CAR-2013-07-002: RDP Connection Detection
The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary’s perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.
Remote Desktop can be detected in several ways
- Network connections to port 3389/tcp (assuming use of the default port)
- Packet capture analysis
- Windows security logs (Event ID 4624, 4634, 4647, 4778)
- Detecting network connections from
mstsc.exe - Execution of the process
rdpclip.exe - Runs as the clipboard manager on the RDP target if clipboard sharing is enabled
Output Description
The time of the Connection, the source, the destination, and the user name used
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Remote Services | Remote Desktop Protocol | Lateral Movement | Medium |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-RTSD | Remote Terminal Session Detection |
Data Model References
| Object | Action | Field |
|---|---|---|
| flow | end | dest_port |
| flow | start | dest_ip |
| flow | start | dest_port |
| flow | start | src_ip |
Implementations
Pseudocode
flow_start = search Flow:Start
flow_end = search Flow:End
rdp_start = filter flow_start where (port == "3389")
rdp_end = filter flow_start where (port == "3389")
rdp = group flow_start, flow_end by src_ip, src_port, dest_ip, dest_port
output rdp
Sigma (Localhost Login) (Sigma)
Sigma rule, focusing on RDP localhost login.