Introduction
RDP remains one of the top techniques used by threat actors to exploit environments. Field Effect MDR offers an ARO your organization can opt into that reports on observed Windows Remote Desktop Protocol (RDP) sessions.
To get the most value from this ARO, an allowlist is required. This allowlist helps filter out the "noise" that would be created by users with permission to use RDP. Therefore, this ARO needs to be opted into and an allowlist needs to be provided.
Once you opt in to this ARO and provide an allowlist, the ARO will be sent to you if we observe any RDP activity from users that are not allowed to use RDP.
Opting In for this ARO
You can opt in to receive this ARO by making a support request to support@fieldeffect.com. When making your request, include the list of IP addresses (or subnet) that you want added to the allowlist. These devices will not be taken into consideration or reported on for this ARO.
Example
Whenever an endpoint device authenticates to an RDP connection, the following ARO will be generated. As with all AROs, it provides a details and description section (shown below), as well as security context, recommendation and resolution content, mitigation steps and references. For more on AROs in general, visit our chapter on the topic, as well as The Anatomy of an ARO and Working with AROs.

With this ARO, you will also be provided with details about the observed connection.
