T1021.001

Remote Desktop Protocol

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citatio...

Platform: Windows
51 detections, 4 sources, 35 threat actors

BY SOURCE

- elastic: 18
- splunk_escu: 17
- sigma: 15
- crowdstrike_cql: 1

PROCEDURES (31)

Procedure categories below are auto-extracted; the count is the number of detections mapped to each category.

- Registry (5 detections)
- Network Connection Monitoring (4 detections)
- Persist (3 detections)
- Remote (3 detections)
- Unusual (3 detections)
- Exfiltrat (3 detections)
- Suspicious (2 detections)
- Privilege (2 detections)
- Service (2 detections)
- Remote (2 detections)
- Lateral (2 detections)
- Powershell (1 detection)
- Tunnel (1 detection)
- Tunnel (1 detection)
- Service (1 detection)
- Credential (1 detection)
- Suspicious (1 detection)
- Suspicious (1 detection)
- Credential (1 detection)
- General Monitoring (1 detection)
- Registry (1 detection)
- Unusual (1 detection)
- Powershell (1 detection)
- Lateral (1 detection)
- Credential (1 detection)
- Persist (1 detection)
- Lateral (1 detection)
- Process Creation Monitoring (1 detection)
- Tunnel (1 detection)
- Lateral (1 detection)
- Service (1 detection)

DETECTIONS (51)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

- Allow Inbound Traffic By Firewall Rule Registry (splunk_escu)
- Allow Inbound Traffic In Firewall Rule (splunk_escu)
- Denied Access To Remote Desktop (sigma, medium)
- Execution via TSClient Mountpoint (elastic, high)
- High Mean of Process Arguments in an RDP Session (elastic, low)
- High Mean of RDP Session Duration (elastic, low)
- High Variance in RDP Session Duration (elastic, low)
- Lateral Movement Detection (crowdstrike_cql)
- Lateral Movement via Startup Folder (elastic, high)
- Network-Level Authentication (NLA) Disabled (elastic, low)
- New Remote Desktop Connection Initiated Via Mstsc.EXE (sigma, medium)
- OpenCanary - RDP New Connection Attempt (sigma, high)
- Outbound RDP Connections Over Non-Standard Tools (sigma, high)
- Port Forwarding Activity Via SSH.EXE (sigma, medium)
- Potential Remote Desktop Shadowing Activity (elastic, high)
- Potential Remote Desktop Tunneling Detected (elastic, high)
- Potential SharpRDP Behavior (elastic, high)
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE (sigma, high)
- Publicly Accessible RDP Service (sigma, high)
- RDP (Remote Desktop Protocol) from the Internet (elastic, medium)
- RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class (sigma, medium)
- RDP Enabled via Registry (elastic, medium)
- RDP Login from Localhost (sigma, high)
- RDP Over Reverse SSH Tunnel (sigma, high)
- RDP over Reverse SSH Tunnel WFP (sigma, high)
- RDP to HTTP or HTTPS Target Ports (sigma, high)
- Remote Desktop Enabled in Windows Firewall by Netsh (elastic, medium)
- Remote Desktop Network Traffic (splunk_escu)
- Remote Desktop Process Running On System (splunk_escu)
- Spike in Number of Connections Made from a Source IP (elastic, low)
- Spike in Number of Connections Made to a Destination IP (elastic, low)
- Spike in Number of Processes in an RDP Session (elastic, low)
- Suspicious Plink Port Forwarding (sigma, high)
- Suspicious RDP ActiveX Client Loaded (elastic, medium)
- Suspicious RDP Redirect Using TSCON (sigma, high)
- Unusual Time or Day for an RDP Session (elastic, low)
- Unusual Windows Remote User (elastic, low)
- User Added to Remote Desktop Users Group (sigma, high)
- Windows Default RDP File Creation By Non MSTSC Process (splunk_escu)
- Windows Default Rdp File Unhidden (splunk_escu)
- Windows MSTSC RDP Commandline (splunk_escu)
- Windows Process Execution From RDP Share (splunk_escu)
- Windows RDP Bitmap Cache File Creation (splunk_escu)
- Windows RDP Client Launched with Admin Session (splunk_escu)
- Windows RDP File Execution (splunk_escu)
- Windows RDP Login Session Was Established (splunk_escu)
- Windows RDP Server Registry Entry Created (splunk_escu)
- Windows Remote Service Rdpwinst Tool Execution (splunk_escu)
- Windows Remote Services Allow Rdp In Firewall (splunk_escu)
- Windows Remote Services Allow Remote Assistance (splunk_escu)
- Windows Remote Services Rdp Enable (splunk_escu)