detection.wiki

ATT&CK coverage › Technique

Remote Services: Remote Desktop Protocol T1021.001

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Events covered

9 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon3Network connection
Sysmon11FileCreate
Sysmon13RegistryEvent (Value Set)
Security-Auditing4624An account was successfully logged on.
Security-Auditing4688A new process has been created.
Security-Auditing4825A user was denied the access to Remote Desktop.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 23 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (21 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine9match 7, eq 2, in 1 -R , /v:, C:\ProgramData\Microsoft\WSL\wslg.rdp, TSEnabled, EnableConcurrentSessions
Image8ends_with 8, eq 1, is_null 1, starts_with 1\svchost.exe, \mstsc.exe, \Passwordstate.exe, \RSSensor.exe, C:\Program Files\Mozilla Firefox\firefox.exe
SourcePort4eq 43389, 53
registry_path4eq 4"*\\System\\CurrentControlSet\\Services\\SharedAccess\\Pa..., "*\\Microsoft\\Terminal Server Client\\Servers\\*", "*\\Control\\Terminal Server\\fAllowToGetHelp*", "*\\Control\\Terminal Server\\fDenyTSConnections*"
OriginalFileName3eq 3mstsc.exe, reg.exe, PowerShell.EXE, wmic.exe, pwsh.dll
Initiated3eq 3true
DestinationPort3eq 33389, 80, 443
Details3eq 3"*|Action=Allow|*", "*|LPort=*", "*|Dir=In|*", "0x00000001", "0x00000000"
process_name3eq 2, ne 1mstsc.exe, "attrib.exe", "mstsc.exe"
src_ip2eq 2, starts_with 1::1, 127.0.0.1, 127.
LogonType2eq 210
dest_ip2cidr_match 1, starts_with 1, eq 1::1/128, 127.0.0.0/8, 127., ::1
EventID2eq 24104, 4624
ParentImage1eq 1C:\Windows\System32\lxss\wslhost.exe
Protocol1eq 1udp

Top indicator values (120 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Initiatedeqtrue340
SourcePorteq338933
DestinationPorteq338923
Imageends_with\thor.exe27
Imageends_with\thor64.exe26
CommandLinematch -R 24
LogonTypeeq1024
src_ipeq::125
Imageends_with\svchost.exe220
OriginalFileNameeqmstsc.exe14
ParentImageeqC:\Windows\System32\lxss\wslhost.exe12
CommandLinematch /v:1
CommandLinematchC:\ProgramData\Microsoft\WSL\wslg.rdp12
Imageends_with\mstsc.exe15
Imageends_with\Avast Software\Avast\AvastSvc.exe1
ImageeqC:\Program Files\TSplus\Java\bin\HTML5service.exe1
Imageends_with\FSDiscovery.exe1
Imageends_with\RemoteDesktopManagerFree.exe1
Imageends_with\RTSApp.exe1
Imageeq<unknown process>12

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 13 rules

Splunk 10 rules