T1021.001: Remote Desktop Protocol

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

  • remote_work: PT-CR-429: RDP_Login_From_Known_UNIX_Host: Connection from a known Unix host via RDP
  • remote_work: PT-CR-2560: RDP_Login_From_Internet: Login to the system via RDP from the internet. RDP is usually used by system administrators to remotely manage a system within a network.
  • remote_work: PT-CR-1826: RDP_Suspicious_Client: A headless (non-GUI) RDP connection attempt using the ActiveX client, which may indicate lateral movement
  • unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host
  • unix_mitre_attck_lateral_movement: PT-CR-1698: Subrule_Unix_PortForwarding: Possible traffic tunneling
  • mitre_attck_lateral_movement: PT-CR-2462: Multiple_RDP_From_One_User_Or_Host: Multiple RDP connections from one host or account. This may indicate an attacker's hidden movement from one compromised system to another.
  • mitre_attck_lateral_movement: PT-CR-788: Shadow_Key_Creation: Creation of the Shadow registry key to establish a shadow RDP connection is detected
  • mitre_attck_lateral_movement: PT-CR-1825: RDP_Shared_Mountpoint_Usage: The RDP shared mount point tsclient was used on the target host, which may indicate lateral movement
  • mitre_attck_lateral_movement: PT-CR-1697: Subrule_Windows_Logon: Subrule detects successful and unsuccessful SMB/RDP connections
  • profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.
  • profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1042: Update_Server_Abnormal_Access: Suspicious logon to the update server (FLUS/GUS). Authentication data differ from the collected profile.
  • profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
  • profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: Suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
  • profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager workstation. Authentication data differ from the collected profile.
  • profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
  • hacking_tools: PT-CR-1725: Cobalt_Strike_HiddenDesktop: Cobalt Strike HiddenDesktop module activity. This module is used to interact with a remote desktop without the user's knowledge.
  • hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions.

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description:

Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).

The Remote Desktop Protocol (RDP), built into Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows interactive access to the running windows and forwards key presses, mouse clicks, etc. Network administrators, power users, and end users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to move laterally to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but it is useful in identifying the scope of a compromise. Remote Desktop can be detected in several ways:

  • Network connections to port 3389/tcp (assuming use of the default port)
  • Packet capture analysis
  • Detecting network connections from mstsc.exe
  • Execution of the process rdpclip.exe
      • Runs as the clipboard manager on the RDP target if clipboard sharing is enabled

Analytic 1

source="Zeek:" AND (port="3389") AND LogonType="10"

ID: DS0028
Data source and component: Logon Session: Logon Session Creation
Description:

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

This can be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building logon timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.

Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. This is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.

Analytic 1

source="*WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778) |search user NOT IN top limit=30

ID: DS0029
Data source and component: Network Traffic: Network Connection Creation
Description:

Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.

ID: DS0028
Data source and component: Logon Session: Logon Session Metadata
Description:

Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Analytic 1

source="WinEventLog:Security" EventCode="4624" AND LogonType="10" AND AuthenticationPackageName="Negotiate" AND TargetUserName="Admin"
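The two logon-session checks above (an account reaching several systems in a short period, and RDP logons compared against known/approved originating systems) as one added example, not code from the Positive Technologies page; it runs over constructed 4624 events already parsed into fields, and the APPROVED_SOURCES allow-list, the 30-minute window and the threshold of 3 hosts are assumptions.

```python
"""Flag RDP logons (EID 4624, LogonType 10) from hosts outside an approved
admin-workstation set, and accounts that RDP into many hosts in a short window.
All event data below is constructed sample data; the allow-list is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list: workstations from which admin RDP sessions are expected.
APPROVED_SOURCES = {"10.10.5.20", "10.10.5.21"}


def ev(time, host, user, logon_type, src):
    """Build one parsed 4624 event (host = target, src = IpAddress field)."""
    return {"time": time, "host": host, "user": user,
            "logon_type": logon_type, "src": src}


# Constructed sample events. svc_backup is a network (type 3) logon, not RDP.
SAMPLE_EVENTS = [
    ev("2024-03-01T09:00:00", "SRV-FILE01", "jsmith", 10, "10.10.5.20"),
    ev("2024-03-01T09:02:00", "SRV-DB01", "svc_backup", 3, "10.10.8.9"),
    ev("2024-03-01T09:05:00", "SRV-APP01", "jsmith", 10, "10.10.7.44"),
    ev("2024-03-01T09:12:00", "SRV-DB01", "jsmith", 10, "10.10.7.44"),
    ev("2024-03-01T09:20:00", "SRV-DC01", "jsmith", 10, "10.10.7.44"),
    ev("2024-03-01T10:00:00", "SRV-DC01", "amiller", 10, "10.10.5.21"),
]


def rdp_logons(events):
    """Keep only interactive remote (RDP) logons: 4624 with LogonType 10."""
    return [e for e in events if e["logon_type"] == 10]


def unapproved_sources(events):
    """RDP logons whose source address is not an approved admin workstation."""
    return [e for e in rdp_logons(events) if e["src"] not in APPROVED_SOURCES]


def fan_out(events, window=timedelta(minutes=30), threshold=3):
    """Accounts that RDP into at least `threshold` distinct hosts within `window`.
    Returns {user: sorted list of hosts} for the first window that trips it."""
    by_user = defaultdict(list)
    for e in sorted(rdp_logons(events), key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            hosts = {x["host"] for x in evs[i:]
                     if datetime.fromisoformat(x["time"]) - t0 <= window}
            if len(hosts) >= threshold:
                hits[user] = sorted(hosts)
                break
    return hits
```

Both checks are starting points in the same sense as the analytics above: the allow-list and the window/threshold need tuning per environment before they are quiet enough to alert on.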

Mitigation

ID: M1018
Name: User Account Management
Description:

Limit remote user permissions if remote access is necessary.

ID: M1026
Name: Privileged Account Management
Description:

Consider removing the local Administrators group from the list of groups allowed to log in through RDP.

ID: M1028
Name: Operating System Configuration
Description:

Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD Session Host server.

ID: M1030
Name: Network Segmentation
Description:

Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network.

ID: M1032
Name: Multi-factor Authentication
Description:

Use multi-factor authentication for remote logins.

ID: M1035
Name: Limit Access to Resource Over Network
Description:

Use remote desktop gateways.

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Disable the RDP service if it is unnecessary.

ID: M1047
Name: Audit
Description:

Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from the Remote Desktop Users group.