T1021.001 Remote Desktop Protocol Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect suspicious RDP lateral movement patterns
let SensitiveHosts = dynamic(["dc", "domain-controller", "dc01", "pdc"]);
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 10  // RemoteInteractive = RDP
| extend TargetHost = tostring(Computer)
| extend SourceIP = tostring(IpAddress)
| where SourceIP !startswith "127." and SourceIP != "-" and SourceIP != ""
// Flag logons to sensitive hosts or from unexpected sources
| extend ToSensitiveHost = TargetHost has_any (SensitiveHosts)
| extend IsPrivilegedAccount = TargetUserName has_any ("admin", "administrator", "svc", "service")
// Join with logon failures to identify brute-force followed by success
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, SourceIP, LogonType, SubjectUserName, ToSensitiveHost, IsPrivilegedAccount
| sort by TimeGenerated desc
| union (
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4625
    | where LogonType == 10
    | where IpAddress !startswith "127." and IpAddress != "-"
    | summarize FailureCount=count(), Accounts=make_set(TargetUserName) by IpAddress, bin(TimeGenerated, 5m)
    | where FailureCount >= 5
    | extend AlertType = "RDP BruteForce", Computer = "", TargetUserName = tostring(Accounts), SourceIP = IpAddress
    | project TimeGenerated, Computer, TargetUserName, SourceIP, FailureCount, AlertType
)

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation Network Traffic: Network Connection Creation Windows Security Event ID 4624 (Logon) Windows Security Event ID 4625 (Failed Logon)

Required Tables

SecurityEvent DeviceNetworkEvents

False Positives

IT administrators performing legitimate remote administration of servers and workstations via RDP
Help desk staff using RDP to support end users, especially from a central jump server or bastion host
Automated monitoring or patch management tools (e.g., SCCM) that connect via RDP for maintenance
VPN-connected remote workers whose source IP appears external to network monitoring systems
Vendor remote support sessions initiated under approved change tickets

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) Logon_Type=10
| eval SourceIP=coalesce('Source_Network_Address', IpAddress)
| where SourceIP!="127.0.0.1" AND SourceIP!="::1" AND SourceIP!="-" AND SourceIP!=""
| eval EventType=if(EventCode==4624, "RDP_Success", "RDP_Failure")
| eval Account=coalesce('Target_Account_Name', TargetUserName)
| eval TargetHost=coalesce(ComputerName, host)
| eval SensitiveHost=if(match(lower(TargetHost), "(dc|domain.controller|pdc|exchange|sql)"), 1, 0)
| eval PrivAccount=if(match(lower(Account), "(admin|administrator|svc_|service)"), 1, 0)
| stats count as EventCount,
        values(EventType) as EventTypes,
        values(Account) as Accounts,
        dc(Account) as UniqueAccounts,
        values(TargetHost) as TargetHosts,
        max(SensitiveHost) as HitSensitiveHost,
        max(PrivAccount) as PrivAccountUsed
  by SourceIP, _time span=5m
| where EventCount >= 3 OR HitSensitiveHost=1 OR PrivAccountUsed=1
| eval RiskScore=EventCount + (HitSensitiveHost * 10) + (PrivAccountUsed * 5) + (UniqueAccounts * 2)
| sort - RiskScore

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation Windows Security Event ID 4624 (Logon) Windows Security Event ID 4625 (Failed Logon)

Required Sourcetypes

WinEventLog:Security

False Positives

IT administrators performing legitimate remote administration of servers and workstations via RDP
Help desk staff using RDP to support end users from a central jump server
Automated monitoring or patch management tools that connect via RDP
VPN-connected remote workers whose IPs appear external
Vendor remote support sessions with approved change tickets

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=5m
  [authentication where event.provider == "Microsoft-Windows-Security-Auditing"
   and event.code == "4625"
   and winlog.event_data.LogonType == "10"
   and source.ip != null
   and source.ip != "127.0.0.1"
   and source.ip != "::1"
   and source.ip != "-"] with runs=5
  [authentication where event.provider == "Microsoft-Windows-Security-Auditing"
   and event.code == "4624"
   and winlog.event_data.LogonType == "10"
   and source.ip != null
   and source.ip != "127.0.0.1"
   and source.ip != "::1"]

// Supplemental filter query for sensitive host and privileged account RDP access:
// authentication where event.provider == "Microsoft-Windows-Security-Auditing"
//   and event.code == "4624"
//   and winlog.event_data.LogonType == "10"
//   and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"
//   and (
//     wildcard(host.name, "*dc*", "*pdc*", "*dc01*", "*domain-controller*")
//     or wildcard(user.name, "*admin*", "*administrator*", "*svc*", "*service*")
//   )

high severity high confidence

Data Sources

Windows Security Event Log (winlogbeat or Elastic Agent) Elastic Endpoint Security

Required Tables

logs-system.security-* winlogbeat-* .ds-logs-system.security-*

False Positives

Legitimate IT administrators using RDP to manage domain controllers or servers — particularly during patch windows or incident response.
Remote support tools (e.g., helpdesk software) that authenticate via RDP and may trigger repeated logon attempts before success.
Automated monitoring or backup agents configured to use RDP with service accounts that match privileged account name patterns.

