RDP brute-force attacks have lifespan of 2-3 days on average: Microsoft study

  • Across all enterprises analyzed over several months, on average about 1 machine was detected with a high probability of being compromised.
  • RDP attacks use username and password combinations that have leaked online after breaches, or that are simplistic and easy to guess.

Microsoft’s study into the impact of Remote Desktop Protocol (RDP) brute-force attacks on the enterprise sector revealed that such attacks last 2-3 days on average.

RDP is a proprietary network protocol developed by Microsoft for remote management of, and remote access to, another computer over a network connection. It listens on TCP port 3389 by default, and systems exposed to the internet are reached (and attacked) via their public IP address on that port.

Findings from the research

For the study, Microsoft collected data from more than 45,000 workstations running Microsoft Defender Advanced Threat Protection (ATP).

  • Around 0.08 percent of Remote Desktop Protocol (RDP) brute-force attacks are successful.
  • RDP brute-force attacks last 2-3 days on average; about 90% of cases last one week or less, and fewer than 5% last two weeks or more.
  • Across all enterprises analyzed over several months, on average about 1 machine was detected with a high probability of being compromised.

According to Microsoft, the attacks last days rather than hours largely because attackers deliberately keep a low rate, trying only a few username and password combinations per hour, so that their IP addresses are not banned by firewalls.

How do attackers exploit RDP?

Enterprises often rely on RDP so that system administrators can manage servers and workstations in remote locations.

  • Over the past few years, attackers have been targeting Windows systems whose RDP port is open to the internet.
  • Microsoft found that the attackers use automated tools that cycle through large numbers of username and password combinations in an attempt to guess the target computer's RDP login credentials.
  • In most cases, the attempts use username and password combinations that have leaked online after breaches, or ones that are simplistic and easy to guess.

Takeaway from the study

Microsoft notes that successful brute-force attempts are not uncommon. Closely monitoring suspicious inbound connections and unusual failed sign-ins is therefore the practical way to catch such attacks before, or soon after, an attacker gains a foothold.

For this, Microsoft recommends including the following signals when detecting inbound RDP brute-force attacks:

  • Hour of day and day of week of failed sign-in and RDP connections
  • Timing of successful sign-in following failed attempts
  • Event ID 4625 logon type (filtered to Network, type 3, and RemoteInteractive, type 10)
  • Event ID 4625 failure reason (filtered to %%2308 "user not granted the requested logon type at this machine", %%2312 "user not allowed to log on at this computer", and %%2313 "unknown user name or bad password")
  • Cumulative count of distinct usernames that failed to sign in
  • Count (and cumulative count) of failed sign-ins
  • Count (and cumulative count) of external IPs with inbound RDP connections
  • Count of other machines with inbound RDP connections from one or more of the same IPs
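As an added example that is not part of the Microsoft study or of this article, the following Python derives those signals from Windows Security-log records and turns them into alerts. Event IDs 4625/4624, logon types 3 and 10 and the three failure-reason codes are real Windows values; the `LogonEvent` record layout, the `min_failures` threshold, the host names, the addresses (RFC 5737 documentation ranges) and the events themselves are constructed for the example.

```python
"""Added example (not Microsoft's code): derive the RDP brute-force signals listed
above from Windows Security-log records. Hosts, addresses and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Logon types that carry RDP sign-ins: 3 = Network (NLA pre-auth), 10 = RemoteInteractive
RDP_LOGON_TYPES = {3, 10}
# Event 4625 "Failure Reason" codes the study filters on: %%2308 = user not granted the
# requested logon type, %%2312 = user not allowed to log on here, %%2313 = bad user/password
BRUTE_FORCE_REASONS = {"%%2308", "%%2312", "%%2313"}
# "External" = outside RFC 1918, loopback and link-local space. ipaddress.is_private is
# avoided on purpose: it also flags the documentation ranges used in the sample below.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class LogonEvent:
    ts: datetime
    event_id: int             # 4625 = failed logon, 4624 = successful logon
    logon_type: int
    user: str
    src_ip: str
    host: str
    failure_reason: str = ""  # populated only on 4625

@dataclass
class SourceProfile:
    """Signals accumulated per source IP across every host that logged it."""
    failed: int = 0
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    first_fail: Optional[datetime] = None
    last_fail: Optional[datetime] = None
    success_after_failures: list = field(default_factory=list)  # (ts, host, user)

    def attempts_per_hour(self) -> float:
        if self.failed < 2:
            return float(self.failed)
        span_h = (self.last_fail - self.first_fail).total_seconds() / 3600
        return self.failed / span_h if span_h else float(self.failed)

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def profile_sources(events):
    """Keep RDP logon types and the three failure reasons, then aggregate failed count,
    distinct users, targeted hosts and any later success per source IP."""
    profiles = defaultdict(SourceProfile)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.logon_type not in RDP_LOGON_TYPES:
            continue
        p = profiles[e.src_ip]
        if e.event_id == 4625 and e.failure_reason in BRUTE_FORCE_REASONS:
            p.failed += 1
            p.users.add(e.user)
            p.hosts.add(e.host)
            p.first_fail = p.first_fail or e.ts
            p.last_fail = e.ts
        elif e.event_id == 4624 and p.failed:
            # A success from an IP that was already failing is the key compromise signal
            p.success_after_failures.append((e.ts, e.host, e.user))
    return profiles

def detect(events, min_failures=10):
    """Alert on external IPs whose cumulative failures reach min_failures; severity is
    'compromise' when a successful sign-in followed the failures."""
    alerts = []
    for ip, p in profile_sources(events).items():
        if not is_external(ip) or p.failed < min_failures:
            continue
        alerts.append({"src_ip": ip, "failed": p.failed, "distinct_users": len(p.users),
                       "hosts": len(p.hosts), "attempts_per_hour": round(p.attempts_per_hour(), 2),
                       "severity": "compromise" if p.success_after_failures else "brute_force"})
    return sorted(alerts, key=lambda a: a["failed"], reverse=True)

def sample_events():
    """Constructed log, not real data: 203.0.113.45 tries one guess every two hours for
    three days against two hosts, then logs in as 'admin'; an internal user mistypes a
    password twice; 198.51.100.7 fails against a disabled account (%%2310), which the
    reason filter drops."""
    base = datetime(2019, 9, 2, 0, 0)
    users = ["administrator", "admin", "backup", "scan", "test", "guest"]
    ev = [LogonEvent(base + timedelta(hours=2 * i), 4625, 3, users[i % 6], "203.0.113.45",
                     "SRV-%02d" % (1 + i % 2), "%%2313") for i in range(36)]
    ev.append(LogonEvent(base + timedelta(hours=72), 4624, 10, "admin", "203.0.113.45", "SRV-01"))
    ev += [LogonEvent(base + timedelta(hours=9, minutes=m), 4625, 10, "jdoe", "10.0.1.20",
                      "SRV-01", "%%2313") for m in (0, 1)]
    ev.append(LogonEvent(base + timedelta(hours=9, minutes=2), 4624, 10, "jdoe", "10.0.1.20", "SRV-01"))
    ev += [LogonEvent(base + timedelta(hours=h), 4625, 3, "svc_old", "198.51.100.7", "SRV-02",
                      "%%2310") for h in range(12)]
    return ev

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

On the constructed sample the attacker averages about 0.5 attempts per hour, which a per-hour threshold would never trip; it is the cumulative failure count, the six distinct usernames, the two targeted hosts and the successful sign-in that follows the failures which together make the alert. That is exactly why the study's signal list is built on cumulative counts rather than instantaneous rates. The internal user who mistypes a password twice and then succeeds produces the same "success after failures" pattern but stays below the threshold and comes from an internal address, so no alert is raised.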