
Detecting Malicious RDP Activity: Key Indicators of Compromise (IOCs)

Siva
Nov 8, 2024

Identifying a potential RDP compromise early can be crucial in minimizing damage and responding effectively. Here are some common IOCs to help detect malicious RDP activity and protect your organization from unauthorized access or attacks.

1. Network Indicators

  • Unusual RDP Port Activity: RDP listens on TCP/3389 by default (recent clients also use UDP/3389). Monitor traffic on that port, above all where it is reachable from the internet, and look for RDP on other ports as well: the listening port is configurable in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber, and moving it off 3389 is a common way to slip past port-based monitoring.
  • IP Addresses from Suspicious Geolocations: Connections from countries or networks where your organization has no users, and in particular from addresses flagged by threat-intelligence feeds, can signal an attempted or successful compromise.
  • High Volume of RDP Sessions: A spike in RDP sessions within a short window, or sessions at hours when nobody should be working, points to brute forcing (many short connections from one source) or lateral movement (one account opening sessions to many hosts).
  • Failed Login Attempts: On Windows these are Security Event ID 4625; RDP logons carry Logon Type 10 (RemoteInteractive), and with Network Level Authentication enabled a rejected credential is logged as Logon Type 3 before any session exists, so both types need to be counted. Repeated failures from one source, often spread across several usernames, are the classic brute-force pattern, and a successful logon (Event ID 4624) that follows such a burst is the alert to act on first.
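The following is an added example, not code from the article: it runs the brute-force, success-after-burst and off-hours checks described above over a handful of constructed Windows Security events (Event IDs 4625/4624, Logon Type 10). The thresholds, IP addresses and user names are assumptions, as is the 10-minute window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records standing in for Windows Security log events that
# have already been normalised into dicts. 4625 = failed logon, 4624 = successful
# logon; Logon Type 10 = RemoteInteractive (RDP). IPs and users are made up.
SAMPLE_EVENTS = [
    {"event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator", "time": "2024-11-08T02:14:01"},
    {"event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin",         "time": "2024-11-08T02:14:03"},
    {"event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "root",          "time": "2024-11-08T02:14:05"},
    {"event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator", "time": "2024-11-08T02:14:08"},
    {"event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup",        "time": "2024-11-08T02:14:10"},
    {"event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup",        "time": "2024-11-08T02:14:12"},
    {"event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23",   "user": "jsmith",        "time": "2024-11-08T09:02:11"},
    {"event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23",   "user": "jsmith",        "time": "2024-11-08T09:02:40"},
    {"event_id": 4624, "logon_type": 10, "src_ip": "10.0.8.9",    "user": "mlee",          "time": "2024-11-08T11:30:00"},
    {"event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23",   "user": "svc_admin",     "time": "2024-11-08T03:45:00"},
]

# Type 3 is included because NLA rejects bad credentials before a Type 10 session exists.
RDP_LOGON_TYPES = {10, 3}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _rdp_events(events, event_id):
    return [e for e in events if e["event_id"] == event_id and e["logon_type"] in RDP_LOGON_TYPES]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: max failures seen in any `window`} for sources at or over `threshold`."""
    failures = defaultdict(list)
    for e in _rdp_events(events, 4625):
        failures[e["src_ip"]].append(_ts(e))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successes_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Successful RDP logons preceded by >= min_failures failures from the same IP within `window`."""
    failures = defaultdict(list)
    for e in _rdp_events(events, 4625):
        failures[e["src_ip"]].append(_ts(e))
    hits = []
    for e in _rdp_events(events, 4624):
        t = _ts(e)
        prior = sum(1 for f in failures[e["src_ip"]] if t - window <= f <= t)
        if prior >= min_failures:
            hits.append((e["src_ip"], e["user"], e["time"]))
    return hits


def off_hours_sessions(events, start_hour=0, end_hour=6):
    """Successful RDP logons whose hour falls in [start_hour, end_hour); the hours are an assumed policy."""
    return [(e["src_ip"], e["user"], e["time"])
            for e in _rdp_events(events, 4624)
            if start_hour <= _ts(e).hour < end_hour]


if __name__ == "__main__":
    print("brute-force candidates:", detect_bruteforce(SAMPLE_EVENTS))
    print("success after burst:   ", successes_after_failures(SAMPLE_EVENTS))
    print("off-hours sessions:    ", off_hours_sessions(SAMPLE_EVENTS))
```

On the sample data the external source 203.0.113.7 trips all three checks at once (five failures in nine seconds, then a success as `backup` at 02:14), while the single typo from 10.0.5.23 at 09:02 is ignored; the 03:45 service-account session from an internal address shows up only in the off-hours list, which is the kind of hit that needs a second indicator before it becomes an incident.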

2. File-Based IOCs

  • Malicious .rdp Files: Be cautious of unexpected .rdp files whose settings point at external hosts or enable risky options, such as:
    • full address:s: set to an unknown or external IP address or hostname.
    • redirectdrives:i:1, which maps the local drives into the remote session, so whoever controls the target host can read from and write to the victim's disk.
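As an added example that is not part of the article, here is a small checker for the .rdp indicators above: it parses the `key:type:value` lines of an .rdp file, flags a `full address` outside an assumed set of trusted networks and DNS suffixes, and flags the device-redirection settings. The two sample files, the trusted ranges and the `.corp.example` suffix are constructed for the example.

```python
import ipaddress

# Constructed sample .rdp files. The first resembles a lure pointing at an
# external host with device redirection enabled; the second is an ordinary
# internal connection file.
SUSPICIOUS_RDP = """\
screen mode id:i:2
full address:s:203.0.113.55:3389
username:s:corp\\helpdesk
redirectdrives:i:1
redirectclipboard:i:1
drivestoredirect:s:*
promptcredentialonce:i:1
"""

BENIGN_RDP = """\
full address:s:ts01.corp.example
redirectdrives:i:0
redirectclipboard:i:0
"""

# Assumed policy: what counts as "internal" for this organisation.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_SUFFIXES = (".corp.example",)

# Settings that hand local resources to the remote host when set to 1.
RISKY_INT_FLAGS = {
    "redirectdrives": "maps local drives into the remote session",
    "redirectclipboard": "shares the local clipboard with the remote host",
    "redirectprinters": "forwards local printers to the remote host",
    "redirectsmartcards": "forwards smart cards to the remote host",
    "remoteapplicationmode": "starts a RemoteApp instead of a full desktop, which is easier to hide",
}


def parse_rdp(text):
    """Parse key:type:value lines into {key: (type, value)}, keeping file order."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue                               # blank or malformed line
        key, typ, value = line.split(":", 2)       # keys such as 'full address' contain spaces
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings


def split_host_port(address):
    """'host', 'host:port' or '[v6]:port' -> (host, port or None)."""
    if address.startswith("["):
        host, _, rest = address[1:].partition("]")
        return host, (rest[1:] if rest.startswith(":") else None)
    if address.count(":") > 1:                     # bare IPv6 literal, no port
        return address, None
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return address, None


def is_trusted_host(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                             # not an IP literal: check the DNS suffix
        return host.lower().endswith(TRUSTED_SUFFIXES)
    return any(addr in net for net in TRUSTED_NETWORKS)


def assess_rdp(text):
    """Return [(key, value, reason)] for every setting that matches an IOC."""
    findings = []
    for key, (typ, value) in parse_rdp(text).items():
        if key == "full address":
            host, port = split_host_port(value)
            if not is_trusted_host(host):
                findings.append((key, value, f"target {host} is outside trusted networks/domains"))
            elif port not in (None, "3389"):
                findings.append((key, value, f"non-standard RDP port {port}"))
        elif key in RISKY_INT_FLAGS and typ == "i" and value == "1":
            findings.append((key, value, RISKY_INT_FLAGS[key]))
        elif key == "drivestoredirect" and value:
            findings.append((key, value, "exposes local drives ('*' means all of them)"))
    return findings


if __name__ == "__main__":
    for name, content in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(name, assess_rdp(content))
```

When running this against real files, read them as bytes and decode before parsing: files saved by mstsc are commonly UTF-16 LE with a byte-order mark, and a parser that assumes ASCII will silently see no settings at all.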
