A remote desktop logon over RDP may be typical of a system administrator or IT support staff, but it should normally originate only from a small set of designated workstations. Monitoring remote desktop logons and comparing the originating system against a list of known, approved sources can detect lateral movement by an adversary.
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Valid Accounts | Lateral Movement | Moderate |
Look in the system logs for remote logons using RDP
```
[EventCode] == 4624 and [AuthenticationPackageName] == 'Negotiate' and [Severity] == "Information" and [LogonType] == 10
```
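The pseudocode above only selects the RDP logon events; the analytic's value comes from comparing each event's source against an allowlist of approved originating systems. The following Python script is an added example and is not part of the original analytic: it applies the same field conditions to a constructed batch of JSON-lines Security events (all hostnames, usernames and addresses are invented) and reports every successful RDP logon whose source IP is not in a constructed `APPROVED_RDP_SOURCES` allowlist.

```python
import json

# Constructed sample of Windows Security events in JSON-lines form, as a SIEM
# might export them. Every hostname, account and address here is invented.
SAMPLE_EVENTS = """\
{"EventCode": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate", "Severity": "Information", "TargetUserName": "admin.jsmith", "IpAddress": "10.0.50.10", "WorkstationName": "ADMIN-JUMP01", "ComputerName": "FS01"}
{"EventCode": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate", "Severity": "Information", "TargetUserName": "svc_backup", "IpAddress": "10.0.20.77", "WorkstationName": "WS-ACCT-14", "ComputerName": "FS01"}
{"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "Severity": "Information", "TargetUserName": "jdoe", "IpAddress": "10.0.20.5", "WorkstationName": "WS-ENG-03", "ComputerName": "FS01"}
{"EventCode": 4624, "LogonType": 10, "AuthenticationPackageName": "NTLM", "Severity": "Information", "TargetUserName": "admin.jsmith", "IpAddress": "10.0.50.10", "WorkstationName": "ADMIN-JUMP01", "ComputerName": "DC01"}
{"EventCode": 4625, "LogonType": 10, "AuthenticationPackageName": "Negotiate", "Severity": "Information", "TargetUserName": "admin.jsmith", "IpAddress": "10.0.20.77", "WorkstationName": "WS-ACCT-14", "ComputerName": "DC01"}
"""

# Constructed allowlist of workstations from which RDP administration is expected.
APPROVED_RDP_SOURCES = {"10.0.50.10", "10.0.50.11"}


def parse_events(text):
    """Parse JSON-lines event export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_rdp_logon(event):
    """Mirror the analytic's pseudocode: successful, interactive-remote logon
    (type 10) authenticated via the Negotiate package."""
    return (
        event.get("EventCode") == 4624
        and event.get("AuthenticationPackageName") == "Negotiate"
        and event.get("Severity") == "Information"
        and event.get("LogonType") == 10
    )


def find_unapproved_rdp_logons(events, approved_sources):
    """Return the RDP logon events whose originating IP is not on the allowlist.

    Each returned dict is the original event plus a short 'reason' field so the
    output can be forwarded to a ticketing or alerting pipeline as-is.
    """
    alerts = []
    for event in events:
        if not is_rdp_logon(event):
            continue
        source_ip = event.get("IpAddress", "")
        if source_ip not in approved_sources:
            alert = dict(event)
            alert["reason"] = (
                f"RDP logon to {event.get('ComputerName')} as "
                f"{event.get('TargetUserName')} from unapproved source "
                f"{source_ip} ({event.get('WorkstationName')})"
            )
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_rdp_logons(parse_events(SAMPLE_EVENTS), APPROVED_RDP_SOURCES):
        print(alert["reason"])
```

In the sample, only the logon by `svc_backup` from `10.0.20.77` is reported: the first event comes from an approved jump host, the third is a network logon rather than RDP, the fourth uses NTLM instead of Negotiate and so falls outside the analytic's condition, and the last is a failed logon (4625). In production the allowlist would be keyed on whatever identifier is stable in your environment (source IP, workstation name, or both), and the matching events should be correlated with change tickets before being treated as lateral movement.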
Data Model References