Updated: November 16, 2024

  Analyst Report

Defender for Endpoint Adds Remote Desktop Hunting Signals


by Wes Miller

Wes Miller analyzes and writes about Microsoft’s security, identity management, and systems management technologies. Before joining Directions on Microsoft, Wes...

  • RDP-based connections are increasingly compromised by bad actors to attack and perform lateral movement within organizations.
  • Defender for Endpoint now aggregates additional data from Windows endpoints that can help identify RDP-based attacks and begin addressing them.
  • Organizations need to have hunting procedures in place for this to be useful, as it is a hunting tool, not an “as-is” automatic alerting tool.

The Remote Desktop Protocol (RDP) is the underlying communication infrastructure used to enable remote access to a Windows instance. RDP underlies Remote Desktop Services (RDS) on Windows Server and Remote Desktop on Windows Pro and Enterprise. Since 2020, attacks on Windows systems over RDP connections have increased dramatically, likely because remote work during the pandemic expanded the use of RDP. While this increase has slowed, it has not stopped. To help detect and address RDP-based attacks, Microsoft Defender for Endpoint (MDE) now aggregates new signal data from protected endpoints. This lets Defender’s hunting tools readily identify whether an incident involving a Windows sign-in was an attack over RDP or took place on the physical device itself.
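As an added illustration of the kind of hunt the report describes (example query, not Microsoft’s or the report’s own), the following Defender advanced hunting query separates Remote Desktop sign-ins from console sign-ins. It assumes the long-standing DeviceLogonEvents table and its LogonType, ActionType and RemoteIP columns; the newly aggregated RDP signals the report mentions are not shown, and the failure threshold is an assumed starting point.

```kql
// Added example, not from the report: surface accounts that reached a
// device over Remote Desktop after a burst of failed RDP sign-ins.
// Assumes the standard DeviceLogonEvents schema.
let lookback = 7d;
DeviceLogonEvents
| where Timestamp > ago(lookback)
// LogonType "RemoteInteractive" is a Remote Desktop / Terminal Services
// session; "Interactive" would be a sign-in at the physical console.
| where LogonType == "RemoteInteractive"
| summarize
    Failed    = countif(ActionType == "LogonFailed"),
    Succeeded = countif(ActionType == "LogonSuccess"),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    SourceIPs = make_set(RemoteIP, 20)
    by DeviceName, AccountName
// Many failures followed by at least one success from the same account
// is the pattern worth triaging; 10 is an assumed threshold, tune it.
| where Failed >= 10 and Succeeded >= 1
| order by Failed desc
```

Replace the RemoteInteractive filter with `LogonType == "Interactive"` to see the same accounts’ console sign-ins and confirm which side of the RDP/physical-device question an incident falls on.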
