IP ranges.

Sigma | tactics: command_and_control | techniques: T1021.001 | sources: network_connection, windows

Detect RDP traffic via Zeek from Internet to Internal Network

medium

Detect RDP connections via Zeek logs originating from outside the internal network to internal IP ranges.

Sigma | tactics: command_and_control | techniques: T1021.001 | sources: network_connection, zeek
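The two rules above apply the same logic to two data sources: a Windows network_connection event and a Zeek conn.log record. The following is an added illustration of that logic, not the platform's own rule or query: it normalizes both record types to common field names, treats anything outside the three RFC1918 ranges as "the internet", and flags RDP (destination port 3389, or a Zeek service value of rdp, which also catches RDP on a non-standard port) arriving at an internal address. The Zeek field names (id.orig_h, id.resp_h, id.resp_p, service) are Zeek's JSON conn.log fields; the Windows mapping assumes Sysmon Event ID 3 field names (SourceIp, DestinationIp, DestinationPort). All sample records are constructed for the example.

```python
import ipaddress
import json

# RFC1918 private ranges; the rule treats any source outside these as "the internet".
# Note: ipaddress's is_private would also include loopback and link-local, so the
# ranges are listed explicitly to match the rule's wording.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
RDP_PORT = 3389


def is_rfc1918(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the RFC1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed or missing address never counts as internal
    return any(ip in net for net in RFC1918)


def is_rdp_from_internet(event: dict) -> bool:
    """Rule logic over a normalized event: RDP from a non-RFC1918 source
    to an RFC1918 destination. Port 3389 or Zeek's service tag identifies RDP."""
    src, dst = event.get("src_ip"), event.get("dst_ip")
    if not src or not dst:
        return False
    looks_like_rdp = event.get("dst_port") == RDP_PORT or event.get("service") == "rdp"
    return looks_like_rdp and not is_rfc1918(src) and is_rfc1918(dst)


def normalize_zeek_conn(line: str) -> dict:
    """Map a JSON-formatted Zeek conn.log record to the common field names."""
    rec = json.loads(line)
    return {
        "src_ip": rec.get("id.orig_h"),
        "dst_ip": rec.get("id.resp_h"),
        "dst_port": rec.get("id.resp_p"),
        "service": rec.get("service"),
        "ts": rec.get("ts"),
    }


def normalize_windows_network(rec: dict) -> dict:
    """Map a Sysmon Event ID 3 style record (field names assumed) to common names.
    Sysmon has no protocol detection, so 'service' is left empty and only the port matches."""
    return {
        "src_ip": rec.get("SourceIp"),
        "dst_ip": rec.get("DestinationIp"),
        "dst_port": rec.get("DestinationPort"),
        "service": None,
        "ts": rec.get("UtcTime"),
    }


def find_alerts(zeek_lines, windows_records):
    """Run the rule over both sources; returns (source, src_ip, dst_ip) tuples."""
    alerts = []
    for line in zeek_lines:
        ev = normalize_zeek_conn(line)
        if is_rdp_from_internet(ev):
            alerts.append(("zeek", ev["src_ip"], ev["dst_ip"]))
    for rec in windows_records:
        ev = normalize_windows_network(rec)
        if is_rdp_from_internet(ev):
            alerts.append(("windows", ev["src_ip"], ev["dst_ip"]))
    return alerts


# Constructed sample input (TEST-NET addresses stand in for internet sources).
SAMPLE_ZEEK = [
    '{"ts": 1700000000.1, "uid": "C1", "id.orig_h": "203.0.113.45", "id.orig_p": 51234, '
    '"id.resp_h": "10.0.5.20", "id.resp_p": 3389, "proto": "tcp", "service": "rdp"}',
    # internal-to-internal RDP: administrator activity, not in scope for this rule
    '{"ts": 1700000001.2, "uid": "C2", "id.orig_h": "192.168.1.10", "id.orig_p": 50000, '
    '"id.resp_h": "10.0.5.20", "id.resp_p": 3389, "proto": "tcp", "service": "rdp"}',
    # inbound HTTPS from the internet: not RDP
    '{"ts": 1700000002.3, "uid": "C3", "id.orig_h": "198.51.100.7", "id.orig_p": 40000, '
    '"id.resp_h": "10.0.5.21", "id.resp_p": 443, "proto": "tcp", "service": "ssl"}',
]
SAMPLE_WINDOWS = [
    {"UtcTime": "2024-01-01 10:00:00", "SourceIp": "198.51.100.9",
     "DestinationIp": "172.16.4.8", "DestinationPort": 3389, "Initiated": "false"},
    # outbound RDP from an internal host: a different concern, not matched here
    {"UtcTime": "2024-01-01 10:00:05", "SourceIp": "10.0.5.20",
     "DestinationIp": "203.0.113.45", "DestinationPort": 3389, "Initiated": "true"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_ZEEK, SAMPLE_WINDOWS):
        print("RDP from internet:", alert)
```

The Zeek path is the stronger of the two because Zeek's service field is set by protocol analysis, so RDP moved to a non-standard port still matches, while port-only matching on Windows events both misses that case and can flag unrelated traffic that happens to use 3389. When tuning, pair any alert with the firewall review recommended above: a hit on an asset that is not supposed to be reachable from the internet is the finding that matters.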
