T1021.001 Splunk · SPL

Detect Remote Desktop Protocol in Splunk

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). RDP is a common feature in Windows that allows interactive graphical sessions on remote systems. Threat actors including Kimsuky, INC Ransom, Volt Typhoon, Wizard Spider, BlackByte, Akira, and FIN7 have all leveraged RDP for lateral movement. Adversaries typically acquire credentials via Credential Access techniques, then use RDP to expand access to additional systems, deploy ransomware interactively, or establish persistence via Accessibility Features.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.001 Remote Desktop Protocol
Canonical reference
https://attack.mitre.org/techniques/T1021/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) Logon_Type=10
| eval SourceIP=coalesce('Source_Network_Address', IpAddress)
| where SourceIP!="127.0.0.1" AND SourceIP!="::1" AND SourceIP!="-" AND SourceIP!=""
| eval EventType=if(EventCode==4624, "RDP_Success", "RDP_Failure")
| eval Account=coalesce('Target_Account_Name', TargetUserName)
| eval TargetHost=coalesce(ComputerName, host)
| eval SensitiveHost=if(match(lower(TargetHost), "(dc|domain.controller|pdc|exchange|sql)"), 1, 0)
| eval PrivAccount=if(match(lower(Account), "(admin|administrator|svc_|service)"), 1, 0)
| stats count as EventCount,
        values(EventType) as EventTypes,
        values(Account) as Accounts,
        dc(Account) as UniqueAccounts,
        values(TargetHost) as TargetHosts,
        max(SensitiveHost) as HitSensitiveHost,
        max(PrivAccount) as PrivAccountUsed
  by SourceIP, _time span=5m
| where EventCount >= 3 OR HitSensitiveHost=1 OR PrivAccountUsed=1
| eval RiskScore=EventCount + (HitSensitiveHost * 10) + (PrivAccountUsed * 5) + (UniqueAccounts * 2)
| sort - RiskScore
high severity medium confidence

Detects suspicious RDP activity (LogonType=10) from Windows Security event logs. Aggregates success and failure events by source IP over 5-minute windows, calculates a risk score based on volume, sensitive host targeting, and privileged account usage. High risk scores indicate brute-force or credential-stuffing attempts.

Data Sources

Logon Session: Logon Session CreationWindows Security Event ID 4624 (Logon)Windows Security Event ID 4625 (Failed Logon)

Required Sourcetypes

WinEventLog:Security

False Positives & Tuning

  • IT administrators performing legitimate remote administration of servers and workstations via RDP
  • Help desk staff using RDP to support end users from a central jump server
  • Automated monitoring or patch management tools that connect via RDP
  • VPN-connected remote workers whose IPs appear external
  • Vendor remote support sessions with approved change tickets
Download portable Sigma rule (.yml)

Other platforms for T1021.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1RDP Connection to Remote Host

    Expected signal: Sysmon Event ID 1: Process Create with Image=mstsc.exe, CommandLine='/v:127.0.0.1 /admin'. Sysmon Event ID 3: Network Connection to port 3389. Security Event ID 4624 (LogonType=10) on the target if RDP is enabled. Event ID 1149 in TerminalServices-RemoteConnectionManager log.

  2. Test 2Enable RDP and Create RDP-Accessible User

    Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections. Sysmon Event ID 1 (Process Create) for net.exe with 'Remote Desktop Users' in command line. Security Event ID 4732 (member added to security-enabled local group). Security Event ID 4657 (registry value modified).

  3. Test 3Simulate RDP Brute Force (Authentication Failures)

    Expected signal: Security Event ID 4625 (Logon Failure, LogonType=10) for each failed attempt. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational Event ID 261. After 6 failures, detection threshold should fire.

  4. Test 4RDP Tunnel via NetSH Port Proxy

    Expected signal: Sysmon Event ID 1: Process Create for netsh.exe with 'portproxy' and 'add' in command line. Registry change at HKLM\SYSTEM\CurrentControlSet\Services\PortProxy. Security Event ID 4688 for netsh.exe. Sysmon Event ID 12/13 for registry modification.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1021.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.002SMB/Windows Admin SharesT1021.003Distributed Component Object ModelT1021.004SSHT1021.005VNCT1021.006Windows Remote ManagementT1021.007Cloud ServicesT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1078Valid AccountsT1110Brute ForceT1550.002Pass the HashT1546.008Accessibility FeaturesT1505.005Terminal Services DLLT1563Remote Service Session HijackingT1071.001Web ProtocolsT1572Protocol Tunneling

Same Tactic: Lateral Movement

Popular Detections