ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)

This alert fires when an asset on the internal network originates an unusually high rate of outbound Remote Desktop Protocol (RDP) connection attempts. RDP uses TCP port 3389 to create a remote connection between devices. A burst of outbound RDP SYNs from one asset can indicate that it has been infected and is scanning for other RDP hosts; the rule's reference is a report on the Morto worm, which spread over RDP in this way.

Categories:

ID Number

4000753

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; metadata: former_category SCAN; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:4000753; rev:4; metadata:created_at 2011_08_29, updated_at 2017_05_11;)
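As an added illustration (not part of the rule page or the ET ruleset), the following Python models the rule's packet match and its threshold over constructed flow records, so the firing behaviour of "type both, track by_src, count 20, seconds 360" can be seen directly. It assumes $HOME_NET is 10.0.0.0/8 and $EXTERNAL_NET is everything outside it.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for the rule variables: $HOME_NET, with $EXTERNAL_NET as its complement.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
RDP_PORT = 3389
COUNT, SECONDS = 20, 360   # threshold: count 20, seconds 360

@dataclass
class Window:
    start: float           # timestamp of the first counted event in this interval
    hits: int = 0
    alerted: bool = False

def matches_rule(src, dst, dport, flags):
    """Packet-level part of the rule: $HOME_NET -> $EXTERNAL_NET 3389, flags:S,12."""
    if ipaddress.ip_address(src) not in HOME_NET or ipaddress.ip_address(dst) in HOME_NET:
        return False
    # ",12" masks the CWR/ECE bits, so "S" and "SE" match while "SA" does not
    return dport == RDP_PORT and set(flags) - {"C", "E"} == {"S"}

def evaluate(events):
    """threshold: type both, track by_src: one alert per source per 360 s interval,
    raised on the 20th matching SYN inside it; further SYNs in that interval are ignored."""
    windows, alerts = {}, []
    for ts, src, dst, dport, flags in sorted(events, key=lambda e: e[0]):
        if not matches_rule(src, dst, dport, flags):
            continue
        w = windows.get(src)
        if w is None or ts - w.start >= SECONDS:
            w = windows[src] = Window(start=ts)   # open a fresh interval
        w.hits += 1
        if w.hits >= COUNT and not w.alerted:
            w.alerted = True
            alerts.append((ts, src))
    return alerts

def sample_events():
    """Constructed flow records: (timestamp, src, dst, dport, tcp_flags)."""
    ev = [(1000.0 + i, "10.0.0.5", f"203.0.113.{i + 1}", 3389, "S") for i in range(25)]
    ev.append((1001.5, "10.0.0.5", "203.0.113.40", 3389, "SE"))   # ECN SYN, still counts
    ev.append((1001.7, "10.0.0.5", "203.0.113.41", 3389, "SA"))   # not a bare SYN
    ev.append((1002.0, "203.0.113.9", "10.0.0.5", 3389, "S"))     # inbound, wrong direction
    ev.append((1003.0, "10.0.0.5", "203.0.113.42", 443, "S"))     # not RDP
    ev += [(1500.0 + i, "10.0.0.5", f"198.51.100.{i + 1}", 3389, "S") for i in range(20)]  # 500 s later: new interval
    ev += [(1000.0 + 700 * i, "10.0.0.7", "203.0.113.50", 3389, "S") for i in range(5)]   # 5 over an hour: never 20
    return ev
```

Running `evaluate(sample_events())` yields exactly two alerts for 10.0.0.5 (on its 20th SYN of each burst) and none for 10.0.0.7, matching how the threshold suppresses repeats within an interval.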

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to restrict outbound RDP (TCP port 3389) from internal assets to external networks, and to investigate the source asset that triggered the alert for signs of infection.