Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.(Citation: Alperovitch Malware)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
network_security_groups | Network Security Groups | technique_scores | T1021.001 | Remote Desktop Protocol |
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
azure_sentinel | Azure Sentinel | technique_scores | T1021.001 | Remote Desktop Protocol |
Comments
The Azure Sentinel Hunting "anomalous RDP Activity" query can detect potential lateral
movement employing RDP.
The following Azure Sentinel Analytics queries can identify potentially malicious use
of RDP:
"Anomalous RDP Login Detections", "Multiple RDP connections from Single Systems",
"Rare RDP Connections", and "RDP Nesting".
References
|
azure_policy | Azure Policy | technique_scores | T1021.001 | Remote Desktop Protocol |
Comments
This control may provide recommendations to restrict public access to Remote Desktop Protocol.
References
|
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1021.001 | Remote Desktop Protocol |
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
|