Microsoft Tech Community

New Blog | Detect suspicious processes running on hidden desktops

Microsoft

By Saar Cohen


With ransomware campaigns continuing to grow, they remain top of mind for security leaders. Across these sophisticated cyberattacks, the use of Remote Desktop Protocol (RDP) compromise has reached record levels, making it even more critical to give analysts full visibility into potentially malicious RDP session use.

That's why today we are excited to announce a new way to identify potentially compromised devices in your organization: the new 'DesktopName' field in Defender for Endpoint, which enables analysts to easily detect, investigate, and hunt for suspicious interactive processes executed on so-called 'hidden desktops'.


The importance of RDP

A remote desktop session over RDP (Remote Desktop Protocol) lets users connect remotely to endpoints and is often leveraged by attackers as the entry point to a target machine. RDP, however, has some drawbacks from the attacker's point of view.

For example, Windows by default allows only a single remote RDP session, which can cause detectable friction as the legitimate user and the attacker begin vying for interactivity on the same device. To avoid this, attackers may opt for other Remote Monitoring and Management (RMM) approaches, as described in the examples in the full post.


Read the full post here: Detect suspicious processes running on hidden desktops

0 Replies
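As an added illustration of the hunting idea behind the 'DesktopName' field (example code written here, not from the blog or from Defender for Endpoint), the script below runs a simple check over constructed process-event records: a process whose desktop sits on the interactive WinSta0 window station but is not one of the desktops Windows itself uses is flagged for review. The record layout, the placement of DesktopName inside an AdditionalFields JSON string, and the sample values are all assumptions.

```python
"""Flag processes started on non-standard ("hidden") Windows desktops.

Constructed example: the records mimic Defender for Endpoint
DeviceProcessEvents rows, but the column layout is an assumption,
not the product schema.
"""
import json

# Desktops Windows itself uses on the interactive window station (WinSta0).
# Anything else on WinSta0 (e.g. a desktop created by an hVNC-style tool)
# is worth a look. Comparison is case-insensitive ("Winsta0" vs "WinSta0").
INTERACTIVE_STATION = "winsta0"
EXPECTED_DESKTOPS = {
    "default",     # the user's normal interactive desktop
    "winlogon",    # secure desktop for logon and UAC prompts
    "disconnect",  # shown while an RDP session is disconnected
}


def is_hidden_desktop(desktop_name):
    """True when the desktop is on WinSta0 but not one Windows normally shows.

    Service window stations (e.g. "Service-0x0-3e7$") are non-interactive
    and are skipped, as is an empty value (field absent from the event).
    """
    if not desktop_name:
        return False
    station, _, desktop = desktop_name.strip().partition("\\")
    if station.lower() != INTERACTIVE_STATION:
        return False
    return desktop.lower() not in EXPECTED_DESKTOPS


def find_hidden_desktop_processes(events):
    """Return (DeviceName, FileName, DesktopName) for each flagged event."""
    hits = []
    for ev in events:
        extra = json.loads(ev.get("AdditionalFields") or "{}")
        desktop = extra.get("DesktopName")
        if is_hidden_desktop(desktop):
            hits.append((ev["DeviceName"], ev["FileName"], desktop))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "explorer.exe", "AdditionalFields": json.dumps({"DesktopName": "Winsta0\\Default"})},
    {"DeviceName": "ws01", "FileName": "consent.exe", "AdditionalFields": json.dumps({"DesktopName": "Winsta0\\Winlogon"})},
    {"DeviceName": "ws02", "FileName": "powershell.exe", "AdditionalFields": json.dumps({"DesktopName": "Winsta0\\hdesk_7f3a"})},
    {"DeviceName": "ws03", "FileName": "svchost.exe", "AdditionalFields": json.dumps({"DesktopName": "Service-0x0-3e7$\\Default"})},
    {"DeviceName": "ws04", "FileName": "notepad.exe", "AdditionalFields": ""},
]

if __name__ == "__main__":
    for device, proc, desk in find_hidden_desktop_processes(SAMPLE_EVENTS):
        print(f"{device}: {proc} started on desktop {desk}")
```

In a real hunt the same allow-list logic would be expressed in an advanced hunting query against the product's own schema; the expected-desktop set may need extending for legitimate software that creates its own desktops.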