Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victims’ networks and leveragi...
Henk_-_Simac_IT_NL, "Suspicious RDP session" alerts are generally not blocked by default unless Automatic Attack Disruption initiates an automated response to mitigate the threat, such as identity containment.
When Automatic Attack Disruption contains an identity, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic for specific attack-related protocols (network logons, RPC, SMB, RDP), terminate ongoing remote sessions, and log off existing RDP connections (including all related processes).
As mentioned, this does not apply to all alerts/incidents, but for those deemed appropriate and considered a high-certainty True Positive, Automatic Attack Disruption will be triggered.
Regarding "good mitigation", every alert comes with an "Alert recommended actions" section. Like so:
In words:
"1. Isolate the affected devices and investigate to see which credentials were used to launch the process.
2. Since the attacker frequently enters via RDP brute force, check for internet-facing devices with exposed RDP. Ensure that internet-facing systems are hardened and have strong and randomized local admin passwords.
3. Check RDP settings and registry keys on systems to ensure they have not been changed by the attack to maintain persistence.
4. Investigate credential exposure on devices used by the attacker to ensure all accounts that could have been compromised by the attacker are known. Consider these accounts compromised. Reset passwords or decommission the accounts.
5. Search for additional malware backdoors such as reverse proxies on systems accessed by the attacker, on affected devices.
6. Contact your incident response team. If you don't have one, contact Microsoft support for forensic analysis and remediation services."
Naturally, the most effective mitigation strategy will vary based on the specific threat and context. While the recommendations provided above may not be universally applicable, they are intended to guide you in the right direction.
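As an added illustration of recommended actions 2 and 3 above (checking exposed RDP and verifying that RDP settings and registry keys have not been altered), the following PowerShell audit compares a host's RDP configuration against an expected baseline and reports every deviation. This is example code written for this thread, not code from the reply above or from Microsoft; the baseline values in $Baseline (RDP disabled, NLA required, TLS security layer, default port 3389) are assumptions for the example and should be replaced with your own standard.

```powershell
# Added example: audit a Windows host's RDP configuration against an expected
# baseline so that settings changed to keep RDP access stand out for review.
# Run in an elevated PowerShell session on the host being checked.

# Assumed baseline (adjust to your organisation's standard):
$Baseline = @{
    fDenyTSConnections = 1     # 1 = Remote Desktop connections denied
    UserAuthentication = 1     # 1 = Network Level Authentication required
    SecurityLayer      = 2     # 2 = TLS security layer
    PortNumber         = 3389  # default RDP listener port
}

# Registry locations where these settings live
$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsRoot 'WinStations\RDP-Tcp'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Return the value, or $null when the key or value does not exist
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RdpConfiguration {
    $findings = @()

    # 1. Registry settings that control whether and how RDP is exposed
    $current = @{
        fDenyTSConnections = Get-RegistryValueOrNull $TsRoot 'fDenyTSConnections'
        UserAuthentication = Get-RegistryValueOrNull $RdpTcp 'UserAuthentication'
        SecurityLayer      = Get-RegistryValueOrNull $RdpTcp 'SecurityLayer'
        PortNumber         = Get-RegistryValueOrNull $RdpTcp 'PortNumber'
    }
    foreach ($name in $Baseline.Keys) {
        if ($current[$name] -ne $Baseline[$name]) {
            $findings += [pscustomobject]@{
                Check    = "Registry: $name"
                Expected = $Baseline[$name]
                Actual   = $current[$name]
            }
        }
    }

    # 2. Inbound firewall rules in the built-in "Remote Desktop" group
    #    should be disabled on hosts where RDP is not expected.
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' }
    if ($rdpRules) {
        $findings += [pscustomobject]@{
            Check    = 'Firewall: enabled inbound Remote Desktop rules'
            Expected = 0
            Actual   = @($rdpRules).Count
        }
    }

    # 3. Every member of "Remote Desktop Users" widens who can log on over RDP,
    #    so each one is listed for review against known, approved accounts.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $findings += [pscustomobject]@{
            Check    = 'Group: Remote Desktop Users member'
            Expected = '(approved account)'
            Actual   = $m.Name
        }
    }

    return $findings
}

# Usage: list every deviation from the baseline; an empty result means the
# host matches the assumed baseline on all checks above.
Test-RdpConfiguration | Format-Table -AutoSize
```

Each finding names the check, the expected value and what was actually found, so the output can be pasted straight into an incident ticket; running the same script across the devices listed in the incident gives a quick view of which hosts still expose RDP or have had their listener settings changed.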