# msrdp

**Explanation**

A Microsoft Remote Desktop Protocol (RDP) reflection attack is a type of DDoS attack in which the attacker sends forged packets to an open RDP server, causing the server to send a large amount of traffic to a target. This traffic overwhelms the target's network, causing it to crash.

**What to Look For**

When examining the results of the msrdp event, look for any indications of a malicious actor attempting to send forged packets to an open RDP server. This can include a high volume of traffic from a single IP address, as well as packets with unusual characteristics or payloads. Endpoint analysis should focus on any anomalous behavior from RDP clients or abnormal network traffic from the affected device. Remediation measures may include blocking the offending IP address or disabling the RDP service on the targeted device.
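The volume check described above can be run over flow summaries, as in this added example (not part of the original page or the vendor's detection logic). It assumes the reflection traffic uses RDP's UDP transport on port 3389, treats the single high-volume source address as the forged (victim) address, and uses constructed flow records and illustrative thresholds.

```python
from collections import defaultdict

RDP_PORT = 3389            # assumption: reflection rides RDP's UDP transport
MIN_FLOWS = 100            # illustrative threshold, tune to your own baseline
MIN_AMPLIFICATION = 10.0   # illustrative: reply bytes / request bytes

# Constructed sample flow summaries:
# (claimed_src, rdp_server, proto, dst_port, flows, bytes_in, bytes_out)
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.0.0.20", "udp", 3389, 4000, 80_000, 6_400_000),
    ("198.51.100.7", "10.0.0.20", "udp", 3389, 3500, 70_000, 5_900_000),
    ("10.0.5.14", "10.0.0.20", "tcp", 3389, 3, 250_000, 900_000),  # admin session
    ("203.0.113.9", "10.0.0.21", "udp", 3389, 12, 9_000, 30_000),  # low volume
    ("10.0.5.30", "10.0.0.22", "udp", 53, 500, 30_000, 400_000),   # not RDP
]

def find_reflection_candidates(flows, min_flows=MIN_FLOWS, min_amp=MIN_AMPLIFICATION):
    """Flag (server, claimed source) pairs with many UDP/3389 flows and large replies."""
    totals = defaultdict(lambda: [0, 0, 0])  # flows, bytes_in, bytes_out
    for src, server, proto, port, count, b_in, b_out in flows:
        if proto != "udp" or port != RDP_PORT:
            continue
        t = totals[(server, src)]
        t[0] += count
        t[1] += b_in
        t[2] += b_out
    findings = []
    for (server, src), (count, b_in, b_out) in totals.items():
        if count < min_flows or b_in == 0:  # too quiet, or no request bytes recorded
            continue
        amp = b_out / b_in
        if amp >= min_amp:
            findings.append({
                "reflector": server,       # RDP server being abused
                "likely_victim": src,      # forged source the replies are sent to
                "flows": count,
                "amplification": round(amp, 1),
            })
    return sorted(findings, key=lambda f: f["amplification"], reverse=True)

if __name__ == "__main__":
    for finding in find_reflection_candidates(SAMPLE_FLOWS):
        print(finding)
```

Because the source address in a reflection attack is forged, a finding here points to the server to harden or take off UDP exposure; blocking the listed source only stops replies toward the victim.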

**Related MITRE ATT&CK Categories**

[Impact: Network Denial of Service, Technique T1498 - Enterprise](https://attack.mitre.org/techniques/T1498)

