rdp_scanning_internal

Explanation

The rdp_scanning_internal event is triggered when there are attempted RDP scans on the Microsoft network. This occurs when a large number of RDP requests are sent in a short period of time. It indicates that someone is trying to identify potential targets for a future cyber attack.

What to Look For

To examine the results of the rdp_scanning_internal event, look for any suspicious RDP activity in your network logs. It may be beneficial to investigate the source of the scanning and take appropriate action to secure your network against future attacks.

Related MITRE ATT&CK Categories

Discovery: Network Service Discovery, Technique T1046 - Enterprise

Reconnaissance: Active Scanning, Technique T1595 - Enterprise