LAST UPDATED: 2023-07-04
This report identifies hosts that have been observed performing Remote Desktop Protocol (RDP) scanning activity, including exploitation attempts.
Misconfigured RDP can allow attackers access to the desktop of a vulnerable host and can also allow for information-gathering on a target host, as the SSL certificate used by RDP often contains the system’s trivial hostname.
If you receive a report of RDP scanning (or exploitation attempts) please investigate the scanning IP – it may be compromised.
You can track RDP scanning activities as observed in our honeypots on our Dashboard, by selecting source honeypot and tag rdp-scan. For example – https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=honeypot&tag=rdp-scan&group_by=geo&style=stacked
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
Filename: event4_honeypot_rdp_scan