rdp_scanning_internal

Explanation

The rdp_scanning_internal event is triggered when there are attempted RDP scans on the Microsoft network. This occurs when a large number of RDP requests are sent in a short period of time. It indicates that someone is trying to identify potential targets for a future cyber attack.

What to Look For

To examine the results of the rdp_scanning_internal event, look for any suspicious RDP activity in your network logs. It may be beneficial to investigate the source of the scanning and take appropriate action to secure your network against future attacks.

Related MITRE ATT&CK Categories

Remote Services, Technique T1021 - Enterprise

System Owner/User Discovery, Technique T1033 - Enterprise

Brute Force, Technique T1110 - Enterprise

Network Denial of Service, Technique T1498 - Enterprise

Endpoint Denial of Service, Technique T1499 - Enterprise