msrdp
Explanation
A Microsoft Remote Desktop Protocol (RDP) reflection attack is a type of DDoS attack where the attacker sends a forged packet to an open RDP server that causes it to send a large amount of traffic to a target. This traffic overwhelms the target's network, causing it to crash.
What to Look For
When examining the results of the msrdp event, look for any indications of a malicious actor attempting to send forged packets to an open RDP server. This can include a high volume of traffic from a single IP address, as well as packets with unusual characteristics or payloads. Endpoint analysis should focus on any anomalous behavior from RDP clients or abnormal network traffic from the affected device. Remediation measures may include blocking the offending IP address or disabling the RDP service on the targeted device.
Related MITRE ATT&CK Categories
Updated 20 days ago