I have looked through available signatures and recon items and don't see anything about RDP brute force. Has anyone ever done any monitoring around this?
I know... don't publish RDP to the internet... unfortunately it's not my call. I am just asked to protect it as much as possible.
There's actually a new software called Syspeace http://www.syspeace.com out there now that handles brute force attacks on Windows. It blocks, traces and reports via email the origin of the attack (DNS and country) and what username was tried, which is great to know so one can quickly see. There's also a global blacklist in there, so every attack is reported and investigated, and if there are x number of attacks from the same IP, all Syspeace installations around the world actually get the information and they are protected preemptively.
Just a tip really
Cheers Juha Jurvanen
Senior consultant in backup, security, server operations and cloud services
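
For the monitoring question in the original post, a minimal sliding-window check over failed logons per source IP, reporting the usernames tried. This is an added example, not part of either post and not Syspeace's implementation. It assumes Windows Security events (4625, failed logon) have been exported to the constructed CSV layout shown, and the threshold and window are assumed values to tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, event ID, logon type, user, source IP.
# 4625 = failed logon; logon type 10 = RemoteInteractive, 3 = Network (RDP with NLA).
SAMPLE = """\
2024-01-01T10:00:00,4625,10,administrator,203.0.113.7
2024-01-01T10:00:05,4625,10,admin,203.0.113.7
2024-01-01T10:00:09,4625,3,backup,203.0.113.7
2024-01-01T10:00:12,4624,10,jsmith,198.51.100.20
2024-01-01T10:00:14,4625,10,test,203.0.113.7
2024-01-01T10:00:20,4625,10,guest,203.0.113.7
2024-01-01T10:03:00,4625,10,jsmith,198.51.100.20
2024-01-01T10:30:00,4625,10,jsmith,198.51.100.20
"""

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: (first_alert_time, usernames_tried)} for every source IP with
    `threshold` or more failed logons inside a sliding `window` (assumed values)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every username that source attempted
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.strip().split(",")
        # Only failed logons that can originate from an RDP session.
        if event_id != "4625" or logon_type not in ("3", "10"):
            continue
        when = datetime.fromisoformat(ts)
        failures = recent[ip]
        failures.append(when)
        users[ip].add(user)
        # Drop failures that have aged out of the window.
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and ip not in alerts:
            alerts[ip] = when
    return {ip: (t, sorted(users[ip])) for ip, t in alerts.items()}

if __name__ == "__main__":
    for ip, (when, tried) in detect_bruteforce(SAMPLE.splitlines()).items():
        print(f"{when.isoformat()} {ip} exceeded threshold; usernames tried: {tried}")
```

A single user mistyping a password a couple of times (198.51.100.20 in the sample) stays under the threshold, while the source cycling through account names trips it on the fifth failure.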