RDP brute force attacks are among the most common intrusion attempts against Windows systems. This runbook provides a structured response workflow focused on containment, evidence preservation, and recovery without disrupting production unnecessarily.
Detection Triggers
- Repeated Event ID 4625 (failed logon)
- Login attempts from multiple IPs
- Security alerts from SIEM or firewall
- Unexpected account lockouts
Scope
- Windows Server / Windows Workstations
- RDP exposed internally or externally
- On-prem or cloud-hosted systems
Phase 1: Initial Triage (SAFE)
Step 1: Confirm Logon Failures
Focus on:
- Source IP address
- Target usernames
- Time patterns
Step 2: Assess Exposure
- Is RDP internet-facing?
- Is MFA enabled?
- Are privileged accounts targeted?
Phase 2: Containment
Step 3: Block Source IPs
Block the offending source IPs at the host; if the host sits behind a router/firewall, block upstream instead.
Step 4: Enforce Temporary Restrictions
- Disable RDP externally if possible
- Increase account lockout sensitivity
- Monitor for lateral movement attempts
Phase 3: Validation
Confirm no successful logons from attacker IPs.
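The Step 1 triage (failures grouped by source IP, target usernames, time pattern) and the Phase 3 check (no successful logons from those IPs) can be done together from the Security log. This is an added example, not part of the original runbook; it assumes it runs on the affected host with rights to read the Security log, and the 20-failures threshold is an assumed value to tune.

```powershell
# Added example: summarise Event ID 4625 failures by source IP, then check for
# any Event ID 4624 successes from the same IPs. Threshold is an assumed value.
# Caveat: with Network Level Authentication, RDP failures are logged as LogonType 3
# (network) rather than 10 (RemoteInteractive), so both types are included.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20
)

$since = (Get-Date).AddHours(-$Hours)

# Pull a named field out of the event's EventData XML
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1: failed logons, RDP-related logon types only, ignoring local/blank sources
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            SourceIp  = Get-EventField $_ 'IpAddress'
            User      = Get-EventField $_ 'TargetUserName'
            LogonType = Get-EventField $_ 'LogonType'
        }
    } | Where-Object { $_.LogonType -in '3','10' -and $_.SourceIp -notin '-','127.0.0.1','::1' }

# One row per source IP: volume, usernames tried, time window and rate
$summary = @($failures | Group-Object SourceIp | Where-Object Count -ge $Threshold | ForEach-Object {
    $times = @($_.Group | Sort-Object Time)
    $spanMinutes = [math]::Max(1, ($times[-1].Time - $times[0].Time).TotalMinutes)
    [pscustomobject]@{
        SourceIp   = $_.Name
        Failures   = $_.Count
        Usernames  = ($_.Group.User | Sort-Object -Unique) -join ','
        First      = $times[0].Time
        Last       = $times[-1].Time
        PerMinute  = [math]::Round($_.Count / $spanMinutes, 2)
    }
} | Sort-Object Failures -Descending)
$summary | Format-Table -AutoSize

# Phase 3: a successful logon (4624) from a flagged IP means containment is not enough
if ($summary.Count -gt 0) {
    $suspect = $summary.SourceIp
    $successes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'IpAddress') -in $suspect })
    if ($successes.Count -gt 0) { Write-Warning "Successful logons from flagged IPs: escalate"; $successes | Select-Object TimeCreated, Id }
    else { Write-Host "No successful logons from flagged IPs in the last $Hours hours" }
}
```

Usernames that are not valid local or domain accounts in the output indicate password spraying from a generic wordlist rather than a targeted attempt.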
Phase 4: Recovery
- Reset affected credentials
- Enable MFA where supported
- Restrict RDP access to trusted IP ranges