Microsoft: RDP brute-force attacks last 2-3 days on average

Microsoft publishes insights into RDP brute-force attacks from months-long 45,000 PC study.
Written by Catalin Cimpanu, Contributor

Around 0.08% of RDP brute-force attacks are successful, and RDP brute-force attacks last 2-3 days on average, Microsoft said last month while presenting the results of a months-long study into the impact of RDP brute-force attacks on the enterprise sector.

For the study, Microsoft said it collected data on RDP login-related events from more than 45,000 workstations running Microsoft Defender Advanced Threat Protection, the commercial version of its free Defender antivirus app.

The data was gathered across several months, and involved collecting details about both failed and successful RDP login events, -- these are Windows events with ID 4265 and 4264, respectively -- along with the usernames a user/attacker might have used.

RDP stands for Remote Desktop Protocol. It is a feature of the Windows operating system that allows users to log into a remote computer using a desktop-like interface via the computer's public IP address and port 3389.

RDP is often used in enterprise environments to allow system administrators to manage servers and workstations in remote locations, or by the employee themselves, while away from their offices and desks.

Over the past few years, miscreants have mounted attacks against Windows systems with open RDP ports. During brute-force attacks, hackers use automated tools that cycle through multiple username and password combinations, in an attempt to guess the target computer's RDP login credentials.

Usually, these attacks use combinations of usernames and passwords that have been leaked online after breaches at various online services, or are simplistic in nature, and easy to guess.

Microsoft says that the RDP brute-force attacks it recently observed last 2-3 days on average, with about 90% of cases lasting for one week or less, and less than 5% lasting for two weeks or more.

The attacks lasted days rather than hours because attackers were trying to avoid getting their attack IPs banned by firewalls.

Rather than try hundreds or thousands of login combos at a time, they were trying only a few combinations per hour, prolonging the attack across days, at a much slower pace than RDP brute-force attacks have been observed before.

"Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised," Microsoft said.

"Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days," the Microsoft research team added.

"A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it's critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events."

For this, Microsoft recommends that system administrators combine and monitor multiple signals for detecting RDP inbound brute force traffic on a machine. According to Microsoft, such signals should include:

  • hour of day and day of week of failed sign-in and RDP connections
  • timing of successful sign-in following failed attempts
  • Event ID 4625 login type (filtered to network and remote interactive)
  • Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
  • cumulative count of distinct username that failed to sign in without success
  • count (and cumulative count) of failed sign-ins
  • count (and cumulative count) of RDP inbound external IP
  • count of other machines having RDP inbound connections from one or more of the same IP

2019's tech, security, and authentication trends

Editorial standards