A remote desktop logon over RDP may be normal for a system administrator or IT support staff, but typically only from a small set of known workstations. Monitoring remote desktop logons and comparing the originating system against that known/approved set can detect an adversary's lateral movement.

ATT&CK Detection

Technique        Tactic              Level of Coverage
Valid Accounts   Lateral Movement    Moderate

Pseudocode

Look in the system logs for successful remote logons using RDP (Windows Security event 4624 with logon type 10):

[EventCode] == 4624 and
[AuthenticationPackageName] == "Negotiate" and
[Severity] == "Information" and
[LogonType] == 10
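The pseudocode above applied to constructed Windows Security 4624 records, together with the comparison against approved originating systems that the description calls for. This is an added example, not code from the CAR page; the event field names follow the EventData names of event 4624, while the sample records, IP addresses, host names and allow-list are invented.

```python
# Added example: the analytic's pseudocode run over constructed 4624 records,
# with the "known/approved originating systems" check from the description.

# Constructed sample events (not captured logs). Keys follow the EventData
# field names of Security event 4624.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "AuthenticationPackageName": "Negotiate", "Severity": "Information",
     "LogonType": 10, "TargetUserName": "itadmin", "IpAddress": "10.0.5.20", "WorkstationName": "IT-JUMP01"},
    {"EventCode": 4624, "AuthenticationPackageName": "Negotiate", "Severity": "Information",
     "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.40.77", "WorkstationName": "FIN-WS12"},
    # Network logon (type 3) over Kerberos: not an RDP session, must not match.
    {"EventCode": 4624, "AuthenticationPackageName": "Kerberos", "Severity": "Information",
     "LogonType": 3, "TargetUserName": "itadmin", "IpAddress": "10.0.40.77", "WorkstationName": "FIN-WS12"},
    # Failed logon (4625): the analytic only looks at successful logons.
    {"EventCode": 4625, "AuthenticationPackageName": "Negotiate", "Severity": "Information",
     "LogonType": 10, "TargetUserName": "itadmin", "IpAddress": "10.0.40.77", "WorkstationName": "FIN-WS12"},
]

# Hypothetical allow-list: source addresses from which RDP is expected.
APPROVED_RDP_SOURCES = {"10.0.5.20", "10.0.5.21"}


def is_rdp_logon(event):
    """Direct translation of the page's pseudocode: a successful RDP (type 10) logon."""
    return (event.get("EventCode") == 4624
            and event.get("AuthenticationPackageName") == "Negotiate"
            and event.get("Severity") == "Information"
            and event.get("LogonType") == 10)


def unapproved_rdp_logons(events, approved_sources):
    """Return (user, source IP, workstation) for RDP logons whose source is not approved."""
    hits = []
    for event in events:
        if is_rdp_logon(event) and event.get("IpAddress") not in approved_sources:
            hits.append((event["TargetUserName"], event["IpAddress"], event["WorkstationName"]))
    return hits


if __name__ == "__main__":
    for user, ip, host in unapproved_rdp_logons(SAMPLE_EVENTS, APPROVED_RDP_SOURCES):
        print(f"RDP logon for {user} from unapproved source {ip} ({host})")
```

In a real deployment the allow-list would be keyed on the jump hosts or admin workstations the organisation actually uses, and the same filter expressed in the SIEM's query language.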

Data Model References

Object        Action        Field
usersession   interactive   logontype