Remote Desktop Protocol
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.
Detection logic
Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.
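The two heuristics above (an account reaching a host it does not normally use, and one account fanning out across several hosts in a short window) are shown here as an added example, not code from the original page or from ATT&CK. It works over a constructed sample of Windows Security 4624 records reduced to the fields the logic needs; the field names, the per-account baseline, the 15-minute window and the three-host fan-out threshold are all assumptions chosen for the illustration, and only LogonType 10 (RemoteInteractive, i.e. an RDP/RDS session) is considered.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sample of Windows Security log records (Event ID 4624), reduced to
# the fields the heuristics need. LogonType 10 = RemoteInteractive (RDP/RDS);
# the LogonType 3 row is a network logon and must be ignored by the RDP rules.
SAMPLE_LOG = """\
timestamp,event_id,logon_type,user,computer,source_ip
2024-05-01T09:00:00Z,4624,10,alice,WS-ALICE,10.0.0.5
2024-05-01T09:05:00Z,4624,10,bob,WS-BOB,10.0.0.6
2024-05-01T09:30:00Z,4624,3,bob,FILESRV01,10.0.0.6
2024-05-01T02:00:00Z,4624,10,svc_backup,SRV-BACKUP01,10.0.1.9
2024-05-01T13:00:00Z,4624,10,bob,FILESRV01,10.0.0.6
2024-05-01T13:02:00Z,4624,10,bob,DC01,10.0.0.6
2024-05-01T13:04:00Z,4624,10,bob,HR-WS07,10.0.0.6
"""

# Constructed baseline (assumed): which hosts each account normally reaches
# over RDP. In practice this is learned from weeks of historical 4624 data.
BASELINE = {
    "alice": {"WS-ALICE"},
    "bob": {"WS-BOB"},
    "svc_backup": {"SRV-BACKUP01"},
}


def parse_log(text):
    """Parse the CSV sample into dicts and return them ordered by timestamp."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
                          .replace(tzinfo=timezone.utc),
            "event_id": int(row["event_id"]),
            "logon_type": int(row["logon_type"]),
            "user": row["user"],
            "computer": row["computer"],
            "source_ip": row["source_ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def rdp_logons(events):
    """Keep only successful interactive remote logons (4624 / LogonType 10)."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]


def detect_rdp_anomalies(events, baseline, window=timedelta(minutes=15),
                         fanout_threshold=3):
    """Return alerts for the two heuristics in the Detection logic paragraph.

    unusual_host: an RDP logon to a host outside the account's baseline.
    rdp_fanout:   one account reaching >= fanout_threshold distinct hosts over
                  RDP inside `window` (reported once, when the threshold is crossed).
    """
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, computer) inside the window
    for e in rdp_logons(events):
        user, host, ts = e["user"], e["computer"], e["ts"]

        # Heuristic 1: logon to a system this account would not normally access.
        if host not in baseline.get(user, set()):
            alerts.append({"rule": "unusual_host", "user": user, "computer": host,
                           "source_ip": e["source_ip"], "ts": ts.isoformat()})

        # Heuristic 2: many distinct systems in a short period (sliding window).
        q = recent[user]
        while q and ts - q[0][0] > window:
            q.popleft()
        seen_before = {h for _, h in q}
        q.append((ts, host))
        if host not in seen_before and len(seen_before) + 1 >= fanout_threshold:
            alerts.append({"rule": "rdp_fanout", "user": user,
                           "computers": sorted(seen_before | {host}),
                           "ts": ts.isoformat()})
    return alerts


def run_detection():
    """Run both heuristics over the constructed sample and return the alerts."""
    return detect_rdp_anomalies(parse_log(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the sample, alice and svc_backup stay within their baselines and produce nothing; bob's three afternoon logons each raise an unusual_host alert, and the third one also crosses the fan-out threshold, which is the access pattern the paragraph describes. The baseline lookup is what separates legitimate RDP use from suspicious use, so its quality matters more than the thresholds.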
Observed actors
G0119 APT3
G0022 Kimsuky
G0094 Volt Typhoon
G1017 Patchwork
G0040 APT41
G0096 Dragonfly
G0035 menuPass
G0045 FIN6
G0037 FIN7
G0046 APT39
G0087 OilRig
G0049 Aquatic Panda
G0143 APT1
G0006 Leviathan
G0065 Blue Mockingbird
G0108 APT29
G0016 Chimera
G0114 TEMP.Veles
G0088 Axiom
G0001 Agrius
G1030 APT5
G1023 Fox Kitten
G0117 Lazarus Group
G0032 INC Ransom
G1032 Silence
G0091 Cobalt Group
G0080 Wizard Spider
G0102 HEXANE
G1001 Magic Hound
G0059 FIN10
G0051 FIN8
G0061 FIN13
G1016
Correlated CTI and IR reports
Google Cloud / Mandiant · direct source mapping · ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention · CTI Research: Handala Hack Group (aka Handala Hack Team)
1200km CTI repository · explicit report mention · Defensive CTI Research on Threats to Israeli Government and Public-Sector Environments
Israel Threat Actors CTI · explicit report mention · CTI Research: Handala Hack Group (aka Handala Hack Team)
1200km Medium · authored report mention · Correlation-Based Detection Rules in Cybersecurity: From Atomic Events to Behavioral Insight
1200km Medium · authored report mention · Single Event Detection Rules in Cybersecurity
1200km Medium · authored report mention