Microsoft report: around 0.08% of RDP brute-force attacks are successful

Microsoft published an interesting analysis of RDP brute-force attacks that targeted the 45,000 have analyzed in months of study.

Researchers from Microsoft have analyzed several months’ worth of data to investigate RDP brute force attacks occurring across Microsoft Defender ATP customers. The study involved 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in.

The experts discovered that, on average, several hundred machines per day had a high probability of being targeted by RDP brute force attack attempts.

The experts noticed that the brute force attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Around 0.08% of RDP brute-force attacks are successful, and RDP brute-force attacks last 2-3 days on average.

The experts collected details about both failed and successful RDP login events, these events are coded with ID 4265 and 4264, respectively. Researchers also collected the usernames a user/attacker might have used.

In the attempt to remain under the radar, the attacks lasted days rather than hours, this means that attackers only try a few combinations per hour in each day.

“Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised.” continues the report.

“Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days.”

According to Microsoft, The Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IP.

Microsoft experts recommend using multiple indicators for detecting RDP inbound brute force traffic on a machine, such as:

hour of day and day of week of failed sign-in and RDP connections
timing of successful sign-in following failed attempts
Event ID 4625 login type (filtered to network and remote interactive)
Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
cumulative count of distinct username that failed to sign in without success
count (and cumulative count) of failed sign-ins
count (and cumulative count) of RDP inbound external IP
count of other machines having RDP inbound connections from one or more of the same IP

“Monitoring suspicious activity in failed sign-ins and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution.” concludes Microsoft.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – RDP brute-force attacks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.