rdp_scanning_inside_to_outside

Explanation

The rdp_scanning_inside_to_outside NDM is designed to detect Microsoft Remote Desktop Protocol (RDP) scanning that originates from inside a network and is directed at destinations outside the network.

What to Look For

When examining the results of the rdp_scanning_inside_to_outside Event, customers should look for any indication that a host inside their network is scanning for RDP on destinations outside it. They should investigate any anomalies or suspicious activity on their network related to RDP scanning and take appropriate remedial action.
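
One way to triage such an Event against exported flow records, shown as an added example and not the NDM's own logic. The record layout, the state labels, the RFC 1918 definition of "inside" and the threshold are assumptions; 3389 is the default RDP port.

```python
import ipaddress
from collections import defaultdict

RDP_PORT = 3389  # default TCP port for RDP
# Assumption: "inside" means the RFC 1918 ranges; replace with your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_DISTINCT_DESTS = 5  # hypothetical threshold, tune per environment


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_rdp_scanners(flows, min_dests=MIN_DISTINCT_DESTS):
    """Map each internal source to its external RDP targets and the count of
    unanswered attempts, keeping only sources that reached min_dests targets."""
    targets = defaultdict(set)
    unanswered = defaultdict(int)
    for src, dst, dport, state in flows:
        if dport != RDP_PORT or not is_internal(src) or is_internal(dst):
            continue  # only inside-to-outside RDP traffic is of interest
        targets[src].add(dst)
        if state != "ESTABLISHED":
            unanswered[src] += 1
    return {src: {"targets": sorted(dsts), "unanswered": unanswered[src]}
            for src, dsts in targets.items() if len(dsts) >= min_dests}


# Constructed sample flow records: (src_ip, dst_ip, dst_port, tcp_state)
SAMPLE_FLOWS = (
    [("10.0.0.5", f"203.0.113.{i}", 3389, "SYN_ONLY") for i in range(1, 7)]
    + [("10.0.0.5", "203.0.113.7", 3389, "ESTABLISHED")]
    + [("10.0.0.8", "198.51.100.10", 3389, "ESTABLISHED")]  # single admin session
    + [("10.0.0.9", f"10.0.1.{i}", 3389, "SYN_ONLY") for i in range(1, 9)]  # inside to inside
    + [("10.0.0.7", f"203.0.113.{i}", 443, "ESTABLISHED") for i in range(1, 9)]  # not RDP
)

if __name__ == "__main__":
    for src, info in find_outbound_rdp_scanners(SAMPLE_FLOWS).items():
        print(src, len(info["targets"]), "external RDP targets,",
              info["unanswered"], "unanswered")
```

A source with many distinct external targets and mostly unanswered attempts is the host to investigate first; a single established session to one destination is more likely ordinary remote administration.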

Related MITRE ATT&CK Categories

Discovery: Network Service Discovery, Technique T1046 - Enterprise

Reconnaissance: Active Scanning, Technique T1595 - Enterprise