T1021.001 Remote Desktop Protocol Mappings

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.(Citation: Alperovitch Malware)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-11 Device Lock Protects T1021.001 Remote Desktop Protocol
AC-12 Session Termination Protects T1021.001 Remote Desktop Protocol
AC-17 Remote Access Protects T1021.001 Remote Desktop Protocol
AC-2 Account Management Protects T1021.001 Remote Desktop Protocol
AC-20 Use of External Systems Protects T1021.001 Remote Desktop Protocol
AC-3 Access Enforcement Protects T1021.001 Remote Desktop Protocol
AC-4 Information Flow Enforcement Protects T1021.001 Remote Desktop Protocol
AC-5 Separation of Duties Protects T1021.001 Remote Desktop Protocol
AC-6 Least Privilege Protects T1021.001 Remote Desktop Protocol
AC-7 Unsuccessful Logon Attempts Protects T1021.001 Remote Desktop Protocol
CA-8 Penetration Testing Protects T1021.001 Remote Desktop Protocol
CM-2 Baseline Configuration Protects T1021.001 Remote Desktop Protocol
CM-5 Access Restrictions for Change Protects T1021.001 Remote Desktop Protocol
CM-6 Configuration Settings Protects T1021.001 Remote Desktop Protocol
CM-7 Least Functionality Protects T1021.001 Remote Desktop Protocol
CM-8 System Component Inventory Protects T1021.001 Remote Desktop Protocol
IA-2 Identification and Authentication (organizational Users) Protects T1021.001 Remote Desktop Protocol
IA-4 Identifier Management Protects T1021.001 Remote Desktop Protocol
IA-5 Authenticator Management Protects T1021.001 Remote Desktop Protocol
IA-6 Authentication Feedback Protects T1021.001 Remote Desktop Protocol
RA-5 Vulnerability Monitoring and Scanning Protects T1021.001 Remote Desktop Protocol
SC-46 Cross Domain Policy Enforcement Protects T1021.001 Remote Desktop Protocol
SC-7 Boundary Protection Protects T1021.001 Remote Desktop Protocol
SI-4 System Monitoring Protects T1021.001 Remote Desktop Protocol

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
network_security_groups Network Security Groups technique_scores T1021.001 Remote Desktop Protocol
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
    azure_sentinel Azure Sentinel technique_scores T1021.001 Remote Desktop Protocol
    Comments
    The Azure Sentinel Hunting "anomalous RDP Activity" query can detect potential lateral movement employing RDP. The following Azure Sentinel Analytics queries can identify potentially malicious use of RDP: "Anomalous RDP Login Detections", "Multiple RDP connections from Single Systems", "Rare RDP Connections", and "RDP Nesting".
    References
      azure_policy Azure Policy technique_scores T1021.001 Remote Desktop Protocol
      Comments
      This control may provide recommendations to restrict public access to Remote Desktop Protocol.
      References
        azure_network_traffic_analytics Azure Network Traffic Analytics technique_scores T1021.001 Remote Desktop Protocol
        Comments
        This control can detect anomalous traffic with respect to remote access protocols and groups.
        References