T1021.001: Remote Desktop Protocol
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- remote_work: PT-CR-429: RDP_Login_From_Known_UNIX_Host: Connection from a known Unix host via RDP
- remote_work: PT-CR-2560: RDP_Login_From_Internet: Logon to the system via RDP from the internet. RDP is usually used by system administrators to remotely manage a system within the network, so a session originating from the internet is atypical.
- remote_work: PT-CR-1826: RDP_Suspicious_Client: A headless (non-GUI) RDP connection attempt using the ActiveX client, which may indicate lateral movement
- unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host
- unix_mitre_attck_lateral_movement: PT-CR-1698: Subrule_Unix_PortForwarding: Possible traffic tunneling
- mitre_attck_lateral_movement: PT-CR-2462: Multiple_RDP_From_One_User_Or_Host: Multiple RDP connections from one host or account. This may indicate an attacker's covert movement from one compromised system to another.
- mitre_attck_lateral_movement: PT-CR-788: Shadow_Key_Creation: Creation of the Shadow registry key to establish a shadow RDP connection was detected
- mitre_attck_lateral_movement: PT-CR-1825: RDP_Shared_Mountpoint_Usage: The RDP shared mount point tsclient was used on the target host, which may indicate lateral movement
- mitre_attck_lateral_movement: PT-CR-1697: Subrule_Windows_Logon: Subrule that detects successful and unsuccessful SMB/RDP connections
- profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.
- profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
- profiling: PT-CR-1042: Update_Server_Abnormal_Access: Suspicious logon to the update server (FLUS/GUS). Authentication data differ from the collected profile.
- profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
- profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
- profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
- profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: Suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
- profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
- profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager's workstation. Authentication data differ from the collected profile.
- profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
- hacking_tools: PT-CR-1725: Cobalt_Strike_HiddenDesktop: Cobalt Strike HiddenDesktop module activity. This module is used to interact with a remote desktop without the user's knowledge.
- hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool finds leaked tokens in all processes on the system and exploits them. If attackers have obtained a low-privileged account, they can use this tool to escalate to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to hijack interactive user sessions.
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Traffic Flow | Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). RDP, built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It provides interactive access to the running windows and forwards key presses, mouse clicks, etc. Network administrators, power users, and end users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be difficult in highly dynamic environments, but it is useful in identifying the scope of a compromise. Remote Desktop use can be detected in several ways, as the remaining data sources show.
DS0028 | Logon Session: Logon Session Creation | Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10, RemoteInteractive). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. It can feed a number of different types of monitoring depending on what information is desired; some use cases include monitoring for all remote connections and building logon timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 528 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Note that a reconnect to an existing disconnected session is recorded as Logon Type 7 rather than 10, and that when Network Level Authentication is in use the CredSSP step first produces a Logon Type 3 event from the same source; the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log (events 21 and 25) and RemoteConnectionManager/Operational log (event 1149) record the session and its source address independently of the Security log. Note: this analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. It is liable to be quite noisy and will need tuning, especially in terms of the number of top users filtered out.
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Port 3389 is only the default; the listening port is configurable (PortNumber under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), so port-based rules should be paired with protocol identification of the RDP/TLS handshake.
DS0009 | Process: Process Creation | Monitor for newly executed processes (such as
DS0028 | Logon Session: Logon Session Metadata | Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing them to known/approved originating systems can detect lateral movement of an adversary.
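The following Python is an added example, not part of this page and not MaxPatrol SIEM rule logic. It runs the three logon-session analytics described above (Logon Type 10 filtering with a noisy-account cut-off, comparison against approved originating hosts, and fan-out to several hosts in a short window) together with the cross-zone flow check, over constructed Security 4624 records and flow records. The field names (`user`, `src_ip`, `dst_host`, `logon_type`), the host names, the addresses, the zone layout and the approved jump-host list are all assumptions made for the example.

```python
"""Toy RDP lateral-movement analytics over constructed telemetry (added example)."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(time, logon_type, user, src_ip, dst_host):
    # Assumed normalisation of Security 4624: TargetUserName -> user,
    # IpAddress -> src_ip, Computer -> dst_host, LogonType -> logon_type.
    return {"time": time, "event_id": 4624, "logon_type": logon_type,
            "user": user, "src_ip": src_ip, "dst_host": dst_host}


# Constructed sample events. Type 10 = RemoteInteractive (RDP); a type 3
# (network) and a type 7 (unlock/reconnect) event are included as distractors.
EVENTS = [
    _ev("2024-05-01T08:00:00", 10, "admin.jdoe", "10.0.1.5", "FS01"),
    _ev("2024-05-01T08:05:00", 10, "admin.jdoe", "10.0.1.5", "DC01"),
    _ev("2024-05-01T08:07:00", 3, "svc_sql", "10.0.1.9", "SQL01"),
    _ev("2024-05-01T09:00:00", 10, "bob", "10.0.5.23", "FS01"),
    _ev("2024-05-01T09:02:00", 10, "bob", "10.0.5.23", "HR01"),
    _ev("2024-05-01T09:04:00", 10, "bob", "10.0.5.23", "DC01"),
    _ev("2024-05-01T09:30:00", 10, "alice", "10.0.1.6", "WEB01"),
    _ev("2024-05-01T10:15:00", 10, "svc_sql", "10.0.1.9", "SQL02"),
    _ev("2024-05-01T12:00:00", 7, "alice", "10.0.1.6", "WEB01"),
    _ev("2024-05-01T14:00:00", 10, "admin.jdoe", "10.0.1.5", "SQL01"),
]

# Assumed: the only hosts from which RDP is expected to originate (jump hosts).
APPROVED_RDP_SOURCES = {"10.0.1.5", "10.0.1.6"}

# Constructed flow records (DS0029) and an assumed zone layout.
FLOWS = [
    {"src_ip": "10.0.1.5", "dst_ip": "10.0.20.10", "dst_port": 3389},   # jump host -> servers
    {"src_ip": "10.0.5.23", "dst_ip": "10.0.20.11", "dst_port": 3389},  # user zone -> servers
    {"src_ip": "10.0.5.23", "dst_ip": "10.0.5.40", "dst_port": 3389},   # inside user zone
    {"src_ip": "10.0.5.23", "dst_ip": "10.0.20.11", "dst_port": 445},   # SMB, not RDP
]
ZONES = {
    "jump": ipaddress.ip_network("10.0.1.0/24"),
    "users": ipaddress.ip_network("10.0.5.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
}


def rdp_logons(events):
    """Logon Session Creation: keep only 4624 events with LogonType 10."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]


def unapproved_sources(events, approved=APPROVED_RDP_SOURCES):
    """Logon Session Metadata: RDP logons not originating from an approved host."""
    return sorted({(e["user"], e["src_ip"], e["dst_host"])
                   for e in rdp_logons(events) if e["src_ip"] not in approved})


def fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Access pattern: users reaching >= min_hosts distinct destinations inside any sliding window."""
    by_user = defaultdict(list)
    for e in rdp_logons(events):
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["dst_host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = hosts
                break
    return hits


def drop_noisiest_accounts(events, top_n):
    """Noise reduction as in the analytic note: discard the top_n most frequent RDP accounts."""
    logons = rdp_logons(events)
    noisy = {u for u, _ in Counter(e["user"] for e in logons).most_common(top_n)}
    return [e for e in logons if e["user"] not in noisy], noisy


def zone_of(ip, zones=ZONES):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in zones.items() if addr in net), "unknown")


def cross_zone_rdp_flows(flows, zones=ZONES, approved=APPROVED_RDP_SOURCES, rdp_port=3389):
    """Network Traffic Flow: RDP crossing a zone boundary from a non-jump source.
    3389 is only the default port; a changed PortNumber needs protocol-based detection."""
    return [(f["src_ip"], f["dst_ip"]) for f in flows
            if f["dst_port"] == rdp_port and f["src_ip"] not in approved
            and zone_of(f["src_ip"], zones) != zone_of(f["dst_ip"], zones)]


if __name__ == "__main__":
    print("RDP logons:", len(rdp_logons(EVENTS)))
    print("Unapproved sources:", unapproved_sources(EVENTS))
    print("Fan-out:", fan_out(EVENTS))
    remaining, noisy = drop_noisiest_accounts(EVENTS, 2)
    print("After dropping", noisy, "->", len(remaining), "logons remain")
    print("Cross-zone RDP flows:", cross_zone_rdp_flows(FLOWS))
```

With the sample data, `bob` is flagged twice: his workstation is not an approved source, and he reaches three hosts within four minutes. `admin.jdoe` touches the same number of hosts but over six hours from a jump host, so neither rule fires; that contrast is the point of combining the source check with the time window rather than alerting on host count alone. The `top_n` cut-off is a tuning knob, not a fixed value: in this sample the two noisiest accounts are also the administrator and the attacker, which is exactly why the analytic note warns that the filter needs per-environment adjustment.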
Mitigation
ID | Name | Description
---|---|---
M1018 | User Account Management | Limit remote user permissions if remote access is necessary.
M1026 | Privileged Account Management | Consider removing the local Administrators group from the list of groups allowed to log in through RDP.
M1028 | Operating System Configuration | Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD Session Host server.
M1030 | Network Segmentation | Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network.
M1032 | Multi-factor Authentication | Use multi-factor authentication for remote logins.
M1035 | Limit Access to Resource Over Network | Use remote desktop gateways.
M1042 | Disable or Remove Feature or Program | Disable the RDP service if it is unnecessary.
M1047 | Audit | Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.