Researchers from Microsoft analyzed several months’ worth of data to investigate RDP brute force attacks occurring across Microsoft Defender ATP customers. The study covered 45,000 machines that had both public-IP RDP connections and at least 1 failed network sign-in.
The experts discovered that, on average, several hundred machines per day had a high probability of being targeted by RDP brute force attack attempts.
The experts noticed that the brute force attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.
Around 0.08% of RDP brute-force attacks are successful, and RDP brute-force attacks last 2-3 days on average.
The experts collected details about both failed and successful RDP login events; these events are logged with IDs 4265 and 4264, respectively. Researchers also collected the
To stay under the radar, the attacks lasted days rather than hours, which means attackers tried only a few username/password combinations per hour on each day.
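The low-and-slow pattern described above is exactly what a per-hour failure threshold misses. The following script is an added example, not code from Microsoft's report or from this article: it runs a simple detector over constructed RDP logon events, comparing a classic "many failures in one hour" rule with a multi-day aggregate (total failures, distinct accounts guessed, and days spanned per source IP), and treats a later successful logon from the same source for an account that was being guessed as the compromise signal. It uses the standard Windows Security log event IDs for failed and successful logons (4625 and 4624) and logon type 10 (RemoteInteractive, i.e. RDP); the source IPs, usernames, timestamps and thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625   # Windows Security: "An account failed to log on"
EVENT_LOGON_SUCCESS = 4624  # Windows Security: "An account was successfully logged on"
LOGON_TYPE_RDP = 10         # RemoteInteractive (RDP / Terminal Services)

# Detection thresholds (assumed values for this example, tune per environment)
BURST_PER_HOUR = 20      # classic rule: many failures inside a single hour
SLOW_MIN_FAILURES = 30   # low-and-slow: enough failures in total ...
SLOW_MIN_DAYS = 2        # ... spread over several days ...
SLOW_MIN_USERS = 5       # ... against several distinct accounts


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    src_ip: str
    user: str


def build_sample_events():
    """Constructed sample telemetry (hypothetical RFC 5737 addresses, not real data)."""
    t0 = datetime(2019, 12, 1, 0, 0)
    events = []
    # 1. Low-and-slow attacker: 3 failures per hour, every hour, for 3 days, cycling accounts
    users = ["administrator", "admin", "backup", "svc_sql", "helpdesk", "test", "guest"]
    for h in range(72):
        for k in range(3):
            ts = t0 + timedelta(hours=h, minutes=20 * k)
            events.append(LogonEvent(ts, EVENT_LOGON_FAILED, LOGON_TYPE_RDP,
                                     "203.0.113.5", users[(h * 3 + k) % len(users)]))
    # ... followed by a successful logon to one of the guessed accounts
    events.append(LogonEvent(t0 + timedelta(hours=72, minutes=5), EVENT_LOGON_SUCCESS,
                             LOGON_TYPE_RDP, "203.0.113.5", "backup"))
    # 2. Noisy attacker: 50 failures within ten minutes against one account, then silence
    for k in range(50):
        events.append(LogonEvent(t0 + timedelta(days=1, hours=3, seconds=12 * k),
                                 EVENT_LOGON_FAILED, LOGON_TYPE_RDP, "198.51.100.7", "administrator"))
    # 3. Legitimate administrator: two mistyped passwords, then success
    for k in range(2):
        events.append(LogonEvent(t0 + timedelta(days=2, hours=9, minutes=k),
                                 EVENT_LOGON_FAILED, LOGON_TYPE_RDP, "192.0.2.10", "jsmith"))
    events.append(LogonEvent(t0 + timedelta(days=2, hours=9, minutes=3), EVENT_LOGON_SUCCESS,
                             LOGON_TYPE_RDP, "192.0.2.10", "jsmith"))
    return events


def analyze(events):
    """Group RDP logon events by source IP and classify each source as burst, low_and_slow or benign."""
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.logon_type == LOGON_TYPE_RDP:
            per_ip[e.src_ip].append(e)

    results = {}
    for ip, evs in per_ip.items():
        fails = [e for e in evs if e.event_id == EVENT_LOGON_FAILED]
        if not fails:
            continue
        # Failures per wall-clock hour: what a simple rate rule looks at
        per_hour = defaultdict(int)
        for e in fails:
            per_hour[e.ts.replace(minute=0, second=0, microsecond=0)] += 1
        peak_per_hour = max(per_hour.values())
        # Multi-day view: how long the source kept trying and how many accounts it touched
        span_days = (fails[-1].ts.date() - fails[0].ts.date()).days + 1
        users = {e.user for e in fails}

        burst = peak_per_hour >= BURST_PER_HOUR
        slow = (not burst and len(fails) >= SLOW_MIN_FAILURES
                and span_days >= SLOW_MIN_DAYS and len(users) >= SLOW_MIN_USERS)
        # Compromise signal: a success, after the failures began, for an account that was guessed,
        # but only from a source already flagged (a user's own typos then success are benign)
        success_after = any(e.event_id == EVENT_LOGON_SUCCESS and e.user in users
                            and e.ts > fails[0].ts for e in evs)
        results[ip] = {
            "failures": len(fails),
            "distinct_users": len(users),
            "span_days": span_days,
            "peak_per_hour": peak_per_hour,
            "verdict": "burst" if burst else ("low_and_slow" if slow else "benign"),
            "compromised": success_after and (burst or slow),
        }
    return results


if __name__ == "__main__":
    for ip, r in analyze(build_sample_events()).items():
        print(ip, r)
```

Running the script shows the noisy source flagged by the hourly rule (50 failures in one hour), while the patient source never exceeds 3 failures in any hour and only surfaces in the multi-day aggregate (216 failures, 7 accounts, 3 days), with the later success to a guessed account marking it as compromised; the legitimate administrator's two typos followed by a success stay benign.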
“Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised,” the report continues.
“Furthermore, across all enterprises analyzed over several months, on
According to Microsoft, the Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from
Microsoft experts recommend using multiple indicators for detecting RDP inbound brute force traffic on a machine, such as:
“Monitoring suspicious activity in failed