Microsoft published an analysis of RDP brute-force attacks based on several months of telemetry from roughly 45,000 machines.

Researchers from Microsoft analyzed several months’ worth of data to investigate RDP brute-force attacks occurring across Microsoft Defender ATP customers. The study covered 45,000 machines that had both RDP connections from public IP addresses and at least one failed network sign-in.

The experts discovered that, on average, several hundred machines per day had a high probability of being targeted by RDP brute force attack attempts.

The experts noticed that the brute force attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Only around 0.08% of the machines subjected to RDP brute-force attempts were actually compromised.

The experts collected details about both failed and successful RDP sign-in events, which Windows records in the Security log as Event ID 4625 and Event ID 4624, respectively, together with the usernames that were attempted, whether by a legitimate user or by an attacker.

Because the attacks are spread over days rather than hours, attackers try only a few username/password combinations per hour on any given day, which helps them stay under the radar of simple rate-based alerting.

“Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised.” continues the report.

“Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days.”

According to Microsoft, the Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IPs.

Microsoft experts recommend combining multiple indicators, rather than a single threshold, to detect inbound RDP brute-force traffic on a machine, such as:

hour of day and day of week of failed sign-ins and RDP connections

timing of a successful sign-in following failed attempts

Event ID 4625 logon type (filtered to network and remote interactive)

Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)

cumulative count of distinct usernames that failed to sign in

count (and cumulative count) of failed sign-ins

count (and cumulative count) of inbound RDP connections from external IPs

count of other machines having inbound RDP connections from one or more of the same IPs
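As an added example, not code from Microsoft or from the report, the indicator list above turned into detection logic in Python and run over a small constructed set of 4625/4624 records. The record layout, the sample IP addresses and hostnames, and the thresholds `min_failed` and `min_users` are all assumptions made for the illustration; in practice the records would be pulled from the Security log (for example with Get-WinEvent) or from a SIEM, and the thresholds tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime

# Failure reasons the report filters on: %%2308 (logon type not granted on
# this machine), %%2312 (user not allowed to log on at this computer),
# %%2313 (unknown user name or bad password). Logon types 3 (Network) and
# 10 (RemoteInteractive) are the ones inbound RDP produces.
BRUTE_FORCE_REASONS = {"%%2308", "%%2312", "%%2313"}
RDP_LOGON_TYPES = {3, 10}


def ev(ts, event_id, logon_type, user, ip, host="srv-01", reason=None):
    """One constructed event record, a stand-in for a parsed 4625/4624 entry."""
    return {"ts": datetime.fromisoformat(ts), "id": event_id, "logon_type": logon_type,
            "user": user, "ip": ip, "host": host, "reason": reason}


# Constructed sample, not real telemetry. 203.0.113.7 guesses a few names per
# hour across three days (low and slow) on two hosts and finally lands a 4624;
# 198.51.100.9 is an admin who mistypes once; 192.0.2.5 is an unrelated
# service-account failure (logon type 5) that must not be counted.
SAMPLE = [
    ev("2019-12-01T02:10:00", 4625, 3, "administrator", "203.0.113.7", reason="%%2313"),
    ev("2019-12-01T02:40:00", 4625, 3, "admin", "203.0.113.7", reason="%%2313"),
    ev("2019-12-01T03:15:00", 4625, 3, "user", "203.0.113.7", reason="%%2313"),
    ev("2019-12-01T23:50:00", 4625, 3, "test", "203.0.113.7", reason="%%2313"),
    ev("2019-12-02T01:05:00", 4625, 10, "scan", "203.0.113.7", reason="%%2313"),
    ev("2019-12-02T02:30:00", 4625, 3, "backup", "203.0.113.7", host="srv-02", reason="%%2313"),
    ev("2019-12-02T22:00:00", 4625, 3, "guest", "203.0.113.7", reason="%%2312"),
    ev("2019-12-03T01:20:00", 4625, 3, "sqladmin", "203.0.113.7", reason="%%2313"),
    ev("2019-12-03T03:00:00", 4624, 10, "sqladmin", "203.0.113.7"),
    ev("2019-12-02T09:00:00", 4625, 10, "jdoe", "198.51.100.9", reason="%%2313"),
    ev("2019-12-02T09:00:20", 4624, 10, "jdoe", "198.51.100.9"),
    ev("2019-12-02T10:00:00", 4625, 5, "svc_backup", "192.0.2.5", reason="%%2309"),
]


def is_rdp_failure(e):
    return (e["id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES
            and e["reason"] in BRUTE_FORCE_REASONS)


def is_rdp_success(e):
    return e["id"] == 4624 and e["logon_type"] in RDP_LOGON_TYPES


def profile_sources(events):
    """Per source IP, the cumulative counters from the indicator list: failed
    sign-ins, distinct usernames, hours of day seen, first/last failure, hosts
    touched, and the first RDP success that follows a failure."""
    by_ip = defaultdict(lambda: {"failed": 0, "users": set(), "hours": set(), "hosts": set(),
                                 "first": None, "last": None, "success_after_failures": None})
    for e in sorted(events, key=lambda x: x["ts"]):
        if is_rdp_failure(e):
            p = by_ip[e["ip"]]
            p["failed"] += 1
            p["users"].add(e["user"].lower())
            p["hours"].add(e["ts"].hour)
            p["hosts"].add(e["host"])
            p["first"] = p["first"] or e["ts"]
            p["last"] = e["ts"]
        elif is_rdp_success(e) and e["ip"] in by_ip and by_ip[e["ip"]]["success_after_failures"] is None:
            by_ip[e["ip"]]["success_after_failures"] = e["ts"]
    return dict(by_ip)


def classify(events, min_failed=5, min_users=3):
    """Verdict per IP. Thresholds are illustrative assumptions, not Microsoft's
    tuned values: 'brute_force' once the cumulative counters cross them,
    'compromised' when an RDP success from the same IP follows the failures."""
    verdicts = {}
    for ip, p in profile_sources(events).items():
        brute = p["failed"] >= min_failed or len(p["users"]) >= min_users
        if brute and p["success_after_failures"]:
            verdicts[ip] = "compromised"
        elif brute:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts


def max_failures_per_hour(events, ip):
    """Peak failures from one IP inside any single clock hour: all that a naive
    per-hour threshold would ever see of a low-and-slow campaign."""
    buckets = defaultdict(int)
    for e in events:
        if e["ip"] == ip and is_rdp_failure(e):
            buckets[e["ts"].replace(minute=0, second=0)] += 1
    return max(buckets.values(), default=0)


def campaign_days(events, ip):
    """Calendar days spanned by one IP's failures (the 2-3 day pattern)."""
    p = profile_sources(events)[ip]
    return (p["last"].date() - p["first"].date()).days + 1


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE).items():
        p = profile_sources(SAMPLE)[ip]
        print(f"{ip:14} {verdict:12} failed={p['failed']} users={len(p['users'])} "
              f"hosts={len(p['hosts'])} days={campaign_days(SAMPLE, ip)} "
              f"peak/hour={max_failures_per_hour(SAMPLE, ip)}")
```

Run as is, the attacker address never exceeds two failures in any single hour, so an hourly threshold would stay quiet, while the cumulative counters (eight failures, eight distinct usernames, two hosts, three days) cross the thresholds and the later 4624 from the same address turns the verdict into "compromised". The admin's single typo followed by a success is left alone because the brute-force conditions are checked first, and the service-account failure never enters the profile because its logon type and failure reason are outside the filter.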

“Monitoring suspicious activity in failed sign-ins and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution.” concludes Microsoft.

Pierluigi Paganini