{"id":23186,"date":"2023-09-21T07:37:20","date_gmt":"2023-09-21T07:37:20","guid":{"rendered":"https:\/\/www.realvnc.com\/en\/?post_type=blog&#038;p=23186"},"modified":"2023-09-18T16:38:40","modified_gmt":"2023-09-18T16:38:40","slug":"rdp-is-compromised-a-practical-look-threat-actions","status":"publish","type":"blog","link":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/","title":{"rendered":"What goes on when RDP is compromised: A practical look into the threat actions taken"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"23186\" class=\"elementor elementor-23186\" data-elementor-post-type=\"blog\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a1e29d9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a1e29d9\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6920cbad\" data-id=\"6920cbad\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-21bd283b elementor-widget elementor-widget-text-editor\" data-id=\"21bd283b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>As much as we\u2019d like to think we\u2019re rid of it, externally exposed RDP remains alive and well (for some unknown reason). 
And that\u2019s a HUGE problem for those organizations that rely on it.\u00a0 Don\u2019t get me wrong; there\u2019s nothing wrong with using RDP \u2013 it\u2019s the insecure use of RDP (no MFA, no monitoring, older host OSes, one-off exposed systems that everyone forgets about, etc.) that creates the risk for the organization.<\/p><p>And it\u2019s such a huge problem that RDP\u2019s misuse by cybercriminals <em>continues to make it into reports<\/em> on the current state of cyberattacks. Take the <a href=\"https:\/\/www.coveware.com\/ransomware-quarterly-reports\">Quarterly Ransomware Reports from ransomware response vendor Coveware<\/a> \u2013 they\u2019ve been continuously covering various stats about the ransomware attacks (including initial attack vectors) that they respond to for their customers <em>since 2018<\/em>.\u00a0 RDP was listed in 2018 as an initial attack vector (it was #1) and it\u2019s still on the board in 2023, just behind email phishing but ahead of vulnerabilities.<\/p><p>So, how is RDP actually used within cyberattacks (ransomware or otherwise)?\u00a0 At a high level, we can look at Sophos\u2019 <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/23\/active-adversary-for-tech-leaders\/\">2023 Active Adversary Report for Tech Leaders<\/a>, where we get a bit of a deeper breakdown:<\/p><ul><li>RDP played some role in 95% of attacks, up from 88% in 2022<\/li><li>Internal use of RDP was seen in 93% of attacks, with external use seen in 18% of attacks<\/li><li>RDP was used only for internal access and lateral movement in 77% of attacks<\/li><\/ul><p>We can gather from this data that RDP is used both as an initial means of entry into an organization\u2019s network and as a means to move laterally within the compromised network. 
This alone should be enough justification to make you think to yourself \u201cOK \u2013 it\u2019s time to ditch RDP\u201d.<\/p><p>But, what <em>really<\/em> happens when threat actors gain control over an exposed endpoint via RDP?<\/p><p>Generally, we have to speculate based on the end result of an attack and determine what transpired from forensic evidence. Rather than do that, we now have the results of an unprecedented <a href=\"https:\/\/www.gosecure.net\/blog\/2023\/08\/09\/how-unparalleled-rdp-monitoring-reveal-attackers-tradecraft\/\"><em>three-year-long RDP honeypot study<\/em> by security vendor GoSecure<\/a>, in which <em>more than 20,000 RDP sessions<\/em> were monitored <em>and 190 million threat actions<\/em> were collected using a custom-built interception tool that recorded over <em>100 hours of RDP session footage<\/em>, to answer this question.<\/p><h2>What 5 Types of Threat Actors Do With a Compromised RDP Session<\/h2><p>To make 20,000 sessions\u2019 worth of threat actions digestible (and, apparently, to express the inner <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dungeons_%26_Dragons\">Dungeons &amp; Dragons<\/a>, or \u201cD&amp;D\u201d, nerd within some of us!) the kind folks at GoSecure categorized the activities into 5 types of D&amp;D character classifications:<\/p><ul><li><strong>Rangers<\/strong> \u2013 In D&amp;D, rangers are skilled explorers, craftspeople, and hunters. GoSecure found that these types of threat actors run reconnaissance using scripts or tools, explore the contents of the compromised system, and check the performance of the system. The going theory is that they are evaluating the system for another type of threat actor; this could be indicative of an initial access broker who simply sells the credentials and the resulting remote system access.<\/li><li><strong>Thieves<\/strong> \u2013 In D&amp;D, thieves are, well\u2026 thieves. They burgle, steal, pickpocket, etc. 
