turbot/tailpipe-mod-aws-vpc-flow-log-detections

Detection: RDP Traffic

Overview

Detect RDP connections in VPC Flow Logs. Remote Desktop Protocol (RDP) connections, while necessary for Windows administration, can be exploited for unauthorized access to resources, lateral movement within networks, or command and control activities. Monitoring RDP connections helps identify potentially suspicious remote access attempts, especially from unexpected sources or to sensitive assets, which could indicate compromise or policy violations within your AWS environment.

This detection monitors only accepted traffic on port 3389 (RDP).

Usage

Run the detection in your terminal:

powerpipe detection run aws_vpc_flow_log_detections.detection.rdp_traffic

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_vpc_flow_log_detections.detection.rdp_traffic --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  action as operation,
  interface_id as resource,
  src_addr as source_ip,
  src_port::varchar as source_port,
  dst_addr as destination_ip,
  dst_port::varchar as destination_port,
  case
    when protocol = 1 then 'ICMP (1)'
    when protocol = 6 then 'TCP (6)'
    when protocol = 17 then 'UDP (17)'
    else 'Other (' || protocol || ')'
  end as protocol,
  account_id,
  region,
  vpc_id,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  protocol as protocol_src,
  *
  exclude (account_id, protocol, region, vpc_id)
from
  aws_vpc_flow_log
where
  dst_port = 3389
order by
  tp_timestamp desc;
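
To see what the named query actually selects before pointing it at a real Tailpipe database, the following added example (not part of this mod or of Tailpipe) replays the detection logic over a handful of constructed VPC Flow Log records. It parses default-format (version 2) flow log lines, loads them into an in-memory SQLite table using the column names the named query references (the raw-field-to-column mapping, the row ids and the region and vpc_id placeholders are assumptions, since the default format does not carry region or VPC id), and runs an SQLite-compatible rewrite of the query: cast(... as text) replaces ::varchar, the DuckDB select * exclude (...) is dropped, and an action = 'ACCEPT' clause is added so the result matches the "accepted traffic" scope stated in the overview, which the named query as printed above does not enforce (it filters on destination port only). The accepted_only switch lets you compare both behaviours.

```python
"""Replay the rdp_traffic detection over constructed VPC Flow Log lines (added example)."""
import sqlite3
from datetime import datetime, timezone

# Default flow log record layout (version 2), space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_FIELDS = (
    "version account_id interface_id src_addr dst_addr src_port dst_port "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample records (not real traffic): an accepted TCP/3389 flow, its
# return flow, a rejected 3389 attempt, unrelated HTTPS, and an accepted UDP/3389 flow.
SAMPLE_FLOW_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51234 3389 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 3389 51234 6 18 6000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40000 3389 6 3 180 1700000100 1700000160 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.25 55000 443 6 10 2000 1700000200 1700000260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.25 55001 3389 17 1 64 1700000300 1700000360 ACCEPT OK",
]


def parse_flow_log_line(line, row_id, region="us-east-1", vpc_id="vpc-0example"):
    """Map one raw record onto the column names the named query uses.

    The mapping is an assumption for this example; region and vpc_id are not in the
    default format (only in custom formats), so constructed placeholders are used.
    """
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    if rec["log_status"] != "OK":
        # NODATA / SKIPDATA records carry '-' in the traffic fields; skip them.
        return None
    return {
        "tp_id": f"row-{row_id}",
        "tp_timestamp": datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc).isoformat(),
        "account_id": rec["account_id"],
        "region": region,
        "vpc_id": vpc_id,
        "interface_id": rec["interface_id"],
        "src_addr": rec["src_addr"],
        "dst_addr": rec["dst_addr"],
        "src_port": int(rec["src_port"]),
        "dst_port": int(rec["dst_port"]),
        "protocol": int(rec["protocol"]),
        "action": rec["action"],
    }


# SQLite rewrite of the named query; :accepted_only toggles the ACCEPT-only scope.
RDP_TRAFFIC_SQL = """
select
  tp_timestamp as timestamp,
  action as operation,
  interface_id as resource,
  src_addr as source_ip,
  cast(src_port as text) as source_port,
  dst_addr as destination_ip,
  cast(dst_port as text) as destination_port,
  case
    when protocol = 1 then 'ICMP (1)'
    when protocol = 6 then 'TCP (6)'
    when protocol = 17 then 'UDP (17)'
    else 'Other (' || protocol || ')'
  end as protocol,
  account_id,
  region,
  vpc_id,
  tp_id as source_id
from aws_vpc_flow_log
where dst_port = 3389
  and (:accepted_only = 0 or action = 'ACCEPT')
order by tp_timestamp desc
"""


def rdp_traffic(lines, accepted_only=True):
    """Return the detection rows (as dicts) produced for the given raw flow log lines."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "create table aws_vpc_flow_log ("
        "tp_id text, tp_timestamp text, account_id text, region text, vpc_id text, "
        "interface_id text, src_addr text, dst_addr text, src_port integer, "
        "dst_port integer, protocol integer, action text)"
    )
    records = [r for r in (parse_flow_log_line(l, i) for i, l in enumerate(lines)) if r]
    conn.executemany(
        "insert into aws_vpc_flow_log values (:tp_id, :tp_timestamp, :account_id, :region, "
        ":vpc_id, :interface_id, :src_addr, :dst_addr, :src_port, :dst_port, :protocol, :action)",
        records,
    )
    rows = conn.execute(RDP_TRAFFIC_SQL, {"accepted_only": 1 if accepted_only else 0}).fetchall()
    conn.close()
    return [dict(r) for r in rows]


if __name__ == "__main__":
    for row in rdp_traffic(SAMPLE_FLOW_LOG_LINES):
        print(row["timestamp"], row["operation"], row["source_ip"], "->",
              row["destination_ip"], row["destination_port"], row["protocol"])
```

Running it yields two rows: the accepted TCP/3389 flow from 203.0.113.10 and the accepted UDP/3389 flow, newest first. The return flow (source port 3389) and the HTTPS flow never match, and the REJECT record only appears with accepted_only=False. The UDP hit is worth noting: neither the named query nor this replay restricts on protocol, so anything accepted on destination port 3389 surfaces, not only TCP.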

Tags