
Find open RDP sessions using Sophos Live Discover – Sophos News


Remote Desktop Protocol (RDP), while a legitimate tool, is also a common ingress point for attackers looking to break into an organization. A recent Sophos survey found that in 9% of ransomware attacks, RDP was the method used to gain entry.

Fortunately, Intercept X Advanced with EDR makes it easy to identify devices that have open RDP connections and remotely shut them down, all from a single management console.

Sophos EDR includes Live Discover, which leverages a collection of pre-written, fully customizable SQL queries to answer IT operations and threat hunting questions.

To begin, we select which devices we want to check.

There are a variety of categories to choose from depending on your needs. We have a couple of options for RDP: identifying devices with running processes that have active RDP connections, or finding devices that have RDP enabled.

In this case we want to do the latter, so we’re going to create a short query for the task. A quick search of the Live Discover query sharing forum gives us exactly what we need. A couple of clicks later and we have our query ready to run (we also had the option to select a pre-written query to identify devices with active RDP connections).

The query identifies a device that has RDP enabled. From the same console, we launch a Live Response remote terminal session to the device and use the command line interface to disable RDP.
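A query along these lines would report devices with RDP enabled. It is an added example, not the forum query referred to above and not Sophos's own code. It assumes the endpoint exposes osquery's standard Windows `registry` table and reads the standard Terminal Server registry values.

```sql
-- Added example (not from the original article or the Sophos query forum).
-- Assumption: osquery's Windows `registry` table is available to the query engine.
-- fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
SELECT
    rdp.path  AS registry_path,
    rdp.mtime AS setting_last_modified,
    'RDP enabled' AS rdp_state,
    -- Listening port: 3389 by default, but it can be changed per host.
    (SELECT data
       FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber'
    ) AS listen_port,
    -- Network Level Authentication: 1 = required before a session is created.
    (SELECT CASE data WHEN '1' THEN 'NLA required' ELSE 'NLA not required' END
       FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
    ) AS nla_state
FROM registry AS rdp
WHERE rdp.path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
  AND rdp.data = '0';
```

A device that returns a row has RDP enabled; the `listen_port` and `nla_state` columns help prioritise which hosts to review first.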

It’s that easy to detect RDP and disable it across your entire endpoint and server estates. To learn more about Sophos EDR head over to or to try it for yourself, you can start a no-obligation 30-day trial.