All-round bad guys.\u00a0 GoSecure characterizes these threat actors as those intent on monetizing the simple RDP access gained without going beyond the \u201cwalls\u201d of the compromised endpoint. Actions include installing cryptominers, proxyware, monetized browsers, etc.<\/li><li><strong>Barbarians<\/strong> \u2013 In D&amp;D, barbarians thrive in battle. Threat actors of this nature are the ones who love the thrill of hacking the rest of your network. They are the ones discovering IP address ranges, finding usernames and passwords\/hashes\/Kerberos tickets, etc. in an attempt to brute-force their way into more computers on your network.<\/li><li><strong>Wizards<\/strong> \u2013 In D&amp;D, wizards are highly skilled at performing spells (and they usually have no real combat ability), accomplishing the impossible without explanation (i.e., \u201cmagic\u201d). GoSecure sees threat actors that use RDP to \u201cportal\u201d (read: <em>laterally move<\/em>) from system to system. These may be the most skilled of all the threat actors, as wizards are adept at living off the land and are able to move laterally with relative ease.<\/li><li><strong>Bards<\/strong> \u2013 Bards in D&amp;D are sort of a \u201cjack of all trades\u201d, part musician, part fighter, part wizard. In general, though, they are also in the \u201cmaster of none\u201d category. According to GoSecure, bards have \u201cno apparent hacking skills\u201d; they misuse the compromised RDP session for far more personal needs that include downloading movies, watching porn and performing web searches related to hacking.<\/li><\/ul><p>So, what\u2019s the breakdown of these five types of threat actors?\u00a0 Are they all just watching movies? Laterally moving? 
Running cryptominers?<\/p><p>According to a <a href=\"https:\/\/i.blackhat.com\/BH-US-23\/Presentations\/US-23-Bilodeau-I-Watched-You-Roll-the-Die-Unparalleled-RDP-Monitoring.pdf?_gl=1*1dbmfg8*_gcl_au*MTgyODUyNDIxMy4xNjk0NjQ3NDIy&amp;_ga=2.171652704.1173195318.1694647422-47761740.1694647422\">BlackHat 2023 presentation by GoSecure cybersecurity researchers<\/a> on their findings of this three-year experiment, the activities are heavily weighted towards <em>barbarians<\/em> and <em>rangers<\/em>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-223ff7f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"223ff7f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-33557d4\" data-id=\"33557d4\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-82f755e elementor-widget elementor-widget-image\" data-id=\"82f755e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-1024x576.jpg\" class=\"attachment-large size-large wp-image-23214\" alt=\"\" srcset=\"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-1024x576.jpg 1024w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-300x169.jpg 300w, 
https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-768x432.jpg 768w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-1536x864.jpg 1536w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2048x1152.jpg 2048w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-scaled.jpg 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-14e2a7f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"14e2a7f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ba89178\" data-id=\"ba89178\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9257ba7 elementor-widget elementor-widget-text-editor\" data-id=\"9257ba7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>While I\u2019m unsure of the scale used, it\u2019s still very evident that barbarians and rangers combined dwarf thieves, bards, and wizards. 
This means that, for most RDP sessions, the name of the game is <em>reconnaissance<\/em> and <em>lateral movement<\/em>.\u00a0 To give you a bit more insight into the kinds of actions taken, GoSecure researchers also classified the tools used by all categories of threat actor:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-e6a87ee elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"e6a87ee\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-98c9e43\" data-id=\"98c9e43\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-23b0bcb elementor-widget elementor-widget-image\" data-id=\"23b0bcb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"1024\" height=\"577\" src=\"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2-1024x577.jpg\" class=\"attachment-large size-large wp-image-23209\" alt=\"\" srcset=\"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2-1024x577.jpg 1024w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2-300x169.jpg 300w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2-768x433.jpg 768w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2-1536x865.jpg 1536w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2-2048x1154.jpg 
2048w, https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Blog-9-Image-2-scaled.jpg 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-914c709 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"914c709\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-097e360\" data-id=\"097e360\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-26d3b57 elementor-widget elementor-widget-text-editor\" data-id=\"26d3b57\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>You can establish from this tool classification that actions involved with cyberattacks far outweigh any of the other types individually.\u00a0 Again, RDP is seen primarily as a channel for attack.<\/p><h2>Moving Away from RDP \u2013 Both Inside and Out<\/h2><p>If the industry data wasn\u2019t enough to move you, I\u2019m hoping the GoSecure detail was! 
