Explanation

A Microsoft Remote Desktop Protocol (RDP) reflection attack is a type of DDoS attack in which the attacker sends forged packets to an open RDP server, causing the server to send a large volume of traffic to a target. That traffic overwhelms the target's network, causing it to crash.

What to Look For

When examining the results of the msrdp event, look for any indications of a malicious actor attempting to send forged packets to an open RDP server. This can include a high volume of traffic from a single IP address, as well as packets with unusual characteristics or payloads. Endpoint analysis should focus on any anomalous behavior from RDP clients or abnormal network traffic from the affected device. Remediation measures may include blocking the offending IP address or disabling the RDP service on the targeted device.
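One way to turn the indicators above into a repeatable check, as an added example that is not part of the original page or the product's own detection: it scores constructed, Zeek conn.log-style records per source IP for request volume and oversized requests, and additionally for the UDP response-to-request byte ratio that characterises any reflection attack (that ratio goes beyond what the page lists). The field layout, thresholds and sample addresses are assumptions; the records are as seen at the RDP server.

```python
# Added example, not from the original page: score per-source RDP traffic
# in constructed, Zeek conn.log-style records for reflection indicators.
from collections import defaultdict

RDP_PORT = 3389
MIN_RECORDS = 50          # assumed threshold for "high volume from one source"
MAX_REQUEST_BYTES = 200   # assumed upper bound for a normal UDP RDP request
MIN_AMPLIFICATION = 5.0   # assumed resp_bytes/orig_bytes ratio for reflection

# Constructed sample records: (src, dst, dst_port, proto, orig_bytes, resp_bytes).
# The flood source is the spoofed victim address the reflector would log.
SAMPLE_CONNS = (
    [("203.0.113.5", "192.0.2.10", 3389, "udp", 20, 1300)] * 60    # flood
    + [("198.51.100.7", "192.0.2.10", 3389, "tcp", 5000, 8000)] * 3  # real use
    + [("198.51.100.7", "192.0.2.10", 443, "tcp", 500, 9000)]        # not RDP
    + [("198.51.100.9", "192.0.2.10", 3389, "udp", 900, 1300)]       # odd payload
)


def summarize(conns):
    """Aggregate record count, bytes and oversized UDP requests per source IP."""
    per_src = defaultdict(
        lambda: {"records": 0, "orig": 0, "resp": 0, "udp": 0, "oversized": 0})
    for src, _dst, dport, proto, orig_bytes, resp_bytes in conns:
        if dport != RDP_PORT:          # only traffic aimed at the RDP service
            continue
        s = per_src[src]
        s["records"] += 1
        s["orig"] += orig_bytes
        s["resp"] += resp_bytes
        if proto == "udp":
            s["udp"] += 1
            if orig_bytes > MAX_REQUEST_BYTES:
                s["oversized"] += 1
    return per_src


def find_suspects(conns):
    """Return {src_ip: [reasons]} for every source matching an indicator."""
    suspects = {}
    for src, s in summarize(conns).items():
        reasons = []
        if s["records"] >= MIN_RECORDS:
            reasons.append("high_volume")
        ratio = s["resp"] / s["orig"] if s["orig"] else float("inf")
        if s["udp"] and ratio >= MIN_AMPLIFICATION:   # server sends far more than it receives
            reasons.append("amplification")
        if s["oversized"]:
            reasons.append("oversized_request")
        if reasons:
            suspects[src] = reasons
    return suspects


if __name__ == "__main__":
    for src, reasons in find_suspects(SAMPLE_CONNS).items():
        print(src, ", ".join(reasons))
```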

Related MITRE ATT&CK Categories