Threat Hunting - Outbound RDP Surprises
ID: b5ab633b-b1fa-5178-a88c-89b6abc22e35
STIX ID: report--b5ab633b-b1fa-5178-a88c-89b6abc22e35
Feed Name: TrustedSec blog
This threat-hunting write-up describes the detection and investigation of suspicious outbound RDP and VPN client connections from internal hosts to an externally exposed Synology NAS in Hungary. Using SIEM, firewall syslog, Shodan, Urlscan, and EDR data, the author identified exposed RDP and web services, a recently issued SSL certificate, and evidence that the NAS may be port-forwarding RDP and hosting VPN services. The report highlights gaps in egress controls and the lack of baselining, and recommends restricting outbound RDP, enforcing B2B VPNs, and detecting unauthorized VPN usage.
