Keypoints
- Adversaries use valid credentials to authenticate over RDP and operate as the logged-on user.
- RDP provides a graphical interactive session, enabling hands-on control of remote systems.
- Credential theft and reuse are common precursors to RDP-based lateral movement.
- Persistence can be achieved by combining RDP with accessibility features or Terminal Services DLL modifications.
- Detection relies on correlating logon sessions, network connections, and post-login process activity.
Description:
- Like someone using a spare key to walk into an office and work from the CEO's desk, attackers use stolen credentials to log into another user's desktop and act with their privileges.
- Attackers authenticate to a remote Windows desktop via RDP/RDS using compromised or otherwise valid accounts, then work interactively as that user: moving laterally, running tools, transferring files (including over RDP clipboard and drive redirection), or establishing persistence. This matters because the session is a legitimate, TLS-encrypted administrative channel, so network-only controls see an authorized user connecting to a permitted service and little else.
Detection:
- Collect Logon Session Creation events (Windows Security Event ID 4624 with logon type 10, RemoteInteractive, plus 4778/4779 for session reconnect and disconnect) and correlate the Workstation Name and Source Network Address fields against known jump hosts; alert on unusual source IPs or hosts.
- Monitor network connection creation and flows for sessions to RDP ports (default TCP 3389, with UDP 3389 used by the RDP-UDP transport) and flag long-lived or repeated connections from uncommon sources; since the payload is encrypted, the value of flow data is the endpoints, timing, and duration, not content.
- Track account access patterns and alert when users log into systems they do not normally access or access many systems in a short window.
- Inspect process creation tied to the RDP logon session (Sysmon Event ID 1 or Security 4688, joined to the 4624 event on the logon ID) for suspicious tools, command shells, credential dumping, or lateral movement utilities; collect Sysmon/ETW process events for context.
- Use authentication telemetry (AD logs, RDS logs such as TerminalServices-RemoteConnectionManager 1149 and TerminalServices-LocalSessionManager 21/24/25, VPN logs) and enrich with threat intelligence and geolocation to spot anomalous remote logins and impossible-travel events.
- Watch for persistence indicators related to RDP: altered Terminal Services DLLs (termsrv.dll), accessibility feature modifications, changed RDP configuration (for example fDenyTSConnections set to 0 or a changed listener PortNumber under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server), or unexpected service creations.
- Mitigate false positives by building baselines per user/role, excluding known jump hosts, and combining multiple signals (logon, network, process) before alerting.
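The correlation the Detection bullets describe, worked through on constructed telemetry. This is an added example, not code from the page or from any vendor product: the events are made-up dicts shaped loosely after Security 4624 and Sysmon event 1, and the baselines, jump-host list, suspicious-image list, signal weights and thresholds are assumptions a SOC would replace with values derived from its own history. The logon ID is the field that ties a process back to the RDP session that spawned it.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), shaped loosely after Security
# event 4624 (logon) and Sysmon event 1 (process creation). Security 4624's
# TargetLogonId and Sysmon's LogonId are the join key between the two.
EVENTS = [
    # jdoe: RDP into a file server at 02:13 from an address that is not a jump host,
    # followed by a shell and a credential-dumping tool in the same logon session
    {"ts": "2024-05-01T02:13:05", "event_id": 4624, "host": "FS01", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.9.8.7", "logon_id": "0x3E7A1"},
    {"ts": "2024-05-01T02:13:40", "event_id": 1, "host": "FS01", "user": "jdoe",
     "logon_id": "0x3E7A1", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2024-05-01T02:14:02", "event_id": 1, "host": "FS01", "user": "jdoe",
     "logon_id": "0x3E7A1", "image": "C:\\Temp\\procdump.exe"},
    # asmith: routine RDP from the jump host to her usual workstation
    {"ts": "2024-05-01T09:00:00", "event_id": 4624, "host": "WS22", "user": "asmith",
     "logon_type": 10, "src_ip": "10.1.1.50", "logon_id": "0x5B2C"},
    {"ts": "2024-05-01T09:00:12", "event_id": 1, "host": "WS22", "user": "asmith",
     "logon_id": "0x5B2C", "image": "C:\\Windows\\explorer.exe"},
    # admin_ops: three different hosts within nine minutes, all from the jump host
    {"ts": "2024-05-01T03:00:00", "event_id": 4624, "host": "DC01", "user": "admin_ops",
     "logon_type": 10, "src_ip": "10.1.1.50", "logon_id": "0x7A01"},
    {"ts": "2024-05-01T03:04:00", "event_id": 4624, "host": "FS02", "user": "admin_ops",
     "logon_type": 10, "src_ip": "10.1.1.50", "logon_id": "0x7A02"},
    {"ts": "2024-05-01T03:09:00", "event_id": 4624, "host": "APP03", "user": "admin_ops",
     "logon_type": 10, "src_ip": "10.1.1.50", "logon_id": "0x7A03"},
]

# Assumed per-user baselines and allow-lists; a real SOC derives these from history.
BASELINE_HOSTS = {"jdoe": {"WS10"}, "asmith": {"WS22"},
                  "admin_ops": {"DC01", "FS02", "APP03"}}
KNOWN_JUMP_HOSTS = {"10.1.1.50"}
SUSPICIOUS_IMAGES = {"cmd.exe", "powershell.exe", "procdump.exe",
                     "mimikatz.exe", "psexec.exe", "rundll32.exe"}
# Assumed scoring scheme: weak context signals need company, strong ones stand alone.
WEIGHTS = {"host_outside_baseline": 1, "source_not_jump_host": 1,
           "fan_out": 2, "suspicious_process": 2}
ALERT_THRESHOLD = 2


def parse_ts(value):
    return datetime.fromisoformat(value)


def rdp_logons(events):
    """Security 4624 with logon type 10 (RemoteInteractive) is an RDP logon."""
    return [e for e in events if e["event_id"] == 4624 and e.get("logon_type") == 10]


def processes_for_logon(events, logon, window=timedelta(minutes=30)):
    """Process-creation events on the same host with the same LogonId, inside the window."""
    start = parse_ts(logon["ts"])
    return [e for e in events
            if e["event_id"] == 1 and e["host"] == logon["host"]
            and e["logon_id"] == logon["logon_id"]
            and start <= parse_ts(e["ts"]) <= start + window]


def fan_out(logons, user, at, window=timedelta(minutes=15), threshold=3):
    """True when the user reached `threshold` distinct hosts over RDP in the window ending at `at`."""
    hosts = {l["host"] for l in logons
             if l["user"] == user and at - window <= parse_ts(l["ts"]) <= at}
    return len(hosts) >= threshold


def score_logon(logon, events, logons):
    """Return (score, signals) for one RDP logon, combining logon, network and process context."""
    signals = []
    if logon["host"] not in BASELINE_HOSTS.get(logon["user"], set()):
        signals.append("host_outside_baseline")
    if logon["src_ip"] not in KNOWN_JUMP_HOSTS:
        signals.append("source_not_jump_host")
    if fan_out(logons, logon["user"], parse_ts(logon["ts"])):
        signals.append("fan_out")
    for proc in processes_for_logon(events, logon):
        image = proc["image"].rsplit("\\", 1)[-1].lower()
        if image in SUSPICIOUS_IMAGES:
            signals.append("suspicious_process:" + image)
    score = sum(WEIGHTS[s.split(":", 1)[0]] for s in signals)
    return score, signals


def detect(events):
    """Alert on RDP logons whose combined signal score reaches the threshold."""
    logons = rdp_logons(events)
    alerts = []
    for logon in logons:
        score, signals = score_logon(logon, events, logons)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": logon["user"], "host": logon["host"],
                           "src_ip": logon["src_ip"], "score": score, "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run on the constructed events, jdoe's logon alerts on four signals (unusual host, non-jump-host source, cmd.exe and procdump.exe in the session), asmith's routine logon scores zero, and only the third admin_ops logon alerts, because the fan-out check is evaluated per logon and the three-host threshold is first reached at APP03. The weights are the knob that implements the last bullet: a single weak signal never alerts on its own, while a strong one such as a credential-dumping tool in an RDP session does.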
Tactics:
Lateral Movement
Platforms:
Windows
Data Sources:
Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Relationship Citations:
(Citation: FireEye APT41 Aug 2019),(Citation: McAfee Night Dragon),(Citation: Cybereason Bumblebee August 2022),(Citation: DFIR Conti Bazar Nov 2021),(Citation: Nearest Neighbor Volexity),(Citation: Novetta Blockbuster),(Citation: CrowdStrike Grim Spider May 2019),(Citation: Cisco Akira Ransomware OCT 2024),(Citation: SecureWorks August 2019),(Citation: CERT-FR PYSA April 2020),(Citation: DFIR Report APT35 ProxyShell March 2022),(Citation: QiAnXin APT-C-36 Feb2019),(Citation: FireEye FIN10 June 2017),(Citation: apt41_dcsocytec_dec2022),(Citation: DFIR Ryuk 2 Hour Speed Run November 2020),(Citation: CISA AA20-259A Iran-Based Actor September 2020),(Citation: Proofpoint TA505 Jan 2019),(Citation: FireEye APT39 Jan 2019),(Citation: Cylance Shaheen Nov 2018),(Citation: Fortinet reGeorg MAR 2019),(Citation: District Court of NY APT10 Indictment December 2018),(Citation: SentinelOne Agrius 2021),(Citation: Mandiant FIN12 Oct 2021),(Citation: SOCRadar INC Ransom January 2024),(Citation: GitHub Pupy),(Citation: Huntress INC Ransomware May 2024),(Citation: Check Point Warzone Feb 2020),(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024),(Citation: Cymmetria Patchwork),(Citation: FireEye APT34 Webinar Dec 2017),(Citation: Volexity Patchwork June 2018),(Citation: Cybereason INC Ransomware November 2023),(Citation: PWC Cloud Hopper April 2017),(Citation: RedCanary Mockingbird May 2020),(Citation: CrowdStrike StellarParticle January 2022),(Citation: FireEye TRITON 2019),(Citation: aptsim),(Citation: US-CERT TA18-074A),(Citation: Crowdstrike GTR2020 Mar 2020),(Citation: Group IB Silence Sept 2018),(Citation: FireEye Know Your Enemy FIN8 Aug 2016),(Citation: FireEye APT40 March 2019),(Citation: Microsoft Albanian Government Attacks September 2022),(Citation: Cisco BlackByte 2024),(Citation: Costa AvosLocker May 2022),(Citation: Talos ZxShell Oct 2014),(Citation: Fidelis njRAT June 2013),(Citation: Twitter Cglyer Status Update APT3 eml),(Citation: Crowdstrike HuntReport 2022),(Citation: DFIR Phosphorus November 2021),(Citation: Unit42 Agrius 2023),(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020),(Citation: Novetta-Axiom),(Citation: FireEye FIN6 Apr 2019),(Citation: Kaspersky Adwind Feb 2016),(Citation: Group IB Cobalt Aug 2017),(Citation: Mandiant Pulse Secure Update May 2021),(Citation: Microsoft BlackByte 2023),(Citation: Huntress INC Ransom Group August 2023),(Citation: Volexity Ivanti Zero-Day Exploitation January 2024),(Citation: Mandiant_UNC2165),(Citation: Mandiant FIN13 Aug 2022),(Citation: GitHub QuasarRAT),(Citation: BitDefender Chafer May 2020),(Citation: FireEye FIN6 April 2016),(Citation: Github Koadic),(Citation: cobaltstrike manual),(Citation: Malwarebytes DarkComet March 2018),(Citation: Proofpoint TA505 October 2019),(Citation: Novetta Blockbuster RATs),(Citation: FireEye CARBANAK June 2017),(Citation: ClearSky Pay2Kitten December 2020),(Citation: FireEye PLA),(Citation: CrowdStrike Carbon Spider August 2021),(Citation: CISA Iran Albanian Attacks September 2022),(Citation: Symantec Crambus OCT 2023),(Citation: Unit42 OilRig Playbook 2023),(Citation: Netscout Stolen Pencil Dec 2018),(Citation: Cycraft Chimera April 2020),(Citation: Berkley Secure),(Citation: Windows RDP Sessions)