Ymir Vigfusson
June 10, 2025
If you've worked in incident response, you've seen this pattern before: An attacker lands on a single system, maybe from a phishing email or a reused VPN credential, and within hours, multiple systems are compromised. Backups are deleted. Critical services are encrypted. And every alert you’re looking at seems to trace back to one thing: a remote desktop session.
RDP isn’t just an entry point. It’s the attacker’s operational platform.
Let’s walk through why that’s true, where our tools fall short, and how you can close this blind spot once and for all.
RDP is a go-to tool for admins, whether you're managing a server, troubleshooting workstations, or pushing updates across the fleet. That’s the same reason attackers use it.
Once an adversary gets access to a machine via phishing, stolen credentials, or a misconfigured service, they don’t need malware to cause damage. They just need RDP access and time.
RDP provides:
They often don’t even need to drop new binaries. Instead, they repurpose the same trusted tools your admins use daily, PowerShell, Task Scheduler, and even Explorer itself. They use the same tools you use.
Here's what that can look like in practice:
No exploits. No shellcode. Just standard RDP, quietly spreading across your infrastructure.
It’s easy to assume that MFA, PAM, or EDR would catch this. But in practice, those tools stop checking the moment a session begins.
Let’s break down what each tool sees and misses:
Once the attacker logs in via RDP with valid credentials, they look identical to your sysadmins. They click windows. They open consoles. They run scripts. Your tools see a trusted session and stop asking questions.
Reliably differentiating normal and malicious behavior needs something both different and definitive.
You don’t detect fast enough, and even when you do, you can’t respond in time. That gap between detection and containment is the attacker’s playground. That delay is the attacker’s window.
For most RDP-based intrusions, the Mean Time to Remediation (MTTR) is measured in hours or days. In that time, attackers can:
And if they’re using built-in tools and valid accounts, your detection tools might not even fire.
This is what that lateral movement flow typically looks like:
This is the default, and risky path unless you change the trust model. Even when we have detection in the flow, it needs to be timely.
This is where Keystrike steps in. Not by logging more data, not by adding heuristics, but by enforcing one simple principle:
If a command didn’t come from a human typing on a real keyboard, it doesn’t run. That’s a dramatic shift from “detect and respond.” It’s prevention at the point of execution.
Keystrike integrates at the Human Interface Device (HID) level on the workstation. It attaches cryptographic signatures to every keyboard and mouse input. The server only processes input that:
If the input fails that test, Keystrike blocks it. Immediately.
Here’s how the enforcement path looks when Keystrike is deployed:
This changes the security model from “assume trust until proven malicious” to “prove trust before execution.”
Once an attacker gains access and initiates an RDP session, everything looks like it’s going to plan until it doesn’t. They connect successfully. They get the GUI. The desktop loads. The screen responds. They move the mouse. But then, nothing works.
The moment they try to run a PowerShell payload, launch a privileged tool, or make changes to Active Directory, the system simply refuses to execute their commands. No keystroke gets recognized. No mouse clicks register. From the system’s point of view, no physical activity means no input. And that’s the point.
Keystrike steps in before any action leaves the endpoint. Because the attacker isn’t sitting at a trusted physical device, their input isn’t cryptographically signed. Without that signature, the command is blocked silently, immediately, and decisively.
And that’s just the start. Because Keystrike integrates with network access control and identity platforms, it doesn’t stop at blocking input. It can trigger your security orchestration to instantly terminate the session, revoke the stolen credentials, and isolate the compromised machine—all before they have a chance to escalate or move laterally.
Let’s go one level deeper into how Keystrike enforces trust.
Every workstation enrolled with Keystrike stores a private key securely inside its Trusted Platform Module (TPM) or embedded security chip. This key never leaves the device and is used to sign input at the hardware level, ensuring it originated from a real, physical device under your control.
When a keystroke or mouse click occurs, the device immediately hashes the input along with a precise timestamp. It then signs the hash using its onboard key, generating cryptographic proof that the input originated from a specific, trusted physical device at a specific moment in time.
The Keystrike agent on the server intercepts this input and verifies the signature before allowing it to continue to the application layer. If the input doesn’t validate, if it wasn’t typed by an actual human on a known device, it gets dropped right there. No escalation. No execution.
This model eliminates a whole class of attacks. You can’t spoof the input unless you physically have the hardware. You can’t replay previous commands, because the signature is time-bound. You can’t inject payloads through RDP, malware, or remote control tools, because they lack the one thing Keystrike demands: proof of physical presence.
Even if an attacker is already inside your network, even if they’ve stolen credentials or compromised a host, they still hit a dead end. Keystrike doesn’t just detect bad behavior, it prevents any action that doesn’t originate from a real person at a real machine you trust.
No one signs up to spend their day chasing alerts. Your job is to protect systems that matter and make sure every command that runs actually belongs. But when RDP turns every session into a potential threat, that control slips away, uncertainty creeps in, and you’re left questioning every login, every tool, every operation, every user.
The issue isn’t you, it’s the outdated trust model.
Keystrike changes that. By verifying physical input at the source, it restores certainty. If a command didn’t come from your team, on your hardware, it doesn’t run. Period.
It’s not about blocking bad behavior. It’s about proving what’s real. Let’s get you back in control. Schedule a demo to see how Keystrike turns compromised sessions into isolated endpoints—and stops lateral movement before it starts.
Try Keystrike in Your Environment for 30 Days
