RDP Honeypot Enterprise Community

The RDP service emulates a Windows Remote Desktop Protocol server. It is one of the most targeted services in internal networks and an effective honeypot signal.

Configuration

```json
"rdp": [
  {
    "port": 3389,
    "version": "2019",
    "ntlm_hostname": "WIN-RDP",
    "ntlm_domain": "WORKGROUP"
  }
]
```

Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| port | integer | 3389 | TCP port |
| version | string | 2019 | OS fingerprint for negotiation flags and NTLM metadata (see table below) |

Version values (version)

| Value | Target OS |
|---|---|
| winxp | Windows XP SP3 (no NLA) |
| win7 | Windows 7 SP1 / Server 2008 R2 |
| win81 | Windows 8.1 / Server 2012 R2 |
| win10 | Windows 10 20H1 |
| win11 | Windows 11 25H2 |
| 2012 | Windows Server 2012 |
| 2012r2 | Windows Server 2012 R2 |
| 2016 | Windows Server 2016 |
| 2019 | Windows Server 2019 |
| 2022 | Windows Server 2022 |

What gets captured

| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Data sent | Raw client data |
| Login attempt | Username and authentication material from the RDP client (may include NTLM hashes) |

After the initial exchange the server closes the connection without granting a session.
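
The raw client data recorded for a connection normally begins with the RDP client's X.224 Connection Request, which can carry an `mstshash` cookie and the security protocols the client asks for (for example NLA). The following is an added example for triaging such captures, not code from this product; the function names and the sample packets are constructed for illustration, and the honeypot's own log format is not assumed.

```python
import struct

# requestedProtocols bits in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_BITS = {0x1: "SSL", 0x2: "HYBRID (NLA)", 0x4: "RDSTLS", 0x8: "HYBRID_EX"}
LEGACY = "RDP standard security"


def parse_connection_request(data: bytes) -> dict:
    """Decode the TPKT + X.224 Connection Request an RDP client sends first."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT version 3 packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if not 11 <= tpkt_len <= len(data):
        raise ValueError("TPKT length does not match captured data")
    if (data[5] & 0xF0) != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = data[11:tpkt_len]  # skip TPKT (4) + fixed X.224 CR header (7)
    result = {"cookie": None, "protocols": [LEGACY]}
    # Optional "Cookie: mstshash=<name>\r\n" or routing token line comes first.
    if body.startswith(b"Cookie: "):
        line, sep, body = body.partition(b"\r\n")
        if not sep:
            raise ValueError("unterminated cookie line")
        if line.startswith(b"Cookie: mstshash="):
            result["cookie"] = line[17:].decode("ascii", "replace")
    # Optional 8-byte RDP_NEG_REQ: type 0x01, flags, length 8, requestedProtocols.
    if len(body) >= 8 and body[0] == 0x01:
        _flags, length, requested = struct.unpack("<BHI", body[1:8])
        if length != 8:
            raise ValueError("bad RDP_NEG_REQ length")
        names = [n for bit, n in PROTOCOL_BITS.items() if requested & bit]
        result["protocols"] = names or [LEGACY]
    return result


def build_sample(cookie: bytes, requested=None) -> bytes:
    """Constructed test input shaped like an RDP client's first packet."""
    var = b"Cookie: mstshash=" + cookie + b"\r\n"
    if requested is not None:
        var += struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = bytes([6 + len(var), 0xE0, 0, 0, 0, 0, 0]) + var
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


if __name__ == "__main__":
    print(parse_connection_request(build_sample(b"admin", 0x3)))
    print(parse_connection_request(build_sample(b"hello")))
```

A request with no RDP_NEG_REQ, or with no protocol bits set, is reported as standard RDP security, which is what a client without NLA support sends.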

RDP breadcrumbs placed on Windows endpoints create saved RDP connections pointing to the honeypot. See RDP shortcut breadcrumb.