Summary (Bottom Line Up Front)
IP address 36.138.184.167 conducted sustained RDP reconnaissance activity from March 30-April 1, 2026, generating 6,586 events targeting RDP services through X.224 connection requests. This represents low-severity network discovery activity consistent with automated scanning for exposed RDP endpoints. Organizations should verify RDP exposure and implement appropriate access controls.
Activity Timeline
INITIAL REPORT 2026-04-01T14:52:00Z
Source: Analyst Manual Entry
IP address 36.138.184.167 conducted sustained RDP reconnaissance activity from March 30-April 1, 2026, generating 6,586 events targeting RDP services through X.224 connection requests. This represents low-severity network discovery activity consistent with automated scanning for exposed RDP endpoints. Organizations should verify RDP exposure and implement appropriate access controls.
Technical details
- Attack Vector: RDP service discovery via X.224 connection requests
- Volume: 6,586 events over 57-hour period (March 30 08:00 - April 1 17:00 UTC)
- MITRE Technique: T1046 (Network Service Scanning)
- Kill Chain Phase: Reconnaissance
- Primary Pattern: RDP_SCAN operations targeting single destination port
- IOC: 36.138.184.167 (source IP)
- Assessment: Standard automated reconnaissance, no exploitation attempts observed
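Detection logic for the pattern described above, as an added example that is not part of the original report: it recognises the TPKT/X.224 Connection Request framing that opens every RDP session and counts such requests per source IP to tcp/3389 over a sliding window. The packet bytes, log records, window size and threshold are constructed assumptions.

```python
"""Flag sources generating bursts of RDP X.224 Connection Requests.

Added example, not part of the original report. Packet bytes, log records
and thresholds below are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed: TPKT header + X.224 Connection Request + RDP Negotiation Request
SAMPLE_X224_CR = bytes.fromhex("03000013" "0ee00000000000" "010008000b000000")

def is_x224_connection_request(payload: bytes) -> bool:
    """True if payload is a TPKT v3 frame carrying an X.224 CR TPDU (code 0xE)."""
    if len(payload) < 11 or payload[:2] != b"\x03\x00":
        return False                                  # not TPKT version 3
    tpkt_len = int.from_bytes(payload[2:4], "big")
    li, code = payload[4], payload[5]
    # LI counts TPDU bytes after itself; TPKT length = 4 + 1 + LI
    return tpkt_len == len(payload) == li + 5 and (code & 0xF0) == 0xE0

def flag_rdp_scanners(events, window=timedelta(hours=1), threshold=100):
    """events: iterable of (ts, src_ip, dst_port, payload) in any order.
    Returns {src_ip: peak X.224 CRs to tcp/3389 within one `window`} for
    sources whose peak reaches `threshold` (window/threshold are assumptions)."""
    stamps_by_src = {}
    for ts, src, dport, payload in sorted(events, key=lambda e: e[0]):
        if dport == 3389 and is_x224_connection_request(payload):
            stamps_by_src.setdefault(src, []).append(ts)
    flagged = {}
    for src, stamps in stamps_by_src.items():
        peak = start = 0
        for end, ts in enumerate(stamps):             # sliding half-open window
            while ts - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def build_sample_events():
    """Constructed log: the report's source IP every 30 s for ~100 min,
    one benign host with three attempts, and one non-RDP probe to 3389."""
    t0 = datetime(2026, 3, 30, 8, 0, tzinfo=timezone.utc)
    scanner = "36.138.184.167"                        # IOC from the report
    events = [(t0 + timedelta(seconds=30 * i), scanner, 3389, SAMPLE_X224_CR)
              for i in range(200)]
    events += [(t0 + timedelta(minutes=m), "203.0.113.9", 3389, SAMPLE_X224_CR)
               for m in (5, 40, 90)]
    events.append((t0, scanner, 3389, b"GET / HTTP/1.1\r\n\r\n"))  # not X.224
    return events

if __name__ == "__main__":
    print(flag_rdp_scanners(build_sample_events()))   # {'36.138.184.167': 120}
```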
IOCs
IP: 36.138.184.167
Recommendations
- Audit external RDP exposure and disable unnecessary RDP services facing the internet
- Implement network-level access controls (VPN, jump hosts) for legitimate RDP requirements
- Monitor for follow-up brute force attempts against identified RDP services from this or related IP addresses
- Deploy network segmentation to limit RDP access to authorized subnets only
- Enable enhanced RDP logging and failed authentication alerting on exposed systems