rdp_scanning_internal
Explanation
The rdp_scanning_internal event is triggered when there are attempted RDP scans on the Microsoft network. This occurs when a large number of RDP requests are sent in a short period of time. It indicates that someone is trying to identify potential targets for a future cyber attack.
What to Look For
To examine the results of the rdp_scanning_internal event, look for any suspicious RDP activity in your network logs. It may be beneficial to investigate the source of the scanning and take appropriate action to secure your network against future attacks.
Related MITRE ATT&CK Categories
Remote Services, Technique T1021 - Enterprise
System Owner/User Discovery, Technique T1033 - Enterprise
Brute Force, Technique T1110 - Enterprise
Updated 4 days ago