Remote Desktop Protocol (RDP) is a tool for remotely controlling a Windows device, but it is also frequently abused by threat actors to gain access to devices and is used as a primary attack vector for ransomware. This is done with brute force attacks that guess login credentials until they find a valid set and gain access to an environment.
Malwarebytes protects RDP through the Web Protection real-time protection layer and Brute Force Protection. This article provides an understanding of how Malwarebytes protects your environment from brute force attacks and additional preventative measures to consider.
Blocked inbound connections
Detections with the following fields reported typically occur when a port is open and exposed to the internet:
- Type: Inbound Connection
- Action Taken: Blocked
These detections are prevented by the Web Protection real-time protection layer. When these detections occur, it means the IP address being blocked is scanning or attempting to force its way into the endpoint using different ports. Malwarebytes blocks IP addresses that have a history of abuse and is correctly preventing malicious connections.
Found inbound connections
Detections with the following fields reported are typically a result of having open ports in the router or firewall:
- Type: Inbound Connection
- Action Taken: Found
- Detection Name: RDP Intrusion Detection
These detections occur based on your Brute Force Protection trigger rule settings specified in the Nebula policy. For more information, see Overview of Brute Force Protection settings in Nebula.
These alerts notify you that the trigger rule was met, but in this mode the attempts are only reported. To have Malwarebytes block brute force attempts rather than only report them, set the Brute Force Protection setting mode to Block.
CAUTION - Setting to Block mode automatically enables the local Windows Firewall.
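The two detection categories above (Blocked inbound connections from Web Protection, and Found RDP Intrusion Detection events from a Brute Force Protection trigger rule) and the difference between a rule that only reports and one set to Block can be illustrated with a small simulation. The following is an added example, not Malwarebytes code: the field names mirror the Type, Action Taken and Detection Name fields named in this article, while the sample records, the threshold of five failed logons in a five-minute window, and the "Monitor"/"Block" mode names are constructed assumptions rather than the product's actual policy values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample detections. Field names mirror the article's Type,
# Action Taken and Detection Name fields; the IP addresses come from the
# documentation ranges and every value here is made up for this example.
SAMPLE_DETECTIONS = [
    {"type": "Inbound Connection", "action_taken": "Blocked",
     "detection_name": "ExampleWebProtectionBlock", "ip": "198.51.100.7", "port": 3389},
    {"type": "Inbound Connection", "action_taken": "Blocked",
     "detection_name": "ExampleWebProtectionBlock", "ip": "198.51.100.7", "port": 445},
    {"type": "Inbound Connection", "action_taken": "Found",
     "detection_name": "RDP Intrusion Detection", "ip": "203.0.113.5", "port": 3389},
    {"type": "Outbound Connection", "action_taken": "Blocked",
     "detection_name": "ExampleWebProtectionBlock", "ip": "192.0.2.9", "port": 443},
]


def classify_detection(det):
    """Map one detection record to the categories described in the article."""
    if det["type"] != "Inbound Connection":
        return "other"
    if det["action_taken"] == "Blocked":
        # Web Protection blocked a source with a history of abuse: the
        # connection never reached the service, nothing further to do.
        return "blocked_by_web_protection"
    if det["action_taken"] == "Found" and det["detection_name"] == "RDP Intrusion Detection":
        # The Brute Force Protection trigger rule was met, but the policy is
        # not in Block mode, so the attempt was only reported.
        return "brute_force_rule_triggered"
    return "other"


def summarize(detections):
    """Count detections per category, e.g. to spot endpoints needing Block mode."""
    counts = {}
    for det in detections:
        category = classify_detection(det)
        counts[category] = counts.get(category, 0) + 1
    return counts


class BruteForceTriggerRule:
    """Sliding-window brute force rule: fires when one source IP produces
    max_attempts failed logons within window_minutes. The default threshold,
    window and the Monitor/Block mode names are assumptions for this example."""

    def __init__(self, max_attempts=5, window_minutes=5, mode="Monitor"):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=window_minutes)
        self.mode = mode
        self.attempts = defaultdict(deque)  # ip -> timestamps still inside the window
        self.blocked = set()                # ips blocked once the rule fired in Block mode

    def record_failed_logon(self, ip, when):
        """Return None (rule not met), "Found" (met, reported only) or "Blocked"."""
        if ip in self.blocked:
            return "Blocked"
        recent = self.attempts[ip]
        recent.append(when)
        cutoff = when - self.window
        while recent and recent[0] < cutoff:   # drop attempts older than the window
            recent.popleft()
        if len(recent) < self.max_attempts:
            return None
        if self.mode == "Block":
            self.blocked.add(ip)
            return "Blocked"
        return "Found"


def replay(rule, events):
    """Feed (ip, timestamp) failed-logon events through a rule; return the first verdict per IP."""
    verdicts = {}
    for ip, when in events:
        verdict = rule.record_failed_logon(ip, when)
        if verdict and ip not in verdicts:
            verdicts[ip] = verdict
    return verdicts


# Constructed failed-logon stream: one source hammers the endpoint (5 failures
# in 4 minutes), another fails 5 times spread over 40 minutes and never has 5
# attempts inside any 5-minute window.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_FAILED_LOGONS = (
    [("203.0.113.5", T0 + timedelta(minutes=m)) for m in range(5)]
    + [("198.51.100.20", T0 + timedelta(minutes=10 * m)) for m in range(5)]
)

if __name__ == "__main__":
    print("detection summary:", summarize(SAMPLE_DETECTIONS))
    print("monitor mode:", replay(BruteForceTriggerRule(mode="Monitor"), SAMPLE_FAILED_LOGONS))
    print("block mode:  ", replay(BruteForceTriggerRule(mode="Block"), SAMPLE_FAILED_LOGONS))
```

In Monitor mode the aggressive source only yields a "Found" verdict, which corresponds to the RDP Intrusion Detection alerts the article describes; the same stream in Block mode adds the source to the blocked set, which is what switching the policy to Block achieves. The slow source never trips the rule, showing why a threshold and window that are too loose leave low-and-slow guessing unreported.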
Securing RDP
If RDP is required for your business operations, see our Malwarebytes Labs article How to protect RDP for guidance on how best to secure this service.
If the inbound ports are unintentionally open and you would like to prevent these detections from occurring, configure the rules on the router or firewall appliance the endpoint is behind and close those ports.