The Remote Desktop Protocol (RDP) is one of the most popular communication protocols for remotely controlling systems. RDP comes with all current Windows operating systems, and its graphical user interface makes it an easy-to-use remote access tool. In addition, Microsoft positions it as the default method to manage Azure virtual machines running Windows.
It didn’t take long before attackers realized this is a golden egg. Instead of attempting to abuse a vulnerability with no guaranteed success, they realized it’s far more efficient to use the remote access tools there for the taking. They just need to obtain the correct credentials to gain access. As it happens, according to a recent X-Force report, stolen credentials to access these systems are part of a lucrative market on the dark web.
These directly exposed servers are not the only systems where attackers use (or rather abuse) RDP. One of their objectives is to blend in with regular traffic. Because RDP is such a popular protocol, attackers use it to move to other systems once they have gained access.

What Is RDP and Who Uses It?

Before we jump to RDP risks and defenses, it’s good to know how it works. RDP is a two-way communication protocol. It can:
  • Transfer the screen output of the server to the client
  • Transfer the keyboard and mouse input from the client to the server.
This process is asymmetric. While most of the data comes from the server to the client, the client transfers little data back. The client and the server have to go through a number of phases before setting up communication. After a client starts the connection, it agrees with the server on usage settings (for example, screen resolution), supported capabilities and license information. They then agree on the type of RDP security, choosing from two supported modes:
  • Standard, based on RC4
  • Enhanced, where RDP relies on other protocols such as TLS or CredSSP.

Finally, they have to agree on the number of channels required. Channels are individual data streams, each with their own ID, that make up the remote desktop protocol. Such channels can redirect access to the file system or enable clipboard sharing between client and server.
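
The security-mode step of this handshake is visible in the server's first reply, so it can be checked from a packet capture. The Python below is an added example, not code from the original article: it parses an X.224 Connection Confirm and reports whether the server chose Standard or Enhanced security. The byte strings are constructed samples, and the field layout follows Microsoft's MS-RDPBCGR specification.

```python
import struct

# selectedProtocol values of the RDP Negotiation Response (MS-RDPBCGR)
PROTOCOLS = {
    0x0: ("PROTOCOL_RDP", "standard"),        # Standard RDP Security (RC4)
    0x1: ("PROTOCOL_SSL", "enhanced"),        # TLS
    0x2: ("PROTOCOL_HYBRID", "enhanced"),     # CredSSP, as used by NLA
    0x8: ("PROTOCOL_HYBRID_EX", "enhanced"),  # CredSSP + early user authorization
}

# Constructed samples: TPKT header + X.224 Connection Confirm + negotiation data
TPKT_CC = "03000013" "0ed00000123400"
SAMPLES = {
    "nla":      bytes.fromhex(TPKT_CC + "0200080002000000"),
    "standard": bytes.fromhex(TPKT_CC + "0200080000000000"),
    "refused":  bytes.fromhex(TPKT_CC + "0300080005000000"),
    "legacy":   bytes.fromhex("0300000b" "06d00000123400"),  # no negotiation data
}

def parse_negotiation_response(pdu: bytes):
    """Return (protocol_name, mode) for a server's X.224 Connection Confirm."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match the data")
    if pdu[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = pdu[11:]  # skip 4-byte TPKT header and 7-byte X.224 header
    if not neg:
        # A reply without negotiation data implies Standard RDP Security
        return PROTOCOLS[0x0]
    if len(neg) != 8:
        raise ValueError("unexpected negotiation data size")
    msg_type, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("bad negotiation length field")
    if msg_type == 0x03:  # RDP_NEG_FAILURE; 0x5 = HYBRID_REQUIRED_BY_SERVER
        return (f"failure(0x{value:x})", "refused")
    if msg_type != 0x02:  # RDP_NEG_RSP
        raise ValueError("unknown negotiation message type")
    return PROTOCOLS.get(value, (f"unknown(0x{value:x})", "unknown"))

if __name__ == "__main__":
    for label, pdu in SAMPLES.items():
        print(label, parse_negotiation_response(pdu))
```

A server that answers `PROTOCOL_RDP` to a client offering TLS or CredSSP is still accepting the RC4-based mode and is worth reviewing.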

Vulnerabilities in RDP: BlueKeep

Researchers in 2019 found a critical vulnerability, dubbed BlueKeep, in this concept of channels. Exploiting the vulnerability (CVE-2019-0708) leads to the remote execution of arbitrary code, without any user interaction. On top of that, it did not require valid credentials. These facts combined could have led to a worm, malware that can propagate itself between vulnerable systems. We witnessed something like this earlier with the WannaCry malware.

To exploit the vulnerability, the client had to request a specific channel name, MS_T120, and then bind it to a channel ID other than 31.
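
That channel request is what network detection can key on. The Python below is an added example, not code from the original article: it parses the client's channel list (the Client Network Data block defined in MS-RDPBCGR) and flags a request for MS_T120. It assumes that legitimate clients never ask for this name themselves, and the two blocks it checks are constructed samples.

```python
import struct

CS_NET = 0xC003               # block type of Client Network Data (MS-RDPBCGR)
INTERNAL_CHANNEL = "MS_T120"  # channel name cited for CVE-2019-0708
MAX_CHANNELS = 31

def build_block(names):
    """Construct a sample Client Network Data block (for the demo only)."""
    defs = b"".join(struct.pack("<8sI", n.encode("ascii"), 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(defs), len(names)) + defs

def requested_channels(block: bytes):
    """Return the channel names a client asks for, in request order."""
    if len(block) < 8:
        raise ValueError("block too short")
    btype, blen, count = struct.unpack("<HHI", block[:8])
    if btype != CS_NET:
        raise ValueError("not a Client Network Data block")
    if count > MAX_CHANNELS or blen != len(block) or blen != 8 + 12 * count:
        raise ValueError("inconsistent length or channel count")
    names = []
    for i in range(count):
        # Each entry: 8-byte null-padded ANSI name, then 4 bytes of options
        raw, _options = struct.unpack_from("<8sI", block, 8 + 12 * i)
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names

def requests_internal_channel(block: bytes) -> bool:
    """True if the client asks for MS_T120 (compared case-insensitively)."""
    return any(n.upper() == INTERNAL_CHANNEL for n in requested_channels(block))

# Constructed samples: an ordinary client and one matching the BlueKeep pattern
NORMAL = build_block(["rdpdr", "rdpsnd", "cliprdr", "drdynvc"])
SUSPICIOUS = build_block(["rdpdr", "MS_T120", "cliprdr"])

if __name__ == "__main__":
    for label, block in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(label, requested_channels(block), requests_internal_channel(block))
```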

What’s notable about BlueKeep is that it affected older Windows systems. This forced Microsoft to take the odd step of making new patches for systems it no longer supported.

Other Luring Vulnerabilities

In August 2019, researchers announced DejaBlue. DejaBlue is not one vulnerability but a list of flaws that, similar to BlueKeep, allow attackers to hijack vulnerable systems without any form of authentication. Unlike BlueKeep, the vulnerabilities of DejaBlue were located in more recent versions of Windows.

Sometimes, attackers do not need to abuse vulnerabilities. They can simply abuse misconfigurations. Some of the common pitfalls with RDP security include:

  • Weak user sign-in credentials
  • Servers where you’re not logging or monitoring RDP logins. These systems allow attackers to attempt brute-force or password spraying attacks at will.
  • Publicly exposed systems without any network filtering.

APT Groups Using RDP

We can also look at MITRE ATT&CK to understand the interest of attackers in RDP and how it is used in their operations.

  • Groups such as APT41, FIN6 and FIN7 use RDP to move laterally
  • Groups such as FLIPSIDE use RDP to exfiltrate information. Ngrok, for example, is a legitimate reverse proxy that can tunnel traffic in RDP to exfiltrate victim data.
  • The WannaCry malware could execute malware in existing remote desktop sessions. This ‘stealing’ of a session is commonly referred to as RDP hijacking.


Despite these risks and the interest of attackers, RDP still has a lot of value to offer. There are a number of key elements to consider to protect remote desktop servers.

Patch management is a given. Keeping your systems up-to-date is always good advice, especially for crucial remote access services.

In most cases, you don’t need to expose RDP to the whole world. You can use a firewall, apply IP restrictions, limit access via a VPN or use just-in-time access. The latter greatly reduces the risk and still lets you access the service when you need it.

Ensure that you do not use easy-to-guess passwords for RDP-enabled accounts. Don’t allow remote access to all system users if they don’t need it. In addition, it makes sense to implement some form of automatic account lock-out, preventing attackers from guessing the password via brute-forcing.

You may also want to enable Network Level Authentication or NLA, a mitigation measure to prevent unwanted access to the RDP tunnel.

Monitoring and Forensic Artifacts

Regardless of how secure you make the RDP setup, there will always be a time when attackers attempt to abuse it. That’s when you should rely on logging and monitoring to analyze what is going on. Some of the important sources of forensic artifacts for RDP include:

  • The commands quser, qwinsta and qprocess that give information on RDP users, sessions and processes
  • The Microsoft-Windows-TerminalServices-RemoteConnectionManager and Microsoft-Windows-TerminalServices-LocalSessionManager event logs, which inform you about client network connections and the start and stop of RDP sessions
  • And finally, Microsoft-Windows-Security-Auditing includes the events for successful or failed authentication attempts.
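
To show how the authentication events can be turned into a detection for the brute-force and password spraying attempts mentioned earlier, here is an added Python example (not code from the original article). It works on constructed events reduced to five fields. Event IDs 4625 (failed logon) and 4624 (successful logon) come from Microsoft-Windows-Security-Auditing; the threshold and time window are assumptions to tune per environment.

```python
from collections import defaultdict

# Logon types seen for RDP: 10 = RemoteInteractive. With NLA enabled, failed
# attempts are usually recorded as 3 (Network), which also covers SMB and
# similar services, so confirm hits against the TerminalServices logs.
RDP_LOGON_TYPES = {3, 10}

def build_events():
    """Constructed sample: (minute, EventID, IpAddress, TargetUserName, LogonType)."""
    events = [(m, 4625, "203.0.113.7", "administrator", 3) for m in range(6)]
    events.append((6, 4624, "203.0.113.7", "administrator", 10))
    events += [(m, 4625, "198.51.100.23", user, 3)
               for m, user in enumerate(["alice", "bob", "carol", "dave", "erin"], 1)]
    events += [(2, 4625, "192.0.2.10", "alice", 10),   # a single mistyped password
               (3, 4624, "192.0.2.10", "alice", 10)]
    return events

def classify_sources(events, threshold=5, window=10):
    """Flag source IPs with `threshold` failed logons inside `window` minutes."""
    failures = defaultdict(list)   # ip -> [(minute, user)]
    findings = {}                  # ip -> {"pattern": ..., "success_after": [...]}
    for minute, event_id, ip, user, logon_type in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event_id == 4625:
            failures[ip].append((minute, user))
            recent = [u for m, u in failures[ip] if minute - m < window]
            if len(recent) >= threshold:
                # Many distinct accounts from one source: spraying.
                # Repeated tries against the same account(s): brute force.
                pattern = ("password spraying" if len(set(recent)) >= threshold
                           else "brute force")
                entry = findings.setdefault(ip, {"pattern": pattern, "success_after": []})
                entry["pattern"] = pattern
        elif event_id == 4624 and ip in findings:
            # A success from an already flagged source needs immediate triage
            findings[ip]["success_after"].append(user)
    return findings

if __name__ == "__main__":
    for ip, finding in classify_sources(build_events()).items():
        print(ip, finding)
```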

Manage RDP Risks for Safe Use 

Although there are risks that come with RDP and high interest from attackers in remote access tools, it doesn’t mean you cannot deploy them in a safe and controlled manner. If you take into account the preventive measures and set up sufficient logging and monitoring, you should be good to go.
