rdp_scanning_inside_to_outside

Explanation

The rdp_scanning_inside_to_outside NDM is designed to detect any Microsoft Remote Desktop Protocol (RDP) scanning that originates from inside a network and moves to outside the network.

What to Look For

To examine the results of the rdp_scanning_inside_to_outside Event, customers should look for any indications of RDP scanning originating from inside their network and attempting to move outside. They should investigate any anomalies or suspicious activity on their network related to RDP scanning and take appropriate remedial action.

Related MITRE ATT&CK Categories

Remote Services, Technique T1021 - Enterprise

System Owner/User Discovery, Technique T1033 - Enterprise

Brute Force, Technique T1110 - Enterprise

Network Denial of Service, Technique T1498 - Enterprise

Endpoint Denial of Service, Technique T1499 - Enterprise