
Found RDP Intrusion Detection - Now what?



Hi,

Found out there were a few RDP Intrusion Detections on one of the web servers. In trying to understand what to do about it, I clicked on the detection name RDP Intrusion Detection and was taken to https://blog.malwarebytes.com/detections/rdp-intrusion-detection/, which redirects to https://blog.malwarebytes.com/detections/.

But there is no information there.

Struggling to find out if this detection is a cause for alarm and if my server was compromised. The detection was not continuous from one IP, and showed up about 8 times over the course of a few weeks.

 

When will an RDP Intrusion Detection be detected? Can it happen if I don't use the correct password when trying to connect from another server in the same local network, or is it always malicious?

 

PS: This is my first post, so I could have missed some information that is important?


Hello Chris,

Thank you for reaching out to us for more information regarding the RDP Intrusion Detections.  This alert is created by the Brute Force Protection setting within your Nebula policy.  With Brute Force Protection enabled, the default setting is "monitor mode" which will trigger a Remote Intrusion Detection when your Windows Remote Desktop (RDP) sees 5 failed attempts within 5 minutes from the same IP address.

You can learn more about Brute Force Protection here:
https://support.malwarebytes.com/hc/en-us/articles/360056829274-Configure-Brute-Force-Protection-in-Malwarebytes-Nebula

Monitor mode will give you a general idea of the number of failed login attempts you are seeing, and help you identify if your RDP is under attack from a Brute Force attempt. Switching to Block Mode will enable the Windows Firewall and block the offending IP for the time you set within the policy. Before enabling Block Mode, I would suggest first enabling Windows Firewall on your devices to ensure it's compatible with your current configuration and add any Allow rules as needed to the Windows Firewall. Once you are confident Windows Firewall is working properly, you can enable Block Mode and Malwarebytes will create temporary Windows Firewall rules to block the IPs that are attempting to Brute Force for the time you specified within the policy.

You can also read more about hardening your RDP security in our article below, such as moving RDP behind a VPN, using a 3rd party remote access service, etc.
https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

Thanks again,

 


Hi @kaizen,

Will have a look, thank you. We are already behind VPN and firewall, so I'll need to investigate further. It is showing that it originated from one server to another server on the same local network. We do from time to time connect between the server showing up in the location of the detection summary and the endpoint being referred to.

Is my understanding then correct that the RDP Intrusion detection only tells us that someone unsuccessfully provided credentials 5 times in 5 minutes? How do I know if an RDP connection was made or not? Is it stored in a Windows Event Log? Just need guidance on checking if someone did get in, as we don't observe any other alerts on Malware or suspicious activity on the Endpoint in question.

Kind Regards,

Chris Lombaard

 


Hello Chris,

You're very welcome!  I'm glad to hear your RDP is already behind a VPN and not directly-accessible from the internet.  

LAN to LAN failed login attempts do show up as well unless you check the box to 'Prevent private network connections from being blocked'.  

To learn more about these attempts, as well as if and when a successful connection was made, you'll need to review the Terminal Services Operational Logs in the Windows Event Viewer.
https://superuser.com/questions/409099/is-there-a-log-file-for-rdp-connections

Thanks again,

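The two answers above describe the rule behind the alert (5 failed attempts within 5 minutes from one IP) and where to look afterwards (the Windows event logs) for whether a session was actually established. The following added example, not code from the thread or from Malwarebytes, applies that same rule to a constructed set of Windows Security log records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and then checks whether a successful RDP logon from the flagged IP followed the burst; resetting the counter after each alert is an assumption, not documented behaviour of the product.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records (not from the original thread):
# (timestamp, event_id, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2021-03-01 09:00:05", 4625, "10.0.0.12", 10),
    ("2021-03-01 09:00:40", 4625, "10.0.0.12", 10),
    ("2021-03-01 09:01:10", 4625, "10.0.0.12", 10),
    ("2021-03-01 09:02:00", 4625, "10.0.0.12", 10),
    ("2021-03-01 09:03:30", 4625, "10.0.0.12", 10),  # 5th failure in under 5 min -> alert
    ("2021-03-01 09:04:00", 4624, "10.0.0.12", 10),  # successful RDP logon from same IP
    ("2021-03-01 11:00:00", 4625, "10.0.0.50", 10),
    ("2021-03-01 11:30:00", 4625, "10.0.0.50", 10),  # two failures 30 min apart -> no alert
]

THRESHOLD = 5                      # failed attempts ...
WINDOW = timedelta(minutes=5)      # ... within this window, per source IP

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def brute_force_detections(events, threshold=THRESHOLD, window=WINDOW):
    """Return (ip, time) for each failure that completes a burst of `threshold` failures within `window`."""
    recent = {}   # ip -> timestamps of failures still inside the sliding window
    hits = []
    for ts, event_id, ip, _ in sorted(events):
        if event_id != 4625:
            continue
        t = parse(ts)
        q = recent.setdefault(ip, deque())
        q.append(t)
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.append((ip, t))
            q.clear()   # assumption: one alert per burst, then start counting again
    return hits

def successful_rdp_after(events, ip, since, lookahead=timedelta(hours=1)):
    """Successful RDP logons (4624, logon type 10) from `ip` within `lookahead` after `since`."""
    return [parse(ts) for ts, eid, src, lt in events
            if eid == 4624 and lt == 10 and src == ip
            and since <= parse(ts) <= since + lookahead]

def triage(events):
    """For every brute-force alert, report whether a successful RDP logon from that IP followed it."""
    return [{"ip": ip, "detected_at": t, "followed_by_success": bool(successful_rdp_after(events, ip, t))}
            for ip, t in brute_force_detections(events)]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

A real run would feed records exported from the Security log; the TerminalServices-LocalSessionManager/Operational log (event 21, session logon succeeded) gives the same "did a session start" answer when Security auditing is not enabled.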


Hello

I recently installed Malwarebytes on a domain controller in my home test environment. Since the day of the install I have been getting the same RDP intrusions as mentioned by Chris. However, I cannot identify legitimate RDP sessions in logs, services calling out to port 3389, or individuals logged in at the times of the RDP intrusion detections. Any thoughts on what could be going on, or is this just false positives being thrown out due to a corrupt install?

Thanks,

Hector



@ChrisLombaard Was there a resolution to this issue?

Thanks,

Hector
