Detections
Analytics
Remote Services: Remote Desktop Protocol
Description
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Users, Groups and Group membership | Plugin ID: 71246 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | OS Command | Computer Connectivity | Plugin ID: 64582 |
| Tenable Identity Exposure | Active Directory | Standard AD User | LDAP | List of Domain Computers and Users | ||
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Users | Plugin ID: 167250 |
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Groups | Plugin ID: 167251 |
References
Enumerate Local Group Memberships
Microsoft Windows SMB Service Config Enumeration
Netstat Connection Information
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Lateral Movement
Technique: Remote Services
Sub-Technique: Remote Desktop Protocol
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2022 Q3