rdp_internal_external

Explanation

This NDM detects successful RDP connections that cross from the internal network to the external network. It triggers when an RDP connection that originates inside the network is successfully established with a host outside it.

What to Look For

When examining the results of this NDM Event, look for successful RDP connections that originate from inside the network and connect to machines located outside the network. These connections may indicate a potential security breach as internal systems are being accessed from outside the network. It is recommended to investigate the source of the RDP connection and take appropriate actions to prevent unauthorized access to your network.
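The following added example (not the product's own detection logic) shows one way to reproduce this check over connection records for triage or validation. It assumes Zeek-style `conn.log` fields in a constructed tab-separated sample, treats RFC 1918 ranges as "internal", and treats the listed `conn_state` values as "successful"; adjust all three to your environment.

```python
import ipaddress

# Assumption: "internal" means RFC 1918 space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: Zeek conn_state values that imply a completed TCP handshake.
ESTABLISHED = {"S1", "SF", "RSTO", "RSTR"}
RDP_PORT = 3389

# Constructed sample records: ts, orig_h, resp_h, resp_p, service, conn_state
SAMPLE_LOG = """\
1700000000.1\t10.1.2.15\t203.0.113.40\t3389\trdp\tSF
1700000005.2\t10.1.2.15\t10.1.9.20\t3389\trdp\tSF
1700000010.3\t192.168.4.7\t198.51.100.9\t3389\t-\tS0
1700000020.4\t203.0.113.77\t10.1.2.30\t3389\trdp\tSF
1700000030.5\t172.16.8.3\t198.51.100.9\t4489\trdp\tS1
1700000040.6\t10.1.2.15\t203.0.113.40\t443\tssl\tSF
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse(line):
    """Split one tab-separated record into a dict with a numeric port."""
    ts, orig_h, resp_h, resp_p, service, state = line.split("\t")
    return {"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "service": service, "state": state}

def detect(log_text):
    """Return established RDP sessions from an internal source to an external host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        # Match on the identified service as well, so RDP on a non-default port counts.
        is_rdp = rec["service"] == "rdp" or rec["resp_p"] == RDP_PORT
        if (is_rdp and rec["state"] in ESTABLISHED
                and is_internal(rec["orig_h"])
                and not is_internal(rec["resp_h"])):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["orig_h"]} -> {hit["resp_h"]}:{hit["resp_p"]} {hit["state"]}')
```

Of the six sample records, only the two outbound established sessions match; the failed attempt (`S0`), the inbound session, the internal-to-internal session and the non-RDP flow are ignored.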

Related MITRE ATT&CK Categories

Lateral Movement: Remote Services, Technique T1021 - Enterprise

Exfiltration: Exfiltration Over Alternative Protocol, Technique T1048 - Enterprise

Initial Access, Persistence: External Remote Services, Technique T1133 - Enterprise