Find sigma rule

Attack: Remote Services: Remote Desktop Protocol

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.(Citation: Alperovitch Malware)

MITRE

Tactic

lateral-movement

technique

T1021.001

Test : RDP to DomainController

OS

windows

Description:

Attempt an RDP session via Remote Desktop Application to a DomainController.

Executor

powershell

Sigma Rule

proc_creation_win_mstsc_remote_connection.yml (id: 954f0af7-62dd-418f-b3df-a84bc2c7a774)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test