rdp_external_internal

Explanation

The rdp_external_internal NDM monitors successful RDP connections from external sources to the network. This event helps to identify potential unauthorized access and data theft through RDP connections.

What to Look For

To analyze the rdp_external_internal event, look for successful RDP connections from external sources to the network. Check for any unusual network activity or attempts to access sensitive data through RDP connections. This activity may be associated with a login brute force attack, so it’s important to use strong passwords and restrict access from the Internet as much as possible.
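The triage described above can be sketched as follows. This is an added example, not the product's own detection logic. It assumes a constructed record format (timestamp, source IP, destination IP, destination port, outcome), treats RFC 1918 ranges as the internal network, and uses a hypothetical threshold of 5 failed attempts within 600 seconds to mark a successful connection as likely following a brute force.

```python
import ipaddress
from collections import defaultdict

RDP_PORT = 3389        # default RDP port
FAIL_THRESHOLD = 5     # assumed: failures that suggest brute force
WINDOW_SECONDS = 600   # assumed: look-back window before a success

# Assumption: "internal" means RFC 1918 space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(records):
    """Return one alert per successful external-to-internal RDP connection,
    annotated with the number of recent failures from the same source."""
    fails = defaultdict(list)  # (src, dst) -> timestamps of failed attempts
    alerts = []
    for ts, src, dst, port, outcome in sorted(records):
        # Only external source -> internal destination on the RDP port matters.
        if port != RDP_PORT or is_internal(src) or not is_internal(dst):
            continue
        if outcome == "fail":
            fails[(src, dst)].append(ts)
            continue
        recent = [t for t in fails[(src, dst)] if ts - t <= WINDOW_SECONDS]
        alerts.append({
            "ts": ts, "src": src, "dst": dst,
            "prior_failures": len(recent),
            "priority": "high" if len(recent) >= FAIL_THRESHOLD else "review",
        })
    return alerts

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE = (
    [(0, "192.0.2.50", "10.0.5.22", 3389, "fail")]
    + [(t, "203.0.113.7", "10.0.5.20", 3389, "fail") for t in range(100, 150, 10)]
    + [(150, "203.0.113.7", "10.0.5.20", 3389, "success"),   # success after 5 failures
       (300, "198.51.100.23", "10.0.5.21", 3389, "success"), # success, no failures
       (400, "10.0.9.4", "10.0.5.20", 3389, "success"),      # internal source: ignored
       (500, "203.0.113.7", "10.0.5.20", 443, "success"),    # not RDP: ignored
       (900, "192.0.2.50", "10.0.5.22", 3389, "success")]    # old failure is outside window
)

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Every alert still needs review, since any successful RDP session from the Internet is the event this page describes; the priority field only orders the queue.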

Related MITRE ATT&CK Categories

Remote Services, Techniques T1021

Exfiltration Over Alternative Protocol, Techniques T1048

Ingress Tool Transfer, Techniques T1105