Honeypot RDP Scanner Events Report

LAST UPDATED: 2023-07-04

This report identifies hosts that have been observed performing Remote Desktop Protocol (RDP) scanning activity, including exploitation attempts.

Misconfigured RDP can allow attackers access to the desktop of a vulnerable host and can also allow for information-gathering on a target host, as the SSL certificate used by RDP often contains the system’s trivial hostname.

If you receive a report of RDP scanning (or exploitation attempts) please investigate the scanning IP – it may be compromised.

You can track RDP scanning activities as observed in our honeypots on our Dashboard, by selecting source honeypot and tag rdp-scan. For example – https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=honeypot&tag=rdp-scan&group_by=geo&style=stacked

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Filename: event4_honeypot_rdp_scan

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • session_tags
    Array of additional tags describing attack characteristics
  • vulnerability_enum
    Vulnerability or exploit schema being used, for example CVE or EDB
  • vulnerability_id
    Id of vulnerability or exploit, for example CVE-2020-5902
  • vulnerability_class
    If set, then CVSS
  • vulnerability_score
    CVSS base score
  • vulnerability_severity
    CVSS severity, for example, CRITICAL or HIGH
  • vulnerability_version
    CVSS version of framework used, for example 3.1 or 3.0
  • threat_framework
    Set to MITRE ATT&CK
  • threat_tactic_id
    Array of tactic ids, example TA0001;TA0002
  • threat_technique_id
    Array of technique ids, example T1190;T1059
  • target_vendor
    Vendor that is being targeted, example Linksys
  • target_product
    Product that is being targeted, example Linksys E-Series
  • target_class
    Class of device/software being targeted, for example router
  • cookie
    RDP cookie

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","vulnerability_enum","vulnerability_id","vulnerability_class","vulnerability_score","vulnerability_severity","vulnerability_version","threat_framework","threat_tactic_id","threat_technique_id","target_vendor","target_product","target_class","cookie"
"2010-02-10 00:00:00",tcp,192.168.0.1,64933,64512,ZZ,Region,City,node01.example.com,0,,,,,172.16.0.1,5904,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,rdp-scan,,,rdp,,,,,,,,,,,,,,,Administr
"2010-02-10 00:00:01",tcp,192.168.0.2,63518,64512,ZZ,Region,City,node02.example.com,0,"Public Administration",,,,172.16.0.2,2323,65534,ZZ,Region,City,node02.example.net,0,,,rdp-scan,,,rdp,,,,,,,,,,,,,,,Administr
"2010-02-10 00:00:02",tcp,192.168.0.3,65000,64512,ZZ,Region,City,node03.example.com,0,"Public Administration",,,,172.16.0.3,61120,65534,ZZ,Region,City,node03.example.net,0,"Communications, Service Provider, and Hosting Service",,rdp-scan,,,rdp,,,,,,,,,,,,,,,Administr
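The triage a report recipient would run over this file, as an added Python example (not Shadowserver's own code): it reads the CSV with the column order of the sample header above, checks that every documented column is present, and summarises each scanning source, flagging sources that fall inside prefixes you own, which is the case the report asks you to investigate. The two-row sample is constructed with the make_row helper; the own_prefixes argument and the helper names are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Column order of event4_honeypot_rdp_scan, copied from the sample header above.
FIELDS = ["timestamp", "protocol", "src_ip", "src_port", "src_asn", "src_geo", "src_region",
          "src_city", "src_hostname", "src_naics", "src_sector", "device_vendor", "device_type",
          "device_model", "dst_ip", "dst_port", "dst_asn", "dst_geo", "dst_region", "dst_city",
          "dst_hostname", "dst_naics", "dst_sector", "public_source", "infection", "family", "tag",
          "application", "version", "event_id", "vulnerability_enum", "vulnerability_id",
          "vulnerability_class", "vulnerability_score", "vulnerability_severity", "vulnerability_version",
          "threat_framework", "threat_tactic_id", "threat_technique_id", "target_vendor",
          "target_product", "target_class", "cookie"]

def make_row(**values):
    """Emit one report line with every column present; unset columns stay empty (constructed data)."""
    row = dict.fromkeys(FIELDS, "")
    row.update(values)
    buf = io.StringIO()
    csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n").writerow(row)
    return buf.getvalue()

# Constructed sample modelled on the Sample section: one scanner hitting two honeypot ports.
SAMPLE = ",".join(f'"{f}"' for f in FIELDS) + "\n" + make_row(
    timestamp="2010-02-10 00:00:00", protocol="tcp", src_ip="192.168.0.1", src_port="64933",
    dst_ip="172.16.0.1", dst_port="5904", tag="rdp-scan", application="rdp", cookie="Administr",
    dst_sector="Communications, Service Provider, and Hosting Service",  # embedded commas
) + make_row(
    timestamp="2010-02-10 00:00:01", protocol="tcp", src_ip="192.168.0.1", src_port="63518",
    dst_ip="172.16.0.2", dst_port="2323", tag="rdp-scan", application="rdp", cookie="Administr",
)

def triage(report_text, own_prefixes):
    """Per scanning host: events, honeypot ports hit, cookies seen, and whether it is in our prefixes."""
    reader = csv.DictReader(io.StringIO(report_text))
    if missing := [f for f in FIELDS if f not in (reader.fieldnames or [])]:
        raise ValueError(f"header lacks documented columns: {missing}")
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    hosts = defaultdict(lambda: {"events": 0, "dst_ports": set(), "cookies": set(), "ours": False})
    for row in reader:
        if row["tag"] != "rdp-scan":  # keep only RDP scanning activity
            continue
        h = hosts[row["src_ip"]]
        h["events"] += 1
        h["dst_ports"].add(int(row["dst_port"]))
        if row["cookie"]:  # RDP cookie, typically the username the scanner offered
            h["cookies"].add(row["cookie"])
        h["ours"] = any(ipaddress.ip_address(row["src_ip"]) in n for n in nets)
    return dict(hosts)
```

A source flagged with "ours" set is a host in your own address space that the honeypots saw scanning for RDP, so it is the one to examine for compromise first.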