IBM QRadar (AQL)

sql

-- Brute force: 5+ RDP failures per source IP per 5-minute window
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm', 'UTC') AS EventWindow,
  sourceip AS SourceIP,
  destinationip AS TargetHost,
  username AS Account,
  COUNT(*) AS FailureCount,
  MIN(DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss', 'UTC')) AS FirstSeen,
  MAX(DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss', 'UTC')) AS LastSeen
FROM events
WHERE LOGSOURCETYPEID = 12
  AND QIDNAME(qid) LIKE '%4625%'
  AND CATEGORYNAME(category) = 'Authentication'
  AND sourceip IS NOT NULL
  AND sourceip NOT LIKE '127.%'
  AND sourceip != '::1'
  AND sourceip != '-'
  AND "Logon Type" = '10'
GROUP BY
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm', 'UTC'),
  sourceip,
  destinationip,
  username
HAVING FailureCount >= 5
LAST 1440 MINUTES
ORDER BY FailureCount DESC

UNION

-- Successful RDP to sensitive hosts or by privileged accounts
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss', 'UTC') AS EventWindow,
  sourceip AS SourceIP,
  destinationip AS TargetHost,
  username AS Account,
  1 AS FailureCount,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss', 'UTC') AS FirstSeen,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss', 'UTC') AS LastSeen
FROM events
WHERE LOGSOURCETYPEID = 12
  AND QIDNAME(qid) LIKE '%4624%'
  AND CATEGORYNAME(category) = 'Authentication'
  AND sourceip IS NOT NULL
  AND sourceip NOT LIKE '127.%'
  AND sourceip != '::1'
  AND "Logon Type" = '10'
  AND (
    LOWER(destinationhostname) MATCHES '(.*dc.*|.*pdc.*|.*dc01.*|.*domain.controller.*)'
    OR LOWER(username) MATCHES '(.*admin.*|.*administrator.*|.*svc_.*|.*service.*)'
  )
LAST 1440 MINUTES
ORDER BY FirstSeen DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log via QRadar WinCollect or Syslog

Required Tables

events (LOGSOURCETYPEID = 12 — Microsoft Windows Security Event Log)

False Positives

Legitimate jump-box or bastion host administrators who RDP into domain controllers as part of standard change management procedures.
IT helpdesk staff using accounts with 'admin' in the username prefix when remotely accessing end-user workstations for support.
Vulnerability scanners or asset management tools that perform authenticated RDP checks against multiple hosts, generating repeated logon events.

Sumo Logic CSE

sql

_sourceCategory=windows/security (EventCode=4624 OR EventCode=4625) Logon_Type=10
| parse regex "Source Network Address:\s+(?<SourceIP>[^\r\n]+)" nodrop
| parse regex "Account Name:\s+(?<Account>[^\r\n]+)" as TargetAccount nodrop
| parse regex "Workstation Name:\s+(?<SourceHost>[^\r\n]+)" nodrop
| where SourceIP != "127.0.0.1"
  AND SourceIP != "::1"
  AND SourceIP != "-"
  AND SourceIP != ""
  AND !isNull(SourceIP)
| eval EventType = if(EventCode == "4624", "RDP_Success", "RDP_Failure")
| eval TargetHost = if(!isNull(Computer), Computer, host)
| eval SensitiveHost = if(matches(toLowerCase(TargetHost), ".*?(dc|pdc|dc01|domain.controller|exchange|sql).*"), 1, 0)
| eval PrivAccount = if(matches(toLowerCase(TargetAccount), ".*?(admin|administrator|svc_|service).*"), 1, 0)
| timeslice 5m
| stats count as EventCount,
        values(EventType) as EventTypes,
        values(TargetAccount) as Accounts,
        dcount(TargetAccount) as UniqueAccounts,
        values(TargetHost) as TargetHosts,
        max(SensitiveHost) as HitSensitiveHost,
        max(PrivAccount) as PrivAccountUsed
  by _timeslice, SourceIP
| where EventCount >= 3 OR HitSensitiveHost = 1 OR PrivAccountUsed = 1
| eval RiskScore = EventCount + (HitSensitiveHost * 10) + (PrivAccountUsed * 5) + (UniqueAccounts * 2)
| fields _timeslice, SourceIP, EventCount, EventTypes, Accounts, UniqueAccounts, TargetHosts, HitSensitiveHost, PrivAccountUsed, RiskScore
| sort by RiskScore desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Security Event Log via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows/security

False Positives

Automated configuration management tools (Ansible, SCCM) that use service accounts to RDP into managed systems during maintenance windows.
Remote workforce VPN users connecting to virtual desktops via RDP with accounts containing 'admin' naming conventions inherited from legacy policy.
Security operations staff using privileged admin workstations (PAWs) to RDP into servers as part of documented incident response procedures.

