Windows Default RDP File Creation: endpointEndpoint2025-07-30version:1
This detection monitors the creation or modification of the Default.rdp file, typically found in the user's Documents folder. This file is automatically generated or updated by the Remote Desktop Connection client (mstsc.exe) when a user initiates an RDP session. It stores connection settings such as the last-used hostname, screen size, and other preferences. The presence or update of this file strongly suggests that an RDP session has been launched from the system. Since this file is commonly overlooked, it can serve as a valuable artifact in identifying remote access activity, including potential lateral movement or attacker-controlled sessions.
Windows RDP Login Session Was Established: endpointEndpoint2025-07-31version:1
The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only provided valid credentials but has also initiated a full interactive RDP session. It is a key indicator of successful remote access to a Windows system. When correlated with Event ID 1149, which logs RDP authentication success, this analytic helps distinguish between mere credential acceptance and actual session establishment—critical for effective monitoring and threat detection.
Windows RDP File Execution: endpointEndpoint2025-08-07version:6
The following analytic detects when a Windows RDP client attempts to execute an RDP file from a temporary directory, downloads directory, or Outlook directories. This detection is significant as it can indicate an attempt for an adversary to deliver a .rdp file, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network.
Windows Modify Registry Disable RDP: endpointEndpoint2025-08-01version:7
This analytic is developed to detect suspicious registry modifications that disable Remote Desktop Protocol (RDP) by altering the "fDenyTSConnections" key. Changing this key's value to 1 prevents remote connections, which can disrupt remote management and access. Such modifications could indicate an attempt to hinder remote administration or isolate the system from remote intervention, potentially signifying malicious activity.
Windows RDP Server Registry Deletion: endpointEndpoint2025-07-30version:1
This detection identifies the deletion of registry keys under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\, which store records of previously connected remote systems via Remote Desktop Protocol (RDP). These keys are created automatically when a user connects to a remote host using the native Windows RDP client (mstsc.exe) and can be valuable forensic artifacts for tracking remote access activity. Malicious actors aware of this behavior may delete these keys after using RDP to hide evidence of their activity and avoid detection during incident response. This form of artifact cleanup is a known defense evasion technique, often performed during or after lateral movement. Legitimate users rarely delete these keys manually, making such actions highly suspicious—especially when correlated with RDP usage, unusual logon behavior, or other signs of compromise. Detecting the deletion of these registry entries can provide crucial insight into attempts to cover tracks following interactive remote access.
Windows RDP Client Launched with Admin Session: endpointEndpoint2025-08-01version:2
This detection identifies the execution of the Windows Remote Desktop Client (mstsc.exe) with the "/v" and /admin command-line arguments. The "/v" flag specifies the remote host to connect to, while the /admin flag initiates a connection to the target system’s console session, often used for administrative purposes. This combination may indicate that a user or attacker is performing privileged remote access, potentially to manage a system without disrupting existing user sessions. While such usage may be legitimate for IT administrators, it is less common in typical user behavior. Threat actors may abuse this capability during lateral movement to maintain stealthy access to high-value systems. Monitoring for this pattern can help detect interactive hands-on-keyboard activity, privilege abuse, or attempts to access critical infrastructure without leaving typical login traces associated with non-admin RDP sessions.
Remote Desktop Network Traffic: networkEndpoint2025-08-07version:13
The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker's attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss.
Windows Default Rdp File Deletion: endpointEndpoint2025-07-30version:1
This detection identifies the deletion of the Default.rdp file from a user’s Documents folder. This file is automatically created or updated by the Remote Desktop Connection client (mstsc.exe) whenever a user initiates an RDP session. It contains session configuration data, such as the remote hostname and display settings. While the presence of this file is normal during legitimate RDP usage, its deletion may indicate an attempt to conceal evidence of remote access activity. Threat actors and red team operators often remove Default.rdp as part of post-access cleanup to evade forensic detection. Detecting this action—especially when correlated with recent RDP activity—can help identify defense evasion techniques and uncover potentially malicious use of remote desktop connections. Monitoring for this file's deletion adds an important layer of visibility into user behavior and can serve as an early indicator of interactive attacker presence.
Windows MSTSC RDP Commandline: endpointEndpoint2025-08-01version:3
The following analytic detects the use of the mstsc.exe command-line, which is commonly used to initiate Remote Desktop Protocol (RDP) connections. This detection focuses on instances where mstsc.exe is executed with specific parameters that may indicate suspicious or unauthorized remote access attempts. Monitoring command-line arguments such as /v:<target> for direct connections or /admin for administrative sessions can help identify potential misuse or lateral movement within a network.
Windows RDP Bitmap Cache File Creation: endpointEndpoint2025-07-30version:1
This detection identifies the creation of Remote Desktop Protocol (RDP) bitmap cache files on a Windows system, typically located in the user’s profile under the Terminal Server Client cache directory. These files (*.bmc, cache*.bin) are generated when a user initiates an RDP session using the built-in mstsc.exe client. Their presence can indicate interactive remote access activity and may be useful in detecting lateral movement or unauthorized RDP usage. Monitoring this behavior is especially important, as attackers may attempt to delete or suppress these artifacts to evade forensic analysis.
Windows RDP Server Registry Entry Created: endpointEndpoint2025-07-30version:1
This detection identifies the creation of registry keys under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\, which occur when a user initiates a Remote Desktop Protocol (RDP) connection using the built-in Windows RDP client (mstsc.exe). These registry entries store information about previously connected remote hosts, including usernames and display settings. Their creation is a strong indicator that an outbound RDP session was initiated from the system. While the presence of these keys is normal during legitimate RDP use, their appearance can be used to track remote access activity, especially in environments where RDP is tightly controlled. In post-compromise scenarios, these artifacts may be created by threat actors using RDP for lateral movement or command-and-control. Monitoring the creation of these registry entries can help defenders detect initial use of RDP from a compromised host, particularly when correlated with unