The Remote Desktop Protocol (RDP) is one of the most popular communication protocols for remotely controlling systems. RDP comes with all current Windows operating systems, and its graphical user interface makes it an easy-to-use remote access tool. In addition, Microsoft positions it as the default method to manage Azure virtual machines running Windows.
It didn’t take long before attackers realized this is a golden egg. Instead of attempting to abuse a vulnerability with no guaranteed success, they realized it’s far more efficient to use the remote access tools there for the taking. They just need to obtain the correct credentials to gain access. As it happens, according to a recent X-Force report, stolen credentials to access these systems are part of a lucrative market on the dark web.
These directly exposed servers are not the only systems where attackers use (or rather abuse) RDP. One of their objectives is to blend in with regular traffic. Because RDP is such a popular protocol, attackers use it to move to other systems once they gained access.

What Is RDP and Who Uses It?

Before we jump to RDP risks and defenses, it’s good to know how it works. RDP is a two-way communication protocol. It can:
  • Transfer the screen output of the server to the client
  • Transfer the keyboard and mouse input from the client to the server.
This process is asymmetric. While most of the data comes from the server to the client, the client transfers little data back. The client and the server have to go through a number of phases before setting up communication. After a client starts the connection, it agrees with the server on usage settings (for example, screen resolution), supported capabilities and license information. They then agree on the type of RDP security, choosing from two supported modes:
  • Standard, based on RC4
  • Enhanced, where RDP relies on other protocols such as TLS or CredSSP.

Finally, they have to agree on the number of channels required. Channels are individual data streams, each with their own ID, that make up the remote desktop protocol. Such channels can redirect access to the file system or enable clipboard sharing between client and server.

Vulnerabilities in RDP: BlueKeep

Researchers in 2019 found a crucial vulnerability, dubbed BlueKeep, in this concept of channels. Exploiting the vulnerability (CVE-2019-0708) leads to the remote execution of random code, without any user doing anything. On top of that, it did not require valid credentials. These facts combined could have led to a worm, malware that can propagate itself between vulnerable systems. We witnessed something like this earlier with the WannaCry malware.

To exploit the vulnerability, the client had to request a specific channel name, MS_T120, and then bind it to a channel ID other than 31.

What’s notable about BlueKeep is it attached itself to older Windows systems. This forced Microsoft to take the odd step of making new patches for systems it no longer supported.

Other Luring Vulnerabilities

In August 2019, researchers announced DejaBlue. DejaBlue is not one vulnerability but a list of flaws that, similar to BlueKeep, allow attackers to hijack vulnerable systems without any form of authentication. Unlike BlueKeep, the vulnerabilities of DejaBlue were located in more recent versions of Windows.

Sometimes, attackers do not need to abuse vulnerabilities. They can simply abuse misconfigurations. Some of the common pitfalls with RDP security include:

  • Weak user sign-in credentials
  • Servers where you’re not logging or monitoring RDP logins. These systems allow attackers to attempt brute-force or password spraying attacks at will.
  • Publicly exposed systems without any network filtering.

APT Groups Using RDP

We can also look at MITRE ATT&CK to understand the interest of attackers in RDP and how it is used in their operations.

  • Groups such as APT41, FIN6 and FIN7 use RDP to move laterally
  • Groups such as FLIPSIDE use RDP to exfiltrate information. Ngrok, for example, is a legitimate reverse proxy that can tunnel traffic in RDP to exfiltrate victim data.
  • The WannaCry malware could execute malware in existing remote desktop sessions. This ‘stealing‘ of a session is commonly referred to as RDP hijacking. 


Despite these risks and the interest of attackers, RDP still has a lot of value to offer. There are a number of key elements to consider to protect remote desktop servers.

Patch management is a dead give-away. Keeping your systems up-to-date is always good advice, especially for crucial remote access services.

In most cases, you don’t need to expose RDP to the whole world. You can use a firewall, IP restrictions, limit access via a VPN or use just-in-time-access. The latter greatly reduces the risk and still lets you access the service when you need it.

Ensure that you do not use easy-to-guess passwords for RDP-enabled accounts. Don’t allow remote access to all system users if they don’t need it. In addition, it makes sense to implement some form of automatic account lock-out, preventing attackers from guessing the password via brute-forcing.

You may also want to enable Network Level Authentication or NLA, a mitigation measure to prevent unwanted access to the RDP tunnel.

Monitoring and Forensic Artifacts

Regardless of how secure you make the RDP setup, there will always be a time when attackers attempt to abuse it. That’s when you should rely on logging and monitoring to analyze what is going on. Some of the important sources of forensic artifacts for RDP include:

  • The commands quser, qwinsta and qprocess that give information on RDP users, sessions and processes
  • Microsoft-Windows-Terminal-Services-RemoteConnectionManager and Windows-TerminalServices-LocalSessionManager inform you on client network connections and the start and stop of RDP sessions
  • And finally, Microsoft-Windows-Security-Auditing includes the events for successful or failed authentication attempts.

Manage RDP Risks for Safe Use 

Although there are risks that come with RDP and high interest from attackers in remote access tools, it doesn’t mean you cannot deploy them in a safe and controlled manner. If you take into account the preventive measures and set up sufficient logging and monitoring, you should be good to go.

More from Incident Response

Why Crowdsourced Security is Devastating to Threat Actors

Almost every day, my spouse and I have a conversation about spam. Not the canned meat, but the number of unwelcomed emails and text messages we receive. He gets several nefarious text messages a day, while I maybe get one a week. Phishing emails come in waves — right now, I’m getting daily warnings that my AV software license is about to expire. Blocking or filtering has limited success and, as often as not, flags wanted rather than unwanted messages.…

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

People, Process and Technology: The Incident Response Trifecta

Let's say you are the CISO or IT security lead of your organization, and your incident response program needs an uplift. After making a compelling business case to management for investment, your budget has been approved and expanded. With your newfound wealth, you focus on acquiring technology that will improve your monitoring, detection and analysis of data traffic. Has the incident program really improved by the technology acquisition, or is the uplift merely cosmetic? If no other changes have been…