Google Chronicle / SecOps

yaral

rule rdp_lateral_movement_brute_force_t1021_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects RDP brute force (5+ failures) followed by successful login within 5 minutes — T1021.001 Remote Desktop Protocol lateral movement"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.001"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Legitimate admin RDP to DCs, helpdesk remote support tools, PAW access patterns"

  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.metadata.vendor_name = "Microsoft"
    $fail.security_result.action = "BLOCK"
    $fail.network.application_protocol = "RDP"
    $fail.principal.ip = $src_ip
    $fail.principal.ip != "127.0.0.1"
    $fail.principal.ip != "::1"
    not re.regex($fail.principal.ip, `^127\.`)

    $succ.metadata.event_type = "USER_LOGIN"
    $succ.metadata.vendor_name = "Microsoft"
    $succ.security_result.action = "ALLOW"
    $succ.network.application_protocol = "RDP"
    $succ.principal.ip = $src_ip

  match:
    $src_ip over 5m

  condition:
    #fail >= 5 and #succ >= 1
}

rule rdp_sensitive_host_or_privileged_account_t1021_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects successful RDP logon to a sensitive host (DC/PDC) or by a privileged/service account — T1021.001 Remote Desktop Protocol"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.vendor_name = "Microsoft"
    $e.security_result.action = "ALLOW"
    $e.network.application_protocol = "RDP"
    $e.principal.ip != "127.0.0.1"
    $e.principal.ip != "::1"
    not re.regex($e.principal.ip, `^127\.`)
    (
      re.regex($e.target.hostname, `(?i)(^dc|dc01|pdc|domain[-_]controller)`) or
      re.regex($e.target.user.userid, `(?i)(admin|administrator|svc_|service)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs ingested via Chronicle forwarder or Google Cloud Pub/Sub UDM-normalised authentication events

Required Tables

UDM events — USER_LOGIN event type with RDP application protocol

False Positives

Automated provisioning systems that retry RDP connections and may generate multiple BLOCK events before successful authentication during system initialisation.
Legitimate domain administrators with accounts matching naming patterns (e.g., 'svc_backup') performing scheduled RDP maintenance on domain controllers.
Third-party PAM (Privileged Access Management) solutions that proxy RDP sessions and authenticate from a fixed jump-server IP, generating high-volume logon events.

CrowdStrike LogScale (CQL)

cql

// RDP brute force detection: 5+ failures per source IP per 5-minute bucket
#event_simpleName=UserLogonFailed2 LogonType=10
| where RemoteIP != "127.0.0.1"
  and RemoteIP != "::1"
  and RemoteIP != "-"
  and isNotNull(RemoteIP)
| bucket(span=5min, field=[@timestamp], as=TimeBucket)
| groupBy([RemoteIP, ComputerName, TimeBucket], function=[
    count(as=FailureCount),
    collect(UserName, limit=20, as=AttemptedAccounts)
  ])
| where FailureCount >= 5
| eval AlertType = "RDP_BruteForce"
| sort(FailureCount, order=desc)

// Successful RDP logon to sensitive host or by privileged account
// (run as a separate query and union results for alerting)
#event_simpleName=UserLogon LogonType=10
| where RemoteIP != "127.0.0.1"
  and RemoteIP != "::1"
  and RemoteIP != "-"
  and isNotNull(RemoteIP)
| eval SensitiveHost = if(match("(?i)(^dc|dc01|pdc|domain.controller)", ComputerName), "true", "false")
| eval PrivAccount = if(match("(?i)(admin|administrator|svc_|service)", UserName), "true", "false")
| where SensitiveHost = "true" or PrivAccount = "true"
| eval RiskScore = if(SensitiveHost = "true", 10, 0) + if(PrivAccount = "true", 5, 0)
| groupBy([RemoteIP, ComputerName, UserName, SensitiveHost, PrivAccount, RiskScore], function=[
    count(as=EventCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| eval AlertType = "RDP_SensitiveTarget"
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Data Replicator (FDR) CrowdStrike Falcon LogScale (Humio)

Required Tables

UserLogon (#event_simpleName=UserLogon) UserLogonFailed2 (#event_simpleName=UserLogonFailed2)

False Positives

IT administrators using CrowdStrike-monitored endpoints to RDP into domain controllers during incident response or routine maintenance — will trigger the sensitive host rule.
Password reset workflows where users fail authentication multiple times before successfully logging in via RDP, particularly after Active Directory password changes propagate.
Network Access Control (NAC) or endpoint compliance systems that perform periodic RDP health checks against servers, generating repeated logon events from a shared scanner IP.

Remote Desktop Protocol

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections