Detection and protection against RDP attacks

Among the cyberattacks that target companies, RDP brute force attacks are the most frequently used by adversaries, especially where systems are directly exposed to the Internet. Advanced EDR detects and protects network computers against attacks that use the RDP (Remote Desktop Protocol) as an infection vector.

Using the RDP protocol, users connect to remote computers and run processes that enable them to use resources on another computer. In the case of non-legitimate users, this protocol can also be used to facilitate lateral movements within a corporate network and access other resources hosted on the IT infrastructure.

When you enable the RDP attacks toggle in the settings profile (see Enabling and modifying IOA detection), Advanced EDR executes these actions on the recipient computers:

• Logs remote access attempts via RDP on each protected computer over the last 24 hours, which originated outside the customer network.

• Determines whether the computer is subject to an RDP brute force attack.

• Detects if any of the computer accounts have already been compromised to access resources on the system.

• Blocks RDP connections to mitigate the attack.

IOA detection associated with an RDP attack

When a computer receives a large number of RDP connection attempts that try to initiate a remote session but fail due to invalid credentials, Advanced EDR generates a Brute-force attack against RDP detection.

RDP containment modes

Initial RDP attack containment mode

When a computer protected by Advanced EDR receives a large number of RDP connection attempts that fail due to invalid credentials, the security software generates a Brute-force attack against RDP IOA and puts the computer into Initial RDP attack containment mode. In this mode, RDP access to the computer is blocked from IPs outside the customer network that have sent a large number of connection attempts over the last 24 hours. To allow access by one or more of these IPs, use the Trusted IPs list in the Indicators of attack (IOA) settings. See Trusted IPs.

Restrictive RDP attack containment mode

When the attacker is able to successfully log in to an account that previously failed due to invalid credentials, the computer in Initial RDP attack containment mode moves to the Restrictive RDP attack containment mode. The security software generates a Credentials compromised after brute-force attack on RDP IOA. The account is considered to be compromised. All external RDP connections that have tried to connect at least once with the target computer in the previous 24 hours are blocked.

Configuring the response to an RDP attack

When Advanced EDR detects an RDP attack or intrusion, there are two response options: report only, or report and block the attack.

To configure the response to an RDP attack:

• In the Indicators of attack settings profile assigned to the computer, click the Advanced settings link in the RDP attacks section. The settings options associated with this IOA appear.

• Select the required option from Response on workstations and/or Response on servers:

  • Report and block RDP attacks: Advanced EDR generates a Brute-force attack against RDP detection in the console and puts the attacked computer into the appropriate containment mode.

  • Report only: Advanced EDR only generates a Brute-force attack against RDP detection in the console.

For more information, see Indicators of attack (IOA) settings options.

Finding network computers in RDP attack containment mode

You can use these resources to find computers in containment mode:

• The XX computers in RDP attack containment mode list in the Threat hunting service widget. See Threat Hunting Service.

• The filters available in the Computer protection status list. See Computer protection status.

• The Computer protection status exported file. See Computer protection status.

• A computer tree filter. See Filter computers in RDP attack containment mode.

Viewing a computer containment status

The console shows the containment status of computers through these resources:

• The Computer protection status list, through the icon. See Computer protection status.

• The Computer protection status exported list, in the RDP attack containment mode column. See Computer protection status.

• The Encryption status list, through the icon. See Encryption status

• The Encryption status exported list, in the RDP attack containment mode column. See Encryption status

• The Patch management status list, through the icon. See Patch management status.

• The Patch management status exported list, in the RDP attack containment mode column. See Patch management status.

• The Data Control status list, through the icon. See Cytomic Data Watch status.

• The Data Control status exported list, in the RDP attack containment mode column. See Cytomic Data Watch status.

• The Computers list, through the icon. See Computers list.

• The Computers exported list, in the RDP attack containment mode column. See Computers list.

• The Indicators of attack (IOA) list, in the Action column. See Indicators of attack (IOA).

• The Indicators of attack (IOA) exported list, in the Action column. See Indicators of attack (IOA).

• The alerts on the Computer details page. See Computers in containment mode .

• The IOA details page, in the Computer field. See Details page.

Automatic termination of RDP attack containment mode

Twenty-four hours after containment mode begins, Advanced EDR evaluates the number of connection attempts via RDP. If it is below default threshold, Advanced EDR automatically ends RDP attack containment mode. If the attempts continue, then the containment mode continues for another 24 hours.

IPs blocked during containment mode continue to be blocked even after the RDP attack has finished. This way, over time, the security software learns the IP addresses that cybercriminals use to attack a customer network and, when all of them have been blocked, the attack is rendered ineffective and it is no longer necessary to use containment mode.

Manual termination of RDP attack containment mode

When you consider the network secure and there is no longer any danger of an RDP attack, you can manually end RDP attack containment mode for a computer:

• From the lists specified in Viewing a computer containment status:

  • Open one of the lists and select the checkboxes associated with the computers. The toolbar appears.

  • Click the End RDP attack containment mode icon .

Or:

• Click the context menu to the right of the computer. A drop-down menu appears with the available options.

• Select the option End RDP attack containment mode .

• From the computer details page:

  • Open one of the lists specified in Viewing a computer containment status and select the computer. The Computer details page opens.

  • Click End RDP attack containment mode.

When you manually end containment mode, the management console immediately sends the command to all recipient computers. When the device is accessible and has real-time communication enabled, the action is executed immediately. If the security software is unable to contact the computer, the computer moves to Ending RDP containment mode status and:

• A flashing icon appears in the lists specified in Viewing a computer containment status.

• A warning message appears on the Computer details page.

• A warning message on the IOA details page.

See Configuring real-time communication.

The computer continues in containment mode until the command is executed correctly. The security software sends the command again every 4 hours for the next 7 days If the action is unable to complete, the security software management console shows the computer status in RDP attack containment mode.

After you manually end containment mode, Advanced EDR takes these actions:

• All IPs recorded and blocked on the computer are released.

• The computer allows RDP connections.

If the security software automatically ends containment mode, it does not release the IPs and continues to block them.