It\u2019s evident that insecure RDP is a risk to the organization, both as <em>an externally accessible means of entering a network<\/em> and as <em>a means to move laterally throughout a compromised environment<\/em>.<\/p><p>Assuming your organization has a need for both external and internal remote access, what should you do to mitigate this risk entirely?<\/p><p>The answer lies in using a means of <em>secure<\/em> remote access that includes a few controls in place <em>before<\/em> anyone is allowed to remotely access anything:<\/p><ul><li><strong>Multi-factor authentication<\/strong> \u2013 it\u2019s 2023; everyone (and I mean <em>everyone<\/em>) should have MFA enabled on their user account. If you have MFA layered over remote access, you put initial access brokers largely out of business.<\/li><li><strong>Granular Access Control<\/strong> \u2013 RDP, if left unchecked, allows anyone to jump to any other machine (yes, yes, you need Log On Locally rights, etc., but you get the point!). Secure remote access limits who can use remote sessions to which specific machines.<\/li><li><strong>Least Privilege<\/strong> \u2013 RDP sessions leverage the permissions of the logged-on credential. Secure remote access can often determine what level of privilege is exercised in a given remote session.<\/li><\/ul><p>In reality, implementing a secure remote access solution with even one of these features would reduce the risk. Why?\u00a0 Because RDP is built in (and the threat actors know it!), so completely removing RDP and using another, more secure solution puts one more barrier in front of a threat actor.<\/p><p>If you have any instances of RDP within the organization, it\u2019s time to eradicate them completely and look for another means of securely providing remote access \u2013 whether externally or internally \u2013 that removes the threat actors\u2019 easy means of maintaining a remote presence within your network. 
To ignore this warning brings new meaning to the phrase \u201cbarbarians at the gate.\u201d<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The fact that RDP is used in cyberattacks is well-known. But what do threat actors actually do once they gain control of an exposed endpoint? Find out below.  <\/p>\n","protected":false},"author":20,"featured_media":23204,"template":"","blog_category":[280,257,270],"class_list":["post-23186","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog_category-featured","blog_category-security","blog_category-technology-trends"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What goes on when RDP is compromised: A practical look into the threat actions taken<\/title>\n<meta name=\"description\" content=\"The fact that RDP is used in cyberattacks is well-known. But what do threat actors actually do once they gain control of an exposed endpoint?\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What goes on when RDP is compromised: A practical look into the threat actions taken\" \/>\n<meta property=\"og:description\" content=\"The fact that RDP is used in cyberattacks is well-known. 
But what do threat actors actually do once they gain control of an exposed endpoint?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/\" \/>\n<meta property=\"og:site_name\" content=\"RealVNC\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/realvnc\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Threat-actions-RDP-compromised-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"1067\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@realvnc\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/\"},\"author\":{\"name\":\"Nick Cavalancia, 4-time Microsoft MVP\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/person\\\/01b6bf08521717030ba8b5904cbdfc49\"},\"headline\":\"What goes on when RDP is compromised: A practical look into the threat actions 
taken\",\"datePublished\":\"2023-09-21T07:37:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/\"},\"wordCount\":1236,\"publisher\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/Threat-actions-RDP-compromised-scaled.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/\",\"name\":\"What goes on when RDP is compromised: A practical look into the threat actions taken\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/Threat-actions-RDP-compromised-scaled.jpg\",\"datePublished\":\"2023-09-21T07:37:20+00:00\",\"description\":\"The fact that RDP is used in cyberattacks is well-known. 
But what do threat actors actually do once they gain control of an exposed endpoint?\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/Threat-actions-RDP-compromised-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/09\\\/Threat-actions-RDP-compromised-scaled.jpg\",\"width\":1600,\"height\":1067,\"caption\":\"Threat actions RDP compromised\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/rdp-is-compromised-a-practical-look-threat-actions\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blogs\",\"item\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"What goes on when RDP is compromised: A practical look into the threat actions taken\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/\",\"name\":\"RealVNC\u00ae\",\"description\":\"The world&#039;s safest remote access 
software\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#organization\",\"name\":\"RealVNC\u00ae\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/realvnc-logo-blue.png\",\"contentUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/realvnc-logo-blue.png\",\"width\":300,\"height\":41,\"caption\":\"RealVNC\u00ae\"},\"image\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/realvnc\",\"https:\\\/\\\/x.com\\\/realvnc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/realvnc\\\/\",\"https:\\\/\\\/www.youtube.com\\\/RealVNCLtd\",\"https:\\\/\\\/en.wikipedia.org\\\/wiki\\\/RealVNC\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/person\\\/01b6bf08521717030ba8b5904cbdfc49\",\"name\":\"Nick Cavalancia, 4-time Microsoft 
MVP\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/39ee2c0e6e815f082b788d1724827f4153716df8f8013fbe03f24ab73c6e4b89?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/39ee2c0e6e815f082b788d1724827f4153716df8f8013fbe03f24ab73c6e4b89?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/39ee2c0e6e815f082b788d1724827f4153716df8f8013fbe03f24ab73c6e4b89?s=96&d=mm&r=g\",\"caption\":\"Nick Cavalancia, 4-time Microsoft MVP\"},\"description\":\"Nick Cavalancia is a four-time Microsoft MVP, has over 28 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, and Master CNI. He has authored, co-authored and contributed to dozens of books on various technologies. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What goes on when RDP is compromised: A practical look into the threat actions taken","description":"The fact that RDP is used in cyberattacks is well-known. But what do threat actors actually do once they gain control of an exposed endpoint?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/","og_locale":"en_US","og_type":"article","og_title":"What goes on when RDP is compromised: A practical look into the threat actions taken","og_description":"The fact that RDP is used in cyberattacks is well-known. 
