ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)

This alert fires when a single external source sends an unusually high rate of Remote Desktop Protocol (RDP) connection attempts to assets on the network. RDP listens on TCP port 3389, and the signature matches only TCP SYN packets (the first packet of a connection attempt) sent from $EXTERNAL_NET to $HOME_NET on that port; with "threshold: type both, track by_src, count 20, seconds 360" it raises one alert once a source has sent 20 such SYNs within 360 seconds, then stays silent for that source until the window expires. This pattern is typical of an adversary, or malware already inside the network's reach, sweeping for hosts it can connect to over RDP, but authorized vulnerability scanners and gateways that fan out many RDP sessions can produce the same traffic, so the source should be verified before treating the alert as hostile.

Categories:

ID Number

4000748

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:4000748; rev:19; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
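To make the signature's matching and threshold behaviour concrete, the following replays constructed packet records through the same logic: SYN-only from outside $HOME_NET to TCP/3389 inside it, then "type both, track by_src, count 20, seconds 360". This is an added example, not Emerging Threats or Suricata code; the HOME_NET ranges, the assumption that $EXTERNAL_NET is !$HOME_NET, the fixed-window approximation of the threshold, and every packet in constructed_traffic() are assumptions made for the illustration.

```python
"""Replay of sid 4000748's header match and threshold over constructed packets.
Added example (not ET/Suricata code); window handling approximates Suricata's
`type both`: alert once when `count` is reached inside `seconds`, then stay
quiet for that source until the window that started at its first SYN ends."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed lab values
RDP_PORT = 3389
COUNT, SECONDS = 20, 360  # taken from the signature's threshold keyword

# TCP flag bits in the order Snort/Suricata `flags:` letters refer to them
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


@dataclass
class Packet:
    ts: float      # epoch seconds
    src: str
    dst: str
    dport: int
    flags: int     # raw TCP flag byte


def in_home_net(ip):
    addr = ip_address(ip)
    return any(addr in net for net in HOME_NET)


def rule_matches(p):
    """Header part of the rule: $EXTERNAL_NET -> $HOME_NET 3389 with SYN only.
    `flags: S,12` means SYN set and nothing else, ignoring the two ECN bits."""
    if p.dport != RDP_PORT or not in_home_net(p.dst) or in_home_net(p.src):
        return False
    return (p.flags & ~(ECE | CWR)) == SYN


class ThresholdBoth:
    """threshold: type both, track by_src, count N, seconds S."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, matches_in_window, already_alerted]

    def feed(self, p):
        st = self.state.get(p.src)
        if st is None or p.ts - st[0] >= self.seconds:
            st = self.state[p.src] = [p.ts, 0, False]   # new window for this source
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True                                 # one alert per window
            return True
        return False


def run(packets):
    """Return (ts, src) for every alert the rule would raise on this traffic."""
    th = ThresholdBoth(COUNT, SECONDS)
    return [(p.ts, p.src) for p in sorted(packets, key=lambda x: x.ts)
            if rule_matches(p) and th.feed(p)]


def constructed_traffic():
    """Constructed packet records, not captured data."""
    pkts = []
    # external scanner sweeps 25 internal hosts with one SYN each over 50 seconds
    for i in range(25):
        pkts.append(Packet(1000 + 2 * i, "203.0.113.7", f"10.0.1.{i + 1}", RDP_PORT, SYN))
    # same scanner returns ten minutes later: a fresh window, so it alerts again
    for i in range(20):
        pkts.append(Packet(1700 + i, "203.0.113.7", f"10.0.2.{i + 1}", RDP_PORT, SYN))
    # 30 SYN/ACKs from an external host never count: the rule wants SYN alone
    for i in range(30):
        pkts.append(Packet(1000 + i, "198.51.100.9", "10.0.1.1", RDP_PORT, SYN | ACK))
    # slow source: 19 SYNs inside one 360 s window stays under the threshold
    for i in range(19):
        pkts.append(Packet(1000 + 18 * i, "198.51.100.20", "10.0.1.50", RDP_PORT, SYN))
    # internal-to-internal sweep is not $EXTERNAL_NET traffic for this rule
    for i in range(25):
        pkts.append(Packet(1000 + i, "192.168.1.5", f"10.0.3.{i + 1}", RDP_PORT, SYN))
    return pkts


if __name__ == "__main__":
    for ts, src in run(constructed_traffic()):
        print(f"{ts:.0f} ET SCAN Behavioral Unusually fast Terminal Server Traffic src={src}")
```

The two alerts come from the same source, one per window, which is why the recommendations below ask you to pull the full set of destinations from flow or firewall logs: the alert itself only records the packet that crossed the 20th SYN.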

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to limit inbound RDP communications from external networks: block TCP port 3389 from the internet at the perimeter and expose RDP only through a VPN or a hardened remote-access gateway. When the alert fires, identify the source address and confirm whether it is expected (an authorized vulnerability scanner, a VPN concentrator or a partner network). Then check whether any of the SYNs completed a handshake and whether the targeted hosts recorded RDP logon attempts or successful logons from that source, since completed connections followed by logon activity indicate more than a scan. Because the rule alerts once per 360-second window and records only the packet that crossed the threshold, review flow or firewall logs for the full set of internal destinations the source probed rather than just the one named in the alert.