Vectra AI Detection: RDP Recon
Vectra AI Threat Briefing: How Attackers Use Shodan & FOFA

Threat Briefing: How Attackers Use Brute Ratel (BRC4) >

Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

RDP Recon

RDP Recon
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Remote Desktop Protocol (RDP) is a common method for remote access, allowing users to interact with a system as if they were physically present. However, attackers often use RDP reconnaissance (RDP Recon) to identify available remote desktop services within a network, evaluate potential targets, and determine authentication methods. This detection identifies suspicious behavior related to RDP enumeration, which can indicate an attacker preparing for lateral movement or unauthorized access.

Triggers

  • A host is making multiple RDP connection attempts with most of the connections failing to complete
  • The connection attempts can target one or more RDP servers
  • Even when a single RDP server is targeted, multiple accounts may still be involved in the encrypted part of the RDP connection setup

Possible Root Causes

  • An attacker is trying to determine the existence of accounts in order to progress to the next step in the attack
  • The attacker is working through a list of accounts with well-known default passwords in an attempt to find a working account/password combination
  • This host is a jump server and several users are unsuccessfully attempting to RDP to other servers from it

Business Impact

  • A scan via RDP is an effective way for an attacker to determine what accounts are available inside an organization’s network and which RDP servers accept logins via the accounts
  • If one of the targets has not been normally accessed via RDP, the nature of the target server will provide additional guidance regarding the potential business impact
  • Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  • Inquire whether the target of the RDP connection attempts should even be setup to accept RDP connections
  • Inquire whether this host should be initiating the number of RDP connections to the targets listed in the detection
  • If this host is a jump server, retrieve the logs of the jump server to see what upstream connections are the originators of the large number of failed RDP connections
RDP Recon

Possible root causes

Malicious Detection

Attackers use RDP reconnaissance to identify accessible remote desktop services within a network. Once they locate an RDP-enabled system, they may attempt brute-force authentication, exploit vulnerabilities, or use stolen credentials to gain unauthorized access. Successful exploitation of RDP can provide direct control over a compromised system, allowing an attacker to move laterally, exfiltrate data, or deploy ransomware. This behavior is commonly associated with advanced persistent threats (APTs) and ransomware operators.

Benign Detection

Legitimate administrators may also perform RDP reconnaissance when troubleshooting connectivity issues, verifying system availability, or auditing remote access configurations. Security teams might scan for exposed RDP services to identify misconfigurations or security risks. However, these activities typically originate from known administrative tools and follow expected usage patterns, which differentiate them from malicious reconnaissance.

RDP Recon

Example scenarios

  1. Attacker preparing for lateral movement
    An attacker who has gained initial access to a corporate network scans internal systems to identify which hosts have RDP enabled. They later attempt to use stolen credentials to move laterally.
  2. Administrator performing security assessments
    A security team runs an internal scan to detect exposed RDP services and ensure that only authorized systems have remote access enabled. This legitimate activity is flagged, but investigation confirms it is an approved security task.
RDP Recon

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Unauthorized access risk

Attackers identifying RDP services may gain unauthorized access, leading to potential data theft or system compromise.

Increased risk of ransomware attacks

RDP exploitation is a common entry point for ransomware, enabling attackers to deploy malware and encrypt critical business data.

Compliance and regulatory concerns

Exposed RDP services may violate compliance standards (e.g., PCI DSS, GDPR) if they lack proper access controls and security measures.

RDP Recon

Steps to investigate

Identify the scanning source

Determine which host initiated the RDP reconnaissance and check whether it is a known administrative system or an unexpected source.

Analyze authentication attempts

Review authentication logs to identify failed login attempts, brute-force attempts, or successful logins from suspicious locations.

Correlate with other suspicious activity

Look for additional detections related to lateral movement, privilege escalation, or unauthorized access attempts.

Validate legitimate usage

Confirm with IT and security teams whether the activity is part of a legitimate administrative task or an internal security scan.

RDP Recon

MITRE ATT&CK techniques covered

System Owner/User Discovery

T1033

Remote System Discovery

T1018
RDP Recon

Related detections

External Remote Access

Suspicious Remote Execution

Suspicious Remote Desktop Protocol

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs