The Remote Desktop Protocol (RDP), built into Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It gives interactive access to the running windows and forwards key presses, mouse clicks, etc. Network administrators, power users, and end users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to move laterally to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but doing so is useful in identifying the scope of a compromise.

Remote Desktop can be detected in several ways:

  • Network connections to port 3389/tcp (assuming use of the default port)
  • Packet capture analysis
  • Windows security logs (Event IDs 4624, 4634, 4647, 4778)
  • Detecting network connections from mstsc.exe
  • Execution of the process rdpclip.exe
      • Runs as the clipboard manager on the RDP target if clipboard sharing is enabled

Output Description

The time of the connection, the source, the destination, and the user name used.

ATT&CK Detections

Technique       | Subtechnique(s)          | Tactic(s)        | Level of Coverage
Remote Services | Remote Desktop Protocol  | Lateral Movement | Medium

D3FEND Techniques

ID      | Name
D3-RTSD | Remote Terminal Session Detection

Data Model References

Object | Action | Field
flow   | end    | dest_port
flow   | start  | dest_ip
flow   | start  | dest_port
flow   | start  | src_ip

Implementations

Pseudocode

flow_start = search Flow:Start
flow_end = search Flow:End
rdp_start = filter flow_start where (dest_port == "3389")
rdp_end = filter flow_end where (dest_port == "3389")
rdp = group rdp_start, rdp_end by src_ip, src_port, dest_ip, dest_port
output rdp
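The pseudocode above, worked through in Python as an added example (not part of the original analytic). The flow records are constructed, with field names taken from the Data Model References; a Flow:Start that has no matching Flow:End is reported as a still-open session. The user name from the Output Description is not carried in flow data and is omitted here.

```python
from collections import defaultdict

# Constructed sample flow events (not real traffic): one dict per Flow:Start /
# Flow:End event, keyed with the CAR data model field names.
FLOWS = [
    {"action": "start", "time": "2013-07-02T09:00:00", "src_ip": "10.0.0.5",
     "src_port": 49210, "dest_ip": "10.0.0.20", "dest_port": 3389},
    {"action": "start", "time": "2013-07-02T09:01:00", "src_ip": "10.0.0.5",
     "src_port": 49211, "dest_ip": "10.0.0.21", "dest_port": 443},
    {"action": "start", "time": "2013-07-02T09:02:00", "src_ip": "10.0.0.7",
     "src_port": 50001, "dest_ip": "10.0.0.20", "dest_port": 3389},
    {"action": "end", "time": "2013-07-02T09:30:00", "src_ip": "10.0.0.5",
     "src_port": 49210, "dest_ip": "10.0.0.20", "dest_port": 3389},
]

RDP_PORT = 3389  # default RDP port; adjust if the environment uses another


def five_tuple(flow):
    """Grouping key that pairs a Flow:Start with its Flow:End."""
    return (flow["src_ip"], flow["src_port"], flow["dest_ip"], flow["dest_port"])


def rdp_sessions(flows, rdp_port=RDP_PORT):
    """Filter both event types to the RDP port, then group starts and ends by
    src_ip/src_port/dest_ip/dest_port. Returns one record per session, in
    start-time order; 'end' is None when no matching Flow:End was seen."""
    rdp_start = [f for f in flows if f["action"] == "start" and f["dest_port"] == rdp_port]
    rdp_end = [f for f in flows if f["action"] == "end" and f["dest_port"] == rdp_port]
    # ISO-8601 timestamps sort correctly as strings.
    ends = defaultdict(list)
    for f in sorted(rdp_end, key=lambda f: f["time"]):
        ends[five_tuple(f)].append(f["time"])
    sessions = []
    for f in sorted(rdp_start, key=lambda f: f["time"]):
        key = five_tuple(f)
        # Take the earliest end at or after this start so a reused source port
        # is not matched to an end that belongs to an older session.
        end = next((t for t in ends[key] if t >= f["time"]), None)
        if end is not None:
            ends[key].remove(end)
        sessions.append({"start": f["time"], "end": end,
                         "src_ip": f["src_ip"], "dest_ip": f["dest_ip"]})
    return sessions


if __name__ == "__main__":
    for s in rdp_sessions(FLOWS):
        print(s)
```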

Sigma (Localhost Login)

Sigma rule focusing on RDP localhost login.