Logic for RDP Brute Force detection?

As Check Point does not publish its rules/logic for signatures, I am looking for help understanding the RDP brute force login signature.

Endpoint logs would be the source of truth (audit logs). How is this being detected on the wire? 

Edit: Here is the signature CPAI-2017-0754 | Check Point Software 

2 Replies

A client/server handshake for each attempt makes sense, but past that point the connection is encrypted. How is IPS checking if the login is a success or a fail? TCP flags?

This has been a low fidelity signature, so any thoughts are appreciated.
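Because the RDP payload after the handshake is encrypted, a network sensor can only reason about what it can see: how many connections a source opens to port 3389, how quickly, and how long each one lives (a failed logon tears the session down within seconds, a real desktop session stays up). The block below is an added example of that kind of rate-based heuristic, not Check Point's signature logic, which the thread notes is unpublished; the threshold, window and short-session cutoff are assumed values and the flow records are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

RDP_PORT = 3389
THRESHOLD = 5            # assumed: short RDP connections per (src, dst) in the window
WINDOW_SECONDS = 60.0    # assumed: sliding-window length
MAX_SHORT_SESSION = 3.0  # assumed: a session that closes this fast looks like a failed logon


@dataclass(frozen=True)
class Flow:
    """One TCP connection as a flow sensor would record it (no payload needed)."""
    ts: float        # seconds when the connection was opened
    src: str
    dst: str
    dport: int
    duration: float  # seconds until the connection closed


def detect_rdp_bruteforce(flows, threshold=THRESHOLD,
                          window=WINDOW_SECONDS, max_short=MAX_SHORT_SESSION):
    """Return {(src, dst): ts} for every pair whose count of short-lived RDP
    connections within `window` seconds reached `threshold`; ts is the
    connection that tripped it.  Long sessions and other ports are ignored."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport != RDP_PORT or f.duration > max_short:
            continue
        key = (f.src, f.dst)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = f.ts
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = (
    # one source hammering a host: six 1-second sessions, 5 seconds apart
    [Flow(5.0 * i, "203.0.113.5", "192.0.2.10", RDP_PORT, 1.0) for i in range(6)]
    # a legitimate user: one long-lived session
    + [Flow(3.0, "198.51.100.7", "192.0.2.10", RDP_PORT, 1800.0)]
    # a user who mistyped twice, then stopped
    + [Flow(40.0, "198.51.100.8", "192.0.2.10", RDP_PORT, 2.0),
       Flow(50.0, "198.51.100.8", "192.0.2.10", RDP_PORT, 2.0)]
    # six short sessions spread over ten minutes: never five inside one window
    + [Flow(100.0 * i, "203.0.113.9", "192.0.2.10", RDP_PORT, 1.0) for i in range(6)]
)

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_FLOWS))
```

Raising the window or lowering the threshold trades fidelity for sensitivity, which is the same tuning knob a low-fidelity IPS signature exposes.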
