The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary’s perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.
Remote Desktop can be detected in several ways
- Network connections to port 3389/tcp (assuming use of the default port)
- Packet capture analysis
- Windows security logs (Event ID 4624, 4634, 4647, 4778)
- Detecting network connections from
- Execution of the process
- Runs as the clipboard manager on the RDP target if clipboard sharing is enabled
The time of the Connection, the source, the destination, and the user name used
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Remote Services||Remote Desktop Protocol||Lateral Movement||Medium|
|D3-RTSD||Remote Terminal Session Detection|
Data Model References
flow_start = search Flow:Start flow_end = search Flow:End rdp_start = filter flow_start where (port == "3389") rdp_end = filter flow_start where (port == "3389") rdp = group flow_start, flow_end by src_ip, src_port, dest_ip, dest_port output rdp
Sigma (Localhost Login) (Sigma)
Sigma rule, focusing on RDP localhost login.