T1021.001 Google Chronicle · YARA-L

Detect Remote Desktop Protocol in Google Chronicle

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). RDP is a common feature in Windows that allows interactive graphical sessions on remote systems. Threat actors including Kimsuky, INC Ransom, Volt Typhoon, Wizard Spider, BlackByte, Akira, and FIN7 have all leveraged RDP for lateral movement. Adversaries typically acquire credentials via Credential Access techniques, then use RDP to expand access to additional systems, deploy ransomware interactively, or establish persistence via Accessibility Features.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.001 Remote Desktop Protocol
Canonical reference
https://attack.mitre.org/techniques/T1021/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule rdp_lateral_movement_brute_force_t1021_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects RDP brute force (5+ failures) followed by successful login within 5 minutes — T1021.001 Remote Desktop Protocol lateral movement"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.001"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Legitimate admin RDP to DCs, helpdesk remote support tools, PAW access patterns"

  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.metadata.vendor_name = "Microsoft"
    $fail.security_result.action = "BLOCK"
    $fail.network.application_protocol = "RDP"
    $fail.principal.ip = $src_ip
    $fail.principal.ip != "127.0.0.1"
    $fail.principal.ip != "::1"
    not re.regex($fail.principal.ip, `^127\.`)

    $succ.metadata.event_type = "USER_LOGIN"
    $succ.metadata.vendor_name = "Microsoft"
    $succ.security_result.action = "ALLOW"
    $succ.network.application_protocol = "RDP"
    $succ.principal.ip = $src_ip

  match:
    $src_ip over 5m

  condition:
    #fail >= 5 and #succ >= 1
}

rule rdp_sensitive_host_or_privileged_account_t1021_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects successful RDP logon to a sensitive host (DC/PDC) or by a privileged/service account — T1021.001 Remote Desktop Protocol"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.vendor_name = "Microsoft"
    $e.security_result.action = "ALLOW"
    $e.network.application_protocol = "RDP"
    $e.principal.ip != "127.0.0.1"
    $e.principal.ip != "::1"
    not re.regex($e.principal.ip, `^127\.`)
    (
      re.regex($e.target.hostname, `(?i)(^dc|dc01|pdc|domain[-_]controller)`) or
      re.regex($e.target.user.userid, `(?i)(admin|administrator|svc_|service)`)
    )

  condition:
    $e
}
Severity: High · Confidence: High

Two Google Chronicle YARA-L 2.0 rules for T1021.001 detection. Rule 1 correlates events over time: it fires when the same source IP produces 5 or more blocked RDP USER_LOGIN events and at least one allowed RDP USER_LOGIN within a 5-minute window, the pattern of a brute force that ends in a successful logon. Rule 2 is a point-in-time filter that fires on any successful RDP logon whose target hostname matches DC/PDC naming patterns or whose target account matches admin/service naming conventions. Both rules exclude loopback source IPs and depend on the parser populating UDM network.application_protocol with "RDP"; logon events that are not normalised that way will not match either rule.
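The two rules' logic re-implemented in Python over constructed UDM-shaped events, as an added illustration (not Chronicle code and not part of the original page). The event dictionaries mirror the UDM field paths the rules reference, the regexes and the 5-minute window are taken from the rules themselves, and the sliding window here is an approximation of Chronicle's match-over-5m grouping. The sample set is constructed to show one source IP that meets the threshold, one whose success falls outside the window, one logon to a DC-named host, one loopback event that is excluded, and one ordinary workstation logon by a user whose name contains "admin", which illustrates the tuning point raised under False Positives.

```python
"""Simulation of the two YARA-L rules over constructed UDM-style events."""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=5)                       # rule 1: match $src_ip over 5m
LOOPBACK = re.compile(r"^127\.")                    # shared loopback exclusion
SENSITIVE_HOST = re.compile(r"(?i)(^dc|dc01|pdc|domain[-_]controller)")
PRIV_ACCOUNT = re.compile(r"(?i)(admin|administrator|svc_|service)")


def udm_login(ts, src_ip, action, host, user):
    """Build a minimal UDM USER_LOGIN event (constructed sample, RDP only)."""
    return {
        "metadata": {"event_type": "USER_LOGIN", "vendor_name": "Microsoft",
                     "event_timestamp": ts},
        "principal": {"ip": src_ip},
        "target": {"hostname": host, "user": {"userid": user}},
        "security_result": {"action": action},
        "network": {"application_protocol": "RDP"},
    }


def is_rdp_login(e, action):
    """Event filters shared by both rules, including the loopback exclusions."""
    ip = e["principal"]["ip"]
    return (e["metadata"]["event_type"] == "USER_LOGIN"
            and e["metadata"]["vendor_name"] == "Microsoft"
            and e["network"]["application_protocol"] == "RDP"
            and e["security_result"]["action"] == action
            and ip not in ("127.0.0.1", "::1")
            and not LOOPBACK.match(ip))


def rule_brute_force(events, min_fails=5, window=WINDOW):
    """Rule 1: per source IP, >= 5 BLOCK and >= 1 ALLOW inside a 5-minute window.

    Returns the set of source IPs that fire. A sliding window is started at
    every event of the IP, which approximates Chronicle's windowed match.
    """
    by_ip = {}
    for e in sorted(events, key=lambda x: x["metadata"]["event_timestamp"]):
        for action in ("BLOCK", "ALLOW"):
            if is_rdp_login(e, action):
                ts = e["metadata"]["event_timestamp"]
                by_ip.setdefault(e["principal"]["ip"], []).append((ts, action))
    hits = set()
    for ip, evs in by_ip.items():
        for i, (start, _) in enumerate(evs):
            in_window = [a for t, a in evs[i:] if t - start <= window]
            if in_window.count("BLOCK") >= min_fails and "ALLOW" in in_window:
                hits.add(ip)
                break
    return hits


def rule_sensitive_target(events):
    """Rule 2: any allowed RDP logon to a DC-like host or admin/service account."""
    return [e for e in events
            if is_rdp_login(e, "ALLOW")
            and (SENSITIVE_HOST.search(e["target"]["hostname"])
                 or PRIV_ACCOUNT.search(e["target"]["user"]["userid"]))]


# Constructed sample telemetry (not real data).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = (
    # 5 failures then a success two minutes later: rule 1 fires
    [udm_login(T0 + timedelta(seconds=10 * i), "10.0.0.5", "BLOCK", "WS01", "jdoe")
     for i in range(5)]
    + [udm_login(T0 + timedelta(minutes=2), "10.0.0.5", "ALLOW", "WS01", "jdoe")]
    # 5 failures, success nine minutes later: outside the window, no fire
    + [udm_login(T0 + timedelta(seconds=i), "10.0.0.9", "BLOCK", "WS02", "asmith")
       for i in range(5)]
    + [udm_login(T0 + timedelta(minutes=9), "10.0.0.9", "ALLOW", "WS02", "asmith")]
    # successful logon to a DC-named host: rule 2 fires
    + [udm_login(T0, "10.0.0.7", "ALLOW", "DC01", "bob")]
    # loopback source is excluded by both rules
    + [udm_login(T0, "127.0.0.1", "ALLOW", "DC01", "administrator")]
    # workstation logon by "helpdesk_admin": rule 2 fires on the name alone
    + [udm_login(T0, "10.0.0.8", "ALLOW", "LAPTOP-33", "helpdesk_admin")]
)

if __name__ == "__main__":
    print("rule 1 source IPs:", rule_brute_force(SAMPLE))
    print("rule 2 hosts:", [e["target"]["hostname"] for e in rule_sensitive_target(SAMPLE)])
```

Running the block prints `{'10.0.0.5'}` for rule 1 and `['DC01', 'LAPTOP-33']` for rule 2; the second hostname is the false-positive case, since the account regex matches any userid containing "admin".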

Data Sources

  • Google Chronicle SIEM
  • Windows Event Logs ingested via Chronicle forwarder or Google Cloud Pub/Sub
  • UDM-normalised authentication events

Required Tables

UDM events — USER_LOGIN event type with RDP application protocol

False Positives & Tuning

  • Automated provisioning systems that retry RDP connections and may generate multiple BLOCK events before successful authentication during system initialisation.
  • Legitimate domain administrators with accounts matching naming patterns (e.g., 'svc_backup') performing scheduled RDP maintenance on domain controllers.
  • Third-party PAM (Privileged Access Management) solutions that proxy RDP sessions and authenticate from a fixed jump-server IP, generating high-volume logon events.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: RDP Connection to Remote Host

    Expected signal: Sysmon Event ID 1: Process Create with Image=mstsc.exe, CommandLine='/v:127.0.0.1 /admin'. Sysmon Event ID 3: Network Connection to port 3389. Security Event ID 4624 (LogonType=10) on the target if RDP is enabled. Event ID 1149 in TerminalServices-RemoteConnectionManager log.

  2. Test 2: Enable RDP and Create RDP-Accessible User

    Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections. Sysmon Event ID 1 (Process Create) for net.exe with 'Remote Desktop Users' in command line. Security Event ID 4732 (member added to security-enabled local group). Security Event ID 4657 (registry value modified).

  3. Test 3: Simulate RDP Brute Force (Authentication Failures)

    Expected signal: Security Event ID 4625 (Logon Failure, LogonType=10) for each failed attempt. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational Event ID 261. After 6 failures, detection threshold should fire.

  4. Test 4: RDP Tunnel via NetSH Port Proxy

    Expected signal: Sysmon Event ID 1: Process Create for netsh.exe with 'portproxy' and 'add' in command line. Registry change at HKLM\SYSTEM\CurrentControlSet\Services\PortProxy. Security Event ID 4688 for netsh.exe. Sysmon Event ID 12/13 for registry modification.
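A telemetry checklist for the four tests above, written as an added example that is not Atomic Red Team, Sysmon or Chronicle code. Each expected signal from the test descriptions becomes a predicate over event records; the records here are constructed dictionaries whose keys mimic Sysmon and Windows Security field names (Image, CommandLine, TargetObject, LogonType, NewProcessName), and the field names and the source labels are assumptions about how the events would be exported. The constructed set deliberately lacks the Security 4657 event for Test 2, since 4657 is only written when registry auditing (a SACL on the key) is configured, so the report shows Test 2 as not fully validated.

```python
"""Check constructed Sysmon / Security telemetry against the expected signals
listed for the four Atomic Red Team tests."""


def ev(source, event_id, **fields):
    """Constructed event record; keys mimic Sysmon / Windows Security fields."""
    return {"source": source, "event_id": event_id, **fields}


def _proc(e, exe, *needles):
    """Process-create check (Sysmon 1 or Security 4688): image name ends with
    `exe` and every needle appears in the command line (case-insensitive)."""
    image = (e.get("Image") or e.get("NewProcessName") or "").lower()
    cmd = (e.get("CommandLine") or "").lower()
    return image.endswith(exe) and all(n in cmd for n in needles)


def _is(e, source, *ids):
    return e["source"] == source and e["event_id"] in ids


# (signal label, minimum count, predicate) per test, following the page's list.
CHECKS = {
    "Test 1: RDP Connection to Remote Host": [
        ("Sysmon 1 mstsc.exe /v:", 1,
         lambda e: _is(e, "Sysmon", 1) and _proc(e, "mstsc.exe", "/v:")),
        ("Sysmon 3 to port 3389", 1,
         lambda e: _is(e, "Sysmon", 3) and e.get("DestinationPort") == 3389),
        ("Security 4624 LogonType 10", 1,
         lambda e: _is(e, "Security", 4624) and e.get("LogonType") == 10),
        ("TerminalServices 1149", 1,
         lambda e: _is(e, "TerminalServices-RemoteConnectionManager", 1149)),
    ],
    "Test 2: Enable RDP and Create RDP-Accessible User": [
        ("Sysmon 13 fDenyTSConnections", 1,
         lambda e: _is(e, "Sysmon", 13)
         and "fdenytsconnections" in e.get("TargetObject", "").lower()),
        ("Sysmon 1 net.exe Remote Desktop Users", 1,
         lambda e: _is(e, "Sysmon", 1) and _proc(e, "net.exe", "remote desktop users")),
        ("Security 4732 member added to local group", 1,
         lambda e: _is(e, "Security", 4732)),
        ("Security 4657 registry value modified", 1,
         lambda e: _is(e, "Security", 4657)),
    ],
    "Test 3: Simulate RDP Brute Force": [
        ("Security 4625 LogonType 10 (x6)", 6,
         lambda e: _is(e, "Security", 4625) and e.get("LogonType") == 10),
        ("TerminalServices 261", 1,
         lambda e: _is(e, "TerminalServices-RemoteConnectionManager", 261)),
    ],
    "Test 4: RDP Tunnel via NetSH Port Proxy": [
        ("Sysmon 1 netsh portproxy add", 1,
         lambda e: _is(e, "Sysmon", 1) and _proc(e, "netsh.exe", "portproxy", "add")),
        ("Sysmon 12/13 PortProxy key", 1,
         lambda e: _is(e, "Sysmon", 12, 13)
         and "services\\portproxy" in e.get("TargetObject", "").lower()),
        ("Security 4688 netsh.exe", 1,
         lambda e: _is(e, "Security", 4688) and _proc(e, "netsh.exe")),
    ],
}


def evaluate(events):
    """Return {test: (all_signals_present, {signal: observed_count})}."""
    report = {}
    for test, signals in CHECKS.items():
        counts = {label: sum(1 for e in events if pred(e)) for label, _, pred in signals}
        passed = all(counts[label] >= need for label, need, _ in signals)
        report[test] = (passed, counts)
    return report


# Constructed telemetry for one run of the four tests (not real logs).
SAMPLE = [
    ev("Sysmon", 1, Image=r"C:\Windows\System32\mstsc.exe",
       CommandLine="mstsc.exe /v:127.0.0.1 /admin"),
    ev("Sysmon", 3, Image=r"C:\Windows\System32\mstsc.exe", DestinationPort=3389),
    ev("Security", 4624, LogonType=10, TargetUserName="tester"),
    ev("TerminalServices-RemoteConnectionManager", 1149),
    ev("Sysmon", 13, TargetObject=r"HKLM\System\CurrentControlSet\Control"
                                  r"\Terminal Server\fDenyTSConnections"),
    ev("Sysmon", 1, Image=r"C:\Windows\System32\net.exe",
       CommandLine='net.exe localgroup "Remote Desktop Users" ...'),
    ev("Security", 4732, TargetUserName="Remote Desktop Users"),
    # no Security 4657: registry auditing is not enabled on the constructed host
    *[ev("Security", 4625, LogonType=10, TargetUserName="tester") for _ in range(6)],
    ev("TerminalServices-RemoteConnectionManager", 261),
    ev("Sysmon", 1, Image=r"C:\Windows\System32\netsh.exe",
       CommandLine="netsh.exe interface portproxy add ..."),
    ev("Sysmon", 13, TargetObject=r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\..."),
    ev("Security", 4688, NewProcessName=r"C:\Windows\System32\netsh.exe"),
]

if __name__ == "__main__":
    for test, (passed, counts) in evaluate(SAMPLE).items():
        missing = [s for s, n in counts.items() if n == 0]
        print(f"{'PASS' if passed else 'GAP '} {test}  missing={missing}")
```

The six 4625 events satisfy the "after 6 failures" expectation of Test 3 and therefore also the rule's own threshold of five blocked logons. When the script reports a gap, the fix is on the telemetry side (enable the audit subcategory or the Sysmon rule that produces the event), not in the detection rule.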
