RDP Honeypot

Detect unauthorized access attempts targeting Remote Desktop services.

RDP tripwire details

  • Default port: 3389
  • Protocol: TCP
  • Detection: Username

About RDP

Remote Desktop Protocol (RDP) is Microsoft's protocol for graphical remote access to Windows systems. RDP is one of the most commonly exploited protocols in ransomware attacks, as it provides full desktop access to compromised systems. Exposed RDP endpoints are actively targeted by automated brute-force attacks and credential stuffing campaigns.

What Gets Captured

When an attacker attempts to connect using your RDP honeypot credentials, Tripwires captures:

  • Username - The username from the mstshash cookie in the connection request
  • Source IP - The attacker's IP address
  • Timestamp - Exact time of the connection
  • Client name - The RDP client hostname
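
As an added illustration (not code from the Tripwires product), the Python below shows how a listener on TCP 3389 can pull the username out of the mstshash cookie in the X.224 Connection Request, the first PDU an RDP client sends, and fold it into a detection record with source IP and timestamp. The sample PDU is constructed here, and the field layout is assumed to follow MS-RDPBCGR section 2.2.1.1.

```python
import struct
from datetime import datetime, timezone

# Constructed sample PDU (not a capture): TPKT header, X.224 Connection Request,
# a "Cookie: mstshash=" routing cookie, and an rdpNegReq requesting TLS.
SAMPLE_PDU = (
    b"\x03\x00\x00\x2b"                  # TPKT: version 3, reserved 0, length 43
    b"\x26\xe0\x00\x00\x00\x00\x00"      # X.224: LI 38, CR code 0xE0, refs, class 0
    b"Cookie: mstshash=alice\r\n"        # routing cookie carrying the username
    b"\x01\x00\x08\x00\x01\x00\x00\x00"  # rdpNegReq: type 1, flags 0, len 8, TLS
)

COOKIE_PREFIX = b"Cookie: mstshash="
# requestedProtocols flag bits per MS-RDPBCGR; 0 means standard RDP security
PROTOCOL_FLAGS = {1: "SSL", 2: "HYBRID", 4: "RDSTLS", 8: "HYBRID_EX"}

def parse_connection_request(pdu: bytes) -> dict:
    """Return the mstshash username and negotiation flags from an X.224 CR PDU."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed PDU")
    tpkt_len = struct.unpack(">H", pdu[2:4])[0]
    if tpkt_len > len(pdu):
        raise ValueError("truncated PDU")
    li, code = pdu[4], pdu[5]
    if code != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    variable = pdu[11:5 + li]            # bytes after the 7-byte X.224 fixed header
    username = None
    if variable.startswith(COOKIE_PREFIX):
        end = variable.find(b"\r\n")
        if end == -1:
            raise ValueError("unterminated cookie")
        username = variable[len(COOKIE_PREFIX):end].decode("ascii", errors="replace")
        variable = variable[end + 2:]
    protocols = []
    if len(variable) >= 8 and variable[0] == 0x01:   # TYPE_RDP_NEG_REQ
        _, _, _, requested = struct.unpack("<BBHI", variable[:8])
        protocols = [n for bit, n in PROTOCOL_FLAGS.items() if requested & bit] or ["RDP"]
    return {"username": username, "protocols": protocols}

def build_event(pdu: bytes, source_ip: str, now: datetime = None) -> dict:
    """Turn one connection attempt into the record a tripwire alert would carry."""
    now = now or datetime.now(timezone.utc)
    return {"source_ip": source_ip, "timestamp": now.isoformat(),
            **parse_connection_request(pdu)}
```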

Connection Formats

RDP credentials can be planted in various formats depending on your environment:

Windows Remote Desktop

mstsc /v:rdp-xxx.gettripwires.com:3389

xfreerdp (Linux)

xfreerdp /v:rdp-xxx.gettripwires.com /u:user /p:password

RDP File (.rdp)

full address:s:rdp-xxx.gettripwires.com:3389
username:s:DOMAIN\user
prompt for credentials:i:1

PowerShell

cmdkey /generic:rdp-xxx.gettripwires.com /user:user /pass:password
mstsc /v:rdp-xxx.gettripwires.com

Strategic Placement Ideas

Jump Server Documentation

Leave as 'admin workstation' RDP connection in IT documentation.

Remote Access Guides

Add as 'VPN-less emergency access' server in remote work guides.

Saved RDP Files

Place .rdp files labeled 'Domain Controller' in shared network drives.