A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

ATT&CK Detection

Technique         Subtechnique(s)            Tactic(s)          Level of Coverage
Remote Services   Remote Desktop Protocol    Lateral Movement   Moderate

Implementations

Pseudocode

Search the Windows event logs for successful logons (event 4624) with logon type 10, the remote interactive logon type that an RDP session produces.

[EventCode] == 4624 and
[AuthenticationPackageName] == "Negotiate" and
[Severity] == "Information" and
[LogonType] == 10
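As an added example (not part of the original analytic), the pseudocode filter above combined with the comparison against known/approved originating systems from the description, run over constructed event records. Field names follow the pseudocode; APPROVED_SOURCES and the sample events are constructed assumptions.

```python
"""Detect RDP logons (4624 / LogonType 10) whose origin is not an approved system."""
from dataclasses import dataclass

# Constructed allowlist: jump host names/addresses from which admin RDP is expected.
APPROVED_SOURCES = {"JUMP01", "10.0.5.10"}

# Constructed sample records shaped like normalized Windows Security log events.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Severity": "Information", "AuthenticationPackageName": "Negotiate",
     "LogonType": 10, "TargetUserName": "admin", "WorkstationName": "JUMP01",
     "IpAddress": "10.0.5.10", "Computer": "FILESRV01"},
    {"EventCode": 4624, "Severity": "Information", "AuthenticationPackageName": "Negotiate",
     "LogonType": "10", "TargetUserName": "svc_backup", "WorkstationName": "DESKTOP-7QX",
     "IpAddress": "10.0.12.77", "Computer": "FILESRV01"},
    {"EventCode": 4624, "Severity": "Information", "AuthenticationPackageName": "Kerberos",
     "LogonType": 3, "TargetUserName": "alice", "WorkstationName": "WS-ALICE",
     "IpAddress": "10.0.12.20", "Computer": "FILESRV01"},
    {"EventCode": 4625, "Severity": "Information", "AuthenticationPackageName": "Negotiate",
     "LogonType": 10, "TargetUserName": "admin", "WorkstationName": "UNKNOWN-PC",
     "IpAddress": "10.0.12.99", "Computer": "FILESRV01"},
]

@dataclass(frozen=True)
class Alert:
    computer: str
    user: str
    workstation: str
    ip: str

def is_rdp_logon(event: dict) -> bool:
    """Apply the pseudocode filter: successful logon, Negotiate, Information, type 10."""
    try:
        code = int(event.get("EventCode", -1))
        logon_type = int(event.get("LogonType", -1))  # some pipelines emit "10" as a string
    except (TypeError, ValueError):
        return False
    return (code == 4624 and event.get("AuthenticationPackageName") == "Negotiate"
            and event.get("Severity") == "Information" and logon_type == 10)

def find_unapproved_rdp_logons(events, approved=APPROVED_SOURCES):
    """Return one Alert per RDP logon whose workstation name and IP are both unapproved."""
    alerts = []
    for ev in events:
        if not is_rdp_logon(ev):
            continue
        ws, ip = ev.get("WorkstationName", "-"), ev.get("IpAddress", "-")
        if ws in approved or ip in approved:  # "-" (field not logged) never matches
            continue
        alerts.append(Alert(ev.get("Computer", "?"), ev.get("TargetUserName", "?"), ws, ip))
    return alerts

if __name__ == "__main__":
    for a in find_unapproved_rdp_logons(SAMPLE_EVENTS):
        print(f"RDP logon on {a.computer} as {a.user} from {a.workstation} ({a.ip}) is not approved")
```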

Sigma

Sigma version of the above pseudocode, with some modifications.