Remote Services: Remote Desktop Protocol

Description

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Users, Groups and Group membership | Plugin ID: 71246 |
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | OS Command | Computer Connectivity | Plugin ID: 64582 |
| Tenable.io | AD starter or Identity scan | Active Directory | Standard AD User | LDAP | Domain Users and Groups | |

References

Nessus Plugins:

Enumerate Local Group Memberships

Microsoft Windows SMB Service Config Enumeration

Netstat Connection Information

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Lateral Movement

Technique: Remote Services

Platform: Windows

Products Required: Tenable.io

Tenable Release Date: 2022 Q3