A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing them against known/approved originating systems can detect lateral movement by an adversary.

ATT&CK Detection

Technique          Subtechnique(s)            Tactic(s)           Level of Coverage
Remote Services    Remote Desktop Protocol    Lateral Movement    Moderate

Applicable Sensors

Not computed

Implementations

Pseudocode

Look in the system logs for remote logons using RDP.

[EventCode] == 4624 and
[AuthenticationPackageName] == 'Negotiate' and
[Severity] == "Information" and
[LogonType] == 10
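The following is an added example, not part of the CAR analytic itself, showing the pseudocode above applied to event records and extended with the allowlist comparison described in the first paragraph. It assumes events arrive as one JSON object per line with Windows Security field names (EventCode, AuthenticationPackageName, Severity, LogonType, IpAddress, WorkstationName, TargetUserName); the sample events and the approved-source list are constructed for illustration.

```python
import json
from typing import Iterable

# Approved RDP source systems: a constructed allowlist, assumed for this example.
# In practice it would come from an inventory of admin jump hosts or workstations.
APPROVED_RDP_SOURCES = {"10.0.5.10", "10.0.5.11"}

# Constructed Windows Security event records, one JSON object per line, in the
# shape a log forwarder might emit. These are sample values, not real logs.
SAMPLE_EVENTS = [
    # RDP logon from an approved jump host: expected, no alert
    json.dumps({"EventCode": 4624, "AuthenticationPackageName": "Negotiate",
                "Severity": "Information", "LogonType": 10,
                "TargetUserName": "itadmin", "IpAddress": "10.0.5.10",
                "WorkstationName": "JUMP01"}),
    # RDP logon from a workstation that is not on the allowlist: alert
    json.dumps({"EventCode": 4624, "AuthenticationPackageName": "Negotiate",
                "Severity": "Information", "LogonType": 10,
                "TargetUserName": "svc_backup", "IpAddress": "192.168.77.23",
                "WorkstationName": "WS-FINANCE-07"}),
    # Network logon (type 3), not RDP: ignored by the analytic
    json.dumps({"EventCode": 4624, "AuthenticationPackageName": "Kerberos",
                "Severity": "Information", "LogonType": 3,
                "TargetUserName": "itadmin", "IpAddress": "10.0.5.10",
                "WorkstationName": "JUMP01"}),
    # Failed logon (4625), not a successful RDP session: ignored
    json.dumps({"EventCode": 4625, "AuthenticationPackageName": "Negotiate",
                "Severity": "Information", "LogonType": 10,
                "TargetUserName": "itadmin", "IpAddress": "192.168.77.23",
                "WorkstationName": "WS-FINANCE-07"}),
    # Malformed record, to show the parser tolerates it
    "not valid json {",
]


def is_rdp_logon(event: dict) -> bool:
    """The analytic's pseudocode: successful logon (4624), Negotiate package,
    Information severity, logon type 10 (RemoteInteractive, i.e. RDP)."""
    return (
        event.get("EventCode") == 4624
        and event.get("AuthenticationPackageName") == "Negotiate"
        and event.get("Severity") == "Information"
        and event.get("LogonType") == 10
    )


def parse_events(lines: Iterable[str]) -> list:
    """Parse JSON event lines, skipping malformed records so that one bad
    line does not stop the whole batch."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_rdp_logons(lines: Iterable[str]) -> list:
    """All events matching the analytic, before any allowlist comparison."""
    return [e for e in parse_events(lines) if is_rdp_logon(e)]


def find_unapproved_rdp_logons(lines: Iterable[str], approved_sources: set) -> list:
    """RDP logons whose originating IP is not among the approved systems.
    These are the candidates for lateral-movement investigation."""
    return [e for e in find_rdp_logons(lines)
            if e.get("IpAddress") not in approved_sources]


if __name__ == "__main__":
    for alert in find_unapproved_rdp_logons(SAMPLE_EVENTS, APPROVED_RDP_SOURCES):
        print(f"ALERT: RDP logon as {alert['TargetUserName']} from unapproved "
              f"source {alert['IpAddress']} ({alert['WorkstationName']})")
```

The allowlist is keyed on the source IP because that is what 4624 records in IpAddress; if workstations use DHCP, keying on WorkstationName (or both fields) is more stable, but that value is supplied by the client and should not be trusted on its own.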

Sigma

Sigma version of the above pseudocode, with some modifications.

Logpoint

LogPoint version of the above pseudocode.

norm_id=WinServer event_id=4624 package="Negotiate" log_level="INFO" logon_type=10