Description
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.(Citation: Alperovitch Malware)
Mitigations (8)
Audit (M1047)
Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.
Limit Access to Resource Over Network (M1035)
Use remote desktop gateways.
Network Segmentation (M1030)
Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network.
Operating System Configuration (M1028)
Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD Session Host server.(Citation: Windows RDP Sessions)
Disable or Remove Feature or Program (M1042)
Disable the RDP service if it is unnecessary.
User Account Management (M1018)
Limit remote user permissions if remote access is necessary.
Multi-factor Authentication (M1032)
Use multi-factor authentication for remote logins.(Citation: Berkley Secure)
Privileged Account Management (M1026)
Consider removing the local Administrators group from the list of groups allowed to log in through RDP.
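As an added example (not part of the ATT&CK page or any cited report), the following read-only PowerShell audit checks a single host against several of the mitigations above: whether RDP and NLA are enabled, who sits in the Remote Desktop Users and Administrators groups, whether GPO session limits are set, and which inbound RDP firewall rules are active. It assumes Windows 10 / Server 2016 or later with the LocalAccounts and NetSecurity modules and is run as a local administrator; the registry paths are the standard Terminal Services keys.

```powershell
# Added example: read-only RDP exposure audit for one host (run as administrator).
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$findings = [System.Collections.Generic.List[string]]::new()

# M1042: is the RDP listener enabled at all? fDenyTSConnections = 1 means RDP is disabled.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -ne 1) { $findings.Add('RDP is enabled; set fDenyTSConnections=1 if this host does not need it') }

# Network Level Authentication validates credentials before a full session is created.
$nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings.Add('NLA is not required (UserAuthentication is not 1)') }

# M1047 / M1026: who can log on over RDP? Local Administrators can by default unless the
# "Allow log on through Remote Desktop Services" user right is changed by policy.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
$admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
Write-Host "Remote Desktop Users: $(($rdpUsers | ForEach-Object Name) -join ', ')"
Write-Host "Administrators      : $(($admins   | ForEach-Object Name) -join ', ')"
foreach ($m in $rdpUsers) {
    # Nested groups widen RDP access beyond the accounts that are visible here.
    if ($m.ObjectClass -eq 'Group') { $findings.Add("Nested group in Remote Desktop Users: $($m.Name)") }
}

# M1028: GPO session limits land under the Policies key (milliseconds; absent or 0 = no limit).
foreach ($name in 'MaxDisconnectionTime', 'MaxIdleTime', 'MaxConnectionTime') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $v) { $findings.Add("$name not set by policy: sessions have no time limit") }
}

# M1030: list the enabled inbound Remote Desktop firewall rules and the profiles they apply to.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Inbound RDP rule enabled: $($_.DisplayName) [profile: $($_.Profile)]") }

if ($findings.Count -eq 0) { Write-Host 'No findings' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

The script changes nothing; review each finding against the host's actual need for RDP before applying the corresponding mitigation.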
Threat Groups (37)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used RDP for direct remote point-and-click access.(Citation: Netscout Stolen Pencil Dec 2018) |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used RDP to move laterally.(Citation: Cybereason INC Ransomware November 2023)(Citation: Hunt... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has moved laterally to the Domain Controller via RDP using a compromised account with domain adm... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has moved laterally throughout victim environments using RDP.(Citation: Mandiant Pulse Secure Update May... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunn... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) attempted to use RDP to move laterally.(Citation: Cymmetria Patchwork) |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used RDP for lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used RDP to exfiltrate files of interest.(Citation: Trend Micro Earth Kasha NOV 2024) |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has used RDP to access other hosts within victim networks.(Citation: Microsoft BlackByte 2023)(Cita... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used Remote Desktop Services to copy tools on targeted systems.(Citation: DFIR Report APT35 P... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used RDP for lateral movement and to deploy ransomware interactively.(Citation: CrowdStrike... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) leveraged stolen credentials to move laterally via RDP in victim environments.(Citation: Crowds... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used RDP to move laterally in victim environments.(Citation: CrowdStrike Carbon Spider August 2021) |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used RDP for lateral movement.(Citation: Mandiant_UNC2165) |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used RDP for lateral movement.(Citation: Group IB Silence Sept 2018) |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used remote desktop sessions for lateral movement.(Citation: SecureWorks August 2019) |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has used RDP during operations.(Citation: Novetta-Axiom) |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used Remote Desktop Protocol to conduct lateral movement.(Citation: Group IB Cobalt Aug 2017... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) has used RDP for lateral movement.(Citation: Cisco Akira Ransomware OCT 2024) |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can start a VNC-based remote desktop server and tunnel the connection through the already est... |
| S0262 | QuasarRAT | Tool | [QuasarRAT](https://attack.mitre.org/software/S0262) has a module for performing remote desktop access.(Citation: GitHub QuasarRAT)(Citation: Volexity... |
| S0350 | zwShell | Malware | [zwShell](https://attack.mitre.org/software/S0350) has used RDP for lateral movement.(Citation: McAfee Night Dragon) |
| S0434 | Imminent Monitor | Tool | [Imminent Monitor](https://attack.mitre.org/software/S0434) has a module for performing remote desktop access.(Citation: QiAnXin APT-C-36 Feb2019) |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) has the ability to control an infected PC using RDP.(Citation: Check Point Warzone Feb 2020) |
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) enables concurrent Remote Desktop Protocol (RDP) sessions.(Citation: FireEye CARBANAK June 2017) |
| S1187 | reGeorg | Malware | [reGeorg](https://attack.mitre.org/software/S1187) can be used to tunnel RDP connections.(Citation: Fortinet reGeorg MAR 2019) |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) has a plugin to perform RDP access.(Citation: Cylance Shaheen Nov 2018) |
| S0382 | ServHelper | Malware | [ServHelper](https://attack.mitre.org/software/S0382) has commands for adding a remote desktop user and sending RDP traffic to the attacker through a ... |
| S0461 | SDBbot | Malware | [SDBbot](https://attack.mitre.org/software/S0461) has the ability to use RDP to connect to victim's machines.(Citation: Proofpoint TA505 October 2019) |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can enable remote desktop on the victim's machine.(Citation: Github Koadic) |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) can support RDP control.(Citation: Kaspersky Adwind Feb 2016) |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) has a module for performing remote desktop access.(Citation: Fidelis njRAT June 2013)(Citation: Kaspe... |
| S0583 | Pysa | Malware | [Pysa](https://attack.mitre.org/software/S0583) has laterally moved using RDP connections.(Citation: CERT-FR PYSA April 2020) |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can enable/disable RDP connection and can start a remote desktop session using a browser web socket cl... |
| S0334 | DarkComet | Malware | [DarkComet](https://attack.mitre.org/software/S0334) can open an active screen of the victim’s machine and take control of the mouse and keyboard.(Cit... |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) has remote desktop functionality.(Citation: Talos ZxShell Oct 2014) |
References
- Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 17, 2024.
- Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.
Frequently Asked Questions
What is T1021.001 (Remote Desktop Protocol)?
T1021.001 is a MITRE ATT&CK technique named 'Remote Desktop Protocol'. It belongs to the Lateral Movement tactic(s). Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on...
How can T1021.001 be detected?
Detection of T1021.001 (Remote Desktop Protocol) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1021.001?
There are 8 documented mitigations for T1021.001. Key mitigations include: Audit, Limit Access to Resource Over Network, Network Segmentation, Operating System Configuration, Disable or Remove Feature or Program.
Which threat groups use T1021.001?
Known threat groups using T1021.001 include: Kimsuky, INC Ransom, Volt Typhoon, APT5, OilRig, Patchwork, FIN8, MirrorFace.