But what do threat actors actually do once they gain control of an exposed endpoint?","og_url":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/","og_site_name":"RealVNC\u00ae","article_publisher":"https:\/\/www.facebook.com\/realvnc","og_image":[{"width":1600,"height":1067,"url":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Threat-actions-RDP-compromised-scaled.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@realvnc","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/#article","isPartOf":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/"},"author":{"name":"Nick Cavalancia, 4-time Microsoft MVP","@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/person\/01b6bf08521717030ba8b5904cbdfc49"},"headline":"What goes on when RDP is compromised: A practical look into the threat actions taken","datePublished":"2023-09-21T07:37:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/"},"wordCount":1236,"publisher":{"@id":"https:\/\/www.realvnc.com\/en\/#organization"},"image":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/#primaryimage"},"thumbnailUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Threat-actions-RDP-compromised-scaled.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/","url":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/","name":"What goes on when RDP is compromised: A practical look into the threat actions 
taken","isPartOf":{"@id":"https:\/\/www.realvnc.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/#primaryimage"},"image":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/#primaryimage"},"thumbnailUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Threat-actions-RDP-compromised-scaled.jpg","datePublished":"2023-09-21T07:37:20+00:00","description":"The fact that RDP is used in cyberattacks is well-known. But what do threat actors actually do once they gain control of an exposed endpoint?","breadcrumb":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/#primaryimage","url":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Threat-actions-RDP-compromised-scaled.jpg","contentUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/09\/Threat-actions-RDP-compromised-scaled.jpg","width":1600,"height":1067,"caption":"Threat actions RDP compromised"},{"@type":"BreadcrumbList","@id":"https:\/\/www.realvnc.com\/en\/blog\/rdp-is-compromised-a-practical-look-threat-actions\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.realvnc.com\/en\/"},{"@type":"ListItem","position":2,"name":"Blogs","item":"https:\/\/www.realvnc.com\/en\/blog\/"},{"@type":"ListItem","position":3,"name":"What goes on when RDP is compromised: A practical look into the threat actions 
taken"}]},{"@type":"WebSite","@id":"https:\/\/www.realvnc.com\/en\/#website","url":"https:\/\/www.realvnc.com\/en\/","name":"RealVNC\u00ae","description":"The world&#039;s safest remote access software","publisher":{"@id":"https:\/\/www.realvnc.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.realvnc.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.realvnc.com\/en\/#organization","name":"RealVNC\u00ae","url":"https:\/\/www.realvnc.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/05\/realvnc-logo-blue.png","contentUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/05\/realvnc-logo-blue.png","width":300,"height":41,"caption":"RealVNC\u00ae"},"image":{"@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/realvnc","https:\/\/x.com\/realvnc","https:\/\/www.linkedin.com\/company\/realvnc\/","https:\/\/www.youtube.com\/RealVNCLtd","https:\/\/en.wikipedia.org\/wiki\/RealVNC"]},{"@type":"Person","@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/person\/01b6bf08521717030ba8b5904cbdfc49","name":"Nick Cavalancia, 4-time Microsoft MVP","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/39ee2c0e6e815f082b788d1724827f4153716df8f8013fbe03f24ab73c6e4b89?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/39ee2c0e6e815f082b788d1724827f4153716df8f8013fbe03f24ab73c6e4b89?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/39ee2c0e6e815f082b788d1724827f4153716df8f8013fbe03f24ab73c6e4b89?s=96&d=mm&r=g","caption":"Nick Cavalancia, 4-time Microsoft MVP"},"description":"Nick Cavalancia is a 
four-time Microsoft MVP, has over 28 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, and Master CNI. He has authored, co-authored and contributed to dozens of books on various technologies. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance."}]}},"_links":{"self":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog\/23186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/users\/20"}],"version-history":[{"count":0,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog\/23186\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/media\/23204"}],"wp:attachment":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/media?parent=23186"}],"wp:term":[{"taxonomy":"blog_category","embeddable":true,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog_category?post=23186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}