RDP (Remote Desktop Protocol) is a Microsoft protocol built into Windows for remote administration; it lets a user access and control another system through a graphical interface. It is widely enabled in enterprise environments, so RDP traffic is generally treated as legitimate.

⭐ Important Windows Event Logs
Event ID 4688: On source systems, this event records the execution of the RDP client process (mstsc.exe).
Event ID 4624: On target systems, this event records successful authentications (look for Logon Type 10, which indicates an RDP login).
Event IDs 4778 & 4779: These record RDP session reconnects and disconnects, and include the source machine name and IP address, which helps trace where the session came from.
⭐ Important Sysmon Event IDs
Correlate Logs: Compare event logs from both the source (e.g., mstsc.exe execution via Event ID 4688) and the target (RDP logon via Event ID 4624) machines.
Identify Anomalies: Check for RDP sessions outside of normal business hours, from unusual source machines, or involving atypical accounts.
Artifact Review: Supplement event log analysis with additional forensic artifacts (e.g., Prefetch files, Jumplists, Terminal Server Client registry keys) to build a comprehensive timeline of the RDP session.
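As an added illustration of the correlation and anomaly steps above (this is example code, not part of the original notes), the following Python script pairs a Logon Type 10 4624 on the target with the matching 4778 session record and a 4688 mstsc.exe start on the named source host, then flags off-hours sessions. The sample records are constructed, and the dictionary field names, 120-second window and 08:00-17:59 business-hours range are assumptions of this example.

```python
from datetime import datetime

# Constructed sample records (not real logs) shaped like the Security events
# discussed above: 4688 on the source, 4624/4778 on the target.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 4688, "time": "2024-03-04T22:41:10",
     "user": "CORP\\jdoe", "process": r"C:\Windows\System32\mstsc.exe"},
    {"host": "SRV01", "id": 4624, "time": "2024-03-04T22:41:25",
     "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.0.0.15"},
    {"host": "SRV01", "id": 4778, "time": "2024-03-04T22:41:26",
     "user": "CORP\\jdoe", "client_name": "WS01", "client_ip": "10.0.0.15"},
    {"host": "SRV02", "id": 4624, "time": "2024-03-05T09:15:00",
     "user": "CORP\\asmith", "logon_type": 10, "src_ip": "10.0.0.22"},
    {"host": "SRV02", "id": 4624, "time": "2024-03-05T09:16:00",
     "user": "CORP\\asmith", "logon_type": 3, "src_ip": "10.0.0.22"},
]

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is normal


def rdp_logons(events):
    """Return 4624 events whose Logon Type is 10 (RemoteInteractive / RDP)."""
    return [e for e in events if e["id"] == 4624 and e.get("logon_type") == 10]


def correlate(events, window_s=120):
    """For each RDP logon, find the 4778 record on the same target that names the
    source host, then check the source host for a 4688 mstsc.exe start shortly
    before the logon. Missing links are reported rather than silently skipped."""
    findings = []
    for logon in rdp_logons(events):
        t = datetime.fromisoformat(logon["time"])
        sess = next((e for e in events
                     if e["id"] == 4778 and e["host"] == logon["host"]
                     and e["client_ip"] == logon["src_ip"]
                     and abs((datetime.fromisoformat(e["time"]) - t).total_seconds()) <= window_s),
                    None)
        src_host = sess["client_name"] if sess else None
        mstsc_seen = any(e["id"] == 4688 and e["host"] == src_host
                         and e["process"].lower().endswith("mstsc.exe")
                         and 0 <= (t - datetime.fromisoformat(e["time"])).total_seconds() <= window_s
                         for e in events)
        findings.append({"target": logon["host"], "user": logon["user"],
                         "src_ip": logon["src_ip"], "src_host": src_host,
                         "mstsc_seen": mstsc_seen,
                         "off_hours": t.hour not in BUSINESS_HOURS})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

A logon with no matching 4778 or no mstsc.exe start on the source (the second finding here) is exactly the kind of gap that warrants the artifact review described above.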