Detection and protection against RDP attacks
Among the cyberattacks that target companies, RDP brute force attacks are the most frequently used by adversaries, especially where systems are directly exposed to the Internet. Advanced EDR detects and protects network computers against attacks that use the RDP (Remote Desktop Protocol) as an infection vector.
Using the RDP protocol, users connect to remote computers and run processes that enable them to use resources on another computer. In the case of non-legitimate users, this protocol can also be used to facilitate lateral movements within a corporate network and access other resources hosted on the IT infrastructure.
When you enable the Brute-force attack against RDP/Credentials compromised after brute-force attack on RDP toggle in the settings profile (see Enabling and configuring the detection of IOAs), Advanced EDR executes these actions on the recipient computers:
- Logs remote access attempts via RDP on each protected computer over the last 24 hours that originated outside the customer network.
- Determines whether the computer is subject to an RDP brute-force attack.
- Detects whether any of the computer accounts have already been compromised to access resources on the system.
- Blocks RDP connections to mitigate the attack.
IOA associated with an RDP attack
Advanced EDR shows the Brute-force attack against RDP IOA on detecting signs of an RDP attack. In this situation, the computer has received a large number of RDP connections that try to initiate a remote session, but have failed because they do not have valid credentials.
RDP containment modes
Initial RDP attack containment mode
When a computer protected by Advanced EDR receives a large number of RDP connection attempts that fail due to invalid credentials, the protection software generates the Brute-force attack against RDP IOA and puts the computer into Initial RDP attack containment mode. In this mode, RDP access to the computer is blocked from IPs outside the customer network that have sent a large number of connection attempts over the last 24 hours. To allow access by one or more of these IPs, use the Trusted IPs list in the Indicators of attack (IOA) settings. See Trusted IPs.
Restrictive RDP attack containment mode
This is triggered when a computer protected by Advanced EDR already in Initial RDP attack containment mode receives a successful login attempt from an account that previously failed due to invalid credentials. At this point, the protection software generates the Credentials compromised after brute-force attack on RDP IOA and the account is considered to have been compromised. As a mitigation mechanism, all external RDP connections that have tried to connect at least once with the target computer in the previous 24 hours are blocked.
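The decisions described in this section, added here as a worked example in Python rather than Advanced EDR's own code: over a 24-hour window of RDP logon events, only connections from outside the customer network are counted; sources that exceed a failure threshold (minus any Trusted IPs) put the host into Initial mode and are blocked; a successful logon for an account that had previously failed from outside marks the credentials as compromised and switches the host to Restrictive mode, where every external source seen in the window is blocked. The log format, the customer network ranges, the threshold value of 5 and all sample events are constructed assumptions; the product does not publish its thresholds.

```python
"""Model of RDP brute-force detection and the two containment modes (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
BRUTE_FORCE_THRESHOLD = 5  # assumed; the product's "large number" is not published
# Assumed customer network: any source outside these ranges is treated as external.
CUSTOMER_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log (not product telemetry): "<ISO time> <source IP> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-04-29T12:00:00 203.0.113.50 admin FAIL
2024-05-01T08:00:00 10.0.0.5 alice SUCCESS
2024-05-01T09:00:00 198.51.100.9 bob FAIL
2024-05-01T10:00:00 203.0.113.7 administrator FAIL
2024-05-01T10:00:05 203.0.113.7 administrator FAIL
2024-05-01T10:00:10 203.0.113.7 administrator FAIL
2024-05-01T10:00:15 203.0.113.7 administrator FAIL
2024-05-01T10:00:20 203.0.113.7 administrator FAIL
2024-05-01T10:30:00 203.0.113.7 administrator SUCCESS
"""


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    ip: str
    account: str
    ok: bool


@dataclass(frozen=True)
class Assessment:
    mode: str               # "none", "initial" or "restrictive"
    blocked: frozenset      # source IPs to block on the host
    compromised: frozenset  # accounts that logged on successfully after failing


def parse_log(text):
    """Parse the constructed log format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), ip, account, outcome == "SUCCESS"))
    return events


def is_external(ip):
    """True when the source address lies outside the (assumed) customer network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CUSTOMER_NETWORKS)


def assess(events, now, trusted_ips=(), threshold=BRUTE_FORCE_THRESHOLD):
    """Decide the containment mode for one host from its last 24 hours of external RDP logons."""
    recent = sorted((e for e in events if now - WINDOW <= e.ts <= now and is_external(e.ip)),
                    key=lambda e: e.ts)
    failures = Counter(e.ip for e in recent if not e.ok)
    # Initial mode: block external IPs that sent many failed attempts, unless they are trusted.
    attackers = {ip for ip, n in failures.items() if n >= threshold} - set(trusted_ips)
    if not attackers:
        return Assessment("none", frozenset(), frozenset())
    # Restrictive mode: a success for an account that failed earlier means its credentials were guessed.
    failed_accounts, compromised = set(), set()
    for e in recent:
        if e.ok and e.account in failed_accounts:
            compromised.add(e.account)
        elif not e.ok:
            failed_accounts.add(e.account)
    if compromised:
        # Every external source that tried at least once in the window is blocked.
        everyone = {e.ip for e in recent} - set(trusted_ips)
        return Assessment("restrictive", frozenset(everyone), frozenset(compromised))
    return Assessment("initial", frozenset(attackers), frozenset())


def assess_log(text, now_iso, trusted_ips=()):
    """Convenience wrapper: parse a log and assess it at the given time."""
    return assess(parse_log(text), datetime.fromisoformat(now_iso), trusted_ips)


if __name__ == "__main__":
    r = assess_log(SAMPLE_LOG, "2024-05-01T12:00:00")
    print(r.mode, sorted(r.blocked), sorted(r.compromised))
```

With the sample log the host ends in Restrictive mode: 203.0.113.7 crossed the failure threshold, the later success for `administrator` marks that account as compromised, and 198.51.100.9 is blocked as well despite a single failed attempt. The event from 203.0.113.50 is older than 24 hours and is ignored, as is the internal logon from 10.0.0.5. Adding 203.0.113.7 to `trusted_ips` suppresses the detection entirely, which is why the Trusted IPs list should be kept short.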
Configuring the response to an RDP attack
When Advanced EDR detects an RDP attack or intrusion, there are two response options: report only, or report and block the attack.
To configure the response to an RDP attack:
- In the Indicators of attack settings profile assigned to the computer, click the Advanced settings link in the RDP attacks section. The settings options associated with this IOA are shown.
- Select the required option from Response on workstations and/or Response on servers:
  - Report and block RDP attacks: Advanced EDR shows the Brute-force attack against RDP IOA in the console and also sets the relevant containment mode for the target computer.
  - Report only: Advanced EDR only shows the Brute-force attack against RDP IOA in the console.

For more information, see Indicators of attack (IOA) settings options.
Finding network computers in RDP attack containment mode
You can use the following resources to find computers in containment mode:
- With the XX computers in RDP attack containment mode list in the Threat hunting service widget. See Threat Hunting Service.
- With the filters available in the Computer protection status list. See Computer protection status.
- In the Computer protection status exported file. See Computer protection status.
- With a computer tree filter. See Filter computers in RDP attack containment mode.
Viewing the containment status of computers
The console shows the containment status of computers through the following resources:
- In the Computer protection status list, through the icon. See Computer protection status.
- In the Computer protection status exported list, in the RDP attack containment mode column. See Computer protection status.
- In the Encryption status list, through the icon. See Encryption status.
- In the Encryption status exported list, in the RDP attack containment mode column. See Encryption status.
- In the Patch management status list, through the icon. See Patch management status.
- In the Patch management status exported list, in the RDP attack containment mode column. See Patch management status.
- In the Data Control status list, through the icon. See Cytomic Data Watch status.
- In the Data Control status exported list, in the RDP attack containment mode column. See Cytomic Data Watch status.
- In the Computers list, through the icon. See Computers list.
- In the Computers exported list, in the RDP attack containment mode column. See Computers list.
- In the Indicators of attack (IOA) list, in the Action column. See Indicators of attack (IOA).
- In the Indicators of attack (IOA) exported list, in the Action column. See Indicators of attack (IOA).
- In the alerts on the Computer details page. See Computers in containment mode.
- On the IOA details page, in the Computer field. See Details page.
Automatic termination of RDP attack containment mode
24 hours after containment mode begins, Advanced EDR evaluates the number of RDP connection attempts received. If it is below certain thresholds, containment mode is terminated; if not, it is extended for a further 24 hours.
IPs blocked during containment mode will continue to be blocked even after the RDP attack has finished. This way, over time, the security software learns the IPs that cybercriminals use to attack a customer network and, when all of them have been blocked, the attack will be rendered ineffective and it will no longer be necessary to use containment mode.
Manual termination of RDP attack containment mode
If an administrator considers that the network is secure and there is no longer any danger of RDP attacks, they can manually terminate the block:
- From the lists specified in Viewing the containment status of computers:
  - Open one of the lists and select the checkboxes associated with the computers. The toolbar appears.
  - Click the End RDP attack containment mode icon.
  Or:
  - Click the context menu to the right of the computer. A drop-down menu appears with the available options.
  - Select the option End RDP attack containment mode.
- From the computer details page:
  - Open one of the lists specified in Viewing the containment status of computers and click the computer. The Computer details page opens.
  - Click End RDP attack containment mode.

When you end RDP attack containment mode, the management console immediately sends the command to all recipient computers. Depending on whether the computer is accessible and operating in real time, the action is executed immediately or the computer goes into the Ending RDP containment mode status, in which case the console shows:
- A flashing icon in the lists specified in Viewing the containment status of computers.
- A warning message on the Computer details page.
- A warning message on the IOA details page.
See Configuring real-time communication.
The computer continues in containment mode until the command is executed correctly. If a problem occurs, the command is sent again every 4 hours for the next 7 days. If the action is unable to complete, the console shows the computer status in RDP attack containment mode.
When you manually end containment mode:
- All IPs recorded and blocked on the computer are released.
- The computer allows RDP connections.
These actions are only executed when the RDP attack containment mode is manually terminated. If the security software automatically ends containment mode, it does not release the IPs and continues to block them.
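The containment lifecycle described in the two sections above (Automatic termination and Manual termination), modelled in Python as an added example that is not Advanced EDR's code. It shows the practical difference between the two endings: the automatic 24-hour review either extends containment or ends it while keeping every blocked IP, whereas a manual end releases all of them; it also models the Ending RDP containment mode status, with the command resent every 4 hours for 7 days when the computer cannot be reached. The attempt threshold and the starting time `T0` are assumptions.

```python
"""Lifecycle of RDP attack containment mode on one computer (added example)."""
from datetime import datetime, timedelta

REVIEW_PERIOD = timedelta(hours=24)   # containment is re-evaluated every 24 hours
RETRY_INTERVAL = timedelta(hours=4)   # a pending manual-end command is resent every 4 hours
RETRY_WINDOW = timedelta(days=7)      # for up to 7 days, after which the computer stays contained
ATTEMPT_THRESHOLD = 5                 # assumed; the product's real thresholds are not published
T0 = datetime.fromisoformat("2024-05-01T12:00:00")  # constructed start time for the demo


class RdpContainment:
    """State of one computer's RDP attack containment mode."""

    def __init__(self, started, blocked_ips):
        self.active = True
        self.blocked = set(blocked_ips)   # survives an automatic end, cleared by a manual end
        self.next_review = started + REVIEW_PERIOD
        self.end_requested = None         # time a manual-end command was sent but not executed
        self.retry_at = None
        self.give_up_at = None

    def status(self):
        if not self.active:
            return "not contained"
        return "ending" if self.end_requested else "contained"

    def is_blocked(self, ip):
        return ip in self.blocked

    def review(self, now, attempts_by_ip):
        """Automatic evaluation at the end of each 24-hour period.

        attempts_by_ip maps each external source IP to its RDP attempts in the
        last period. Sources over the threshold are added to the block list;
        if the total is below the threshold containment ends, otherwise it is
        extended by 24 hours. Blocked IPs are kept in both cases."""
        if not self.active or now < self.next_review:
            return self.status()
        self.blocked.update(ip for ip, n in attempts_by_ip.items() if n >= ATTEMPT_THRESHOLD)
        if sum(attempts_by_ip.values()) < ATTEMPT_THRESHOLD:
            self.active = False           # automatic end: IPs stay blocked
        else:
            self.next_review = now + REVIEW_PERIOD
        return self.status()

    def request_manual_end(self, now, delivered):
        """Administrator ends containment from the console; delivered says whether
        the computer received the command in real time."""
        if not self.active:
            return self.status()
        if delivered:
            return self._release()
        self.end_requested = now          # Ending RDP containment mode status
        self.retry_at = now + RETRY_INTERVAL
        self.give_up_at = now + RETRY_WINDOW
        return self.status()

    def retry_manual_end(self, now, delivered):
        """Periodic resend of a pending manual-end command."""
        if self.end_requested is None or not self.active:
            return self.status()
        if now >= self.give_up_at:        # 7 days elapsed: give up, computer stays contained
            self.end_requested = None
            return self.status()
        if now < self.retry_at:           # not due yet
            return self.status()
        if delivered:
            return self._release()
        self.retry_at = now + RETRY_INTERVAL
        return self.status()

    def _release(self):
        """Manual termination only: release every blocked IP and allow RDP again."""
        self.blocked.clear()
        self.active = False
        self.end_requested = None
        return self.status()


if __name__ == "__main__":
    c = RdpContainment(T0, ["203.0.113.7"])
    print(c.review(T0 + REVIEW_PERIOD, {"203.0.113.7": 3, "198.51.100.23": 9}))   # contained
    print(c.review(T0 + 2 * REVIEW_PERIOD, {"203.0.113.7": 1}))                    # not contained
    print(c.is_blocked("198.51.100.23"), c.is_blocked("203.0.113.7"))               # both still blocked
```

Note what the automatic path leaves behind: after the second review the computer is no longer contained, yet both 203.0.113.7 and the newly learned 198.51.100.23 remain blocked, which is the learning behaviour the text describes. Only `request_manual_end` (or a later successful retry) clears the list, so a manual end should be used when the administrator actually wants those sources readmitted.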