
RDP from a hacker's perspective
Remote Desktop Protocol (RDP) is one of the most widely used remote access solutions in enterprise environments. It enables system administrators and employees to manage machines and perform operational tasks remotely. This makes RDP a powerful tool for IT management and remote work, but also a frequently exploited attack vector for threat actors. RDP is often misconfigured, leaving attackers with unpatched vulnerabilities, weak authentication mechanisms, or direct public exposure to exploit.
Why Hackers Love RDP
RDP runs by default on port 3389, a port often exposed to the internet without proper access restrictions. This makes it a prime target for attackers using brute-force attacks, credential stuffing, or exploit-based compromises.
- Direct access to critical systems: A compromised RDP session provides immediate interaction with the system, including access to sensitive data, administrative privileges, and lateral movement opportunities.
- Credential reuse and brute-force attacks: Organizations often apply weak password policies or reuse credentials, allowing attackers to leverage stolen credentials from previous breaches.
- Lateral movement and privilege escalation: Once inside the network, RDP can be used to pivot to other systems and escalate privileges.
- Ransomware distribution: Threat groups like Ryuk, Conti, and REvil have used RDP to automate the deployment of ransomware across entire IT infrastructures.
Some organizations believe that changing the default RDP port increases security. In reality, it offers no real protection. Modern scanning tools like Nmap, Masscan, and Shodan easily detect which ports are handling RDP traffic, regardless of the port number. While it may reduce visibility in basic scans, it offers zero resistance against targeted attacks.
True RDP Protection Requires:
- Network Level Authentication (NLA): To require the client to authenticate before a session is created, so unauthenticated connections never reach the login screen.
- IP whitelisting and firewall restrictions: To ensure RDP traffic only comes from authorized sources.
- VPN or Zero Trust Network Access (ZTNA): To enforce secure, authenticated access paths.
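The host-side checks behind these controls, as an added example rather than the article's own material: a PowerShell audit for a single RDP host that enforces NLA and TLS and narrows the built-in Remote Desktop firewall rules to an approved source range. The 10.10.0.0/24 range is a placeholder assumption; the VPN or ZTNA path terminates outside the host and is not shown.

```powershell
# Added example (not from the article): audit and enforce the RDP controls listed above.
# Run elevated on the RDP host. The allowed management range below is a placeholder assumption.
$AllowedSources = @('10.10.0.0/24')   # hypothetical jump-host / admin subnet

# 1. Network Level Authentication: require CredSSP authentication before a session is created.
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$current = Get-ItemProperty -Path $rdpTcp
if ($current.UserAuthentication -ne 1) {
    Write-Warning "NLA is disabled (UserAuthentication=$($current.UserAuthentication)); enabling."
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
}
# SecurityLayer 2 = TLS for the transport; 0 would allow the legacy RDP security layer.
if ($current.SecurityLayer -ne 2) {
    Write-Warning "SecurityLayer is $($current.SecurityLayer); setting TLS (2)."
    Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer' -Value 2 -Type DWord
}

# 2. Firewall scope: the built-in Remote Desktop rules default to RemoteAddress 'Any'.
#    Restrict inbound RDP to the approved sources instead of relying on a non-default port.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True
foreach ($rule in $rules) {
    $scope = $rule | Get-NetFirewallAddressFilter
    if ($scope.RemoteAddress -contains 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' accepts RDP from any address; scoping it."
        $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources
    }
}

# 3. Report the effective state so the change can be verified now and audited later.
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Get-NetFirewallAddressFilter | Select-Object InstanceID, RemoteAddress
```

Where Group Policy manages these settings, the policy value wins over the registry write, so in a domain the same controls belong in the Remote Desktop Session Host security policy.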
Critical RDP Vulnerabilities and Exploits
Over the years, RDP has been subject to several critical vulnerabilities actively exploited in the wild:
- CVE-2019-0708 (“BlueKeep”): A pre-authentication remote code execution (RCE) vulnerability that enables full compromise of unpatched RDP servers with no user interaction.
- CVE-2020-0609 & CVE-2020-0610 (“DejaBlue”): RCE vulnerabilities in modern Windows versions allowing unauthenticated attackers to execute code remotely.
These cases highlight the importance of timely patching, strong network segmentation, and minimizing external exposure.
The Role of EDR in RDP Protection
Endpoint Detection and Response (EDR) plays a critical role in defending against RDP-based attacks. Unlike traditional antivirus, EDR continuously monitors for behavioral anomalies, detects suspicious RDP activity, and can respond to attacks in real time.
Key EDR capabilities for securing RDP:
- Brute-force attack detection: Identifying repeated failed login attempts indicative of automated attacks.
- Lateral movement monitoring: Detecting unauthorized internal RDP sessions—a common tactic in ransomware operations.
- Process behavior analysis: Identifying suspicious post-authentication activity such as PowerShell execution, Mimikatz use, or malware deployment.
- Automated isolation and blocking: Isolating compromised endpoints or revoking RDP access as soon as an attack is detected.
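The first two capabilities, brute-force detection and lateral movement monitoring, as an added example that is not part of the article: PowerShell detection logic run against constructed records shaped like Security log events 4625 and 4624. The jump-host address, threshold and time window are assumptions.

```powershell
# Added example (not from the article): detection logic for brute-force and lateral-movement
# RDP activity, run here against constructed records shaped like Security events 4625/4624.
# Logon type 10 = RemoteInteractive (RDP); with NLA enabled, failed attempts often surface as type 3.
$JumpHosts = @('10.10.0.5')           # hypothetical: the only sources allowed to open RDP internally
$Threshold = 5                         # failures per source within the window before alerting
$Window    = [TimeSpan]::FromMinutes(2)

function Find-RdpAttacks {
    param([object[]]$Events)
    $alerts = @()
    # Brute force: 4625 events from one source with RDP-relevant logon types, clustered in time.
    $failures = $Events | Where-Object { $_.Id -eq 4625 -and $_.LogonType -in 3, 10 }
    foreach ($group in ($failures | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if ($times[$i + $Threshold - 1] - $times[$i] -le $Window) {
                $users = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                $alerts += "BRUTE-FORCE source=$($group.Name) failures=$($group.Count) users=$users"
                break
            }
        }
    }
    # Lateral movement: a successful interactive RDP logon (4624/type 10) from a non-jump-host source.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })) {
        if ($e.IpAddress -notin $JumpHosts) {
            $alerts += "LATERAL-MOVEMENT source=$($e.IpAddress) user=$($e.TargetUserName) host=$($e.Computer)"
        }
    }
    return $alerts
}

# Constructed sample: six failures from one source in 40 seconds, one success from an unexpected peer.
$t0 = Get-Date '2025-01-10T02:00:00'
$sample = @(
    0..5 | ForEach-Object {
        [pscustomobject]@{ Id=4625; LogonType=3; IpAddress='203.0.113.7'; TargetUserName="user$_"; Computer='FS01'; TimeCreated=$t0.AddSeconds(8*$_) }
    }
    [pscustomobject]@{ Id=4625; LogonType=3;  IpAddress='10.10.0.5';  TargetUserName='admin';      Computer='FS01'; TimeCreated=$t0.AddMinutes(5) }
    [pscustomobject]@{ Id=4624; LogonType=10; IpAddress='10.10.0.5';  TargetUserName='admin';      Computer='FS01'; TimeCreated=$t0.AddMinutes(6) }
    [pscustomobject]@{ Id=4624; LogonType=10; IpAddress='10.20.3.44'; TargetUserName='svc_backup'; Computer='FS01'; TimeCreated=$t0.AddMinutes(9) }
)
Find-RdpAttacks -Events $sample
```

On a live host the same fields come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}`, reading TargetUserName, IpAddress and LogonType out of each event's EventData XML.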
Modern EDR solutions also leverage threat intelligence feeds to proactively block known attacker TTPs (tactics, techniques, and procedures). When combined with Zero Trust Network Access (ZTNA), Multi-Factor Authentication (MFA), and behavior-based monitoring, organizations can significantly reduce the risk posed by RDP.
Conclusion
RDP is a powerful but inherently risky tool. Organizations that deploy RDP without proper security controls face heightened risk of ransomware infections, data breaches, and lateral network compromise. Superficial mitigations, like changing the default port, offer no real security benefits. Instead, a solid approach involving network segmentation, strong authentication, patch management, and advanced detection mechanisms is required to effectively block modern threats.
Additionally, regulatory frameworks such as NIS2 and DORA are placing increasing demands on access control and incident response. Misconfigurations in RDP not only increase the likelihood of breaches but also expose organizations to compliance fines and reputational damage.
At DeepBlue Security & Intelligence, we help organizations test and reduce their external attack surface, identify vulnerabilities, and implement robust, modern cybersecurity strategies, always based on the latest techniques and the most advanced TTPs.
Want to know more? We're happy to help design a cybersecurity solution that is truly future-proof.
www.deepbluesecurity.nl | info@deepbluesecurity.nl | +31 (0)70 800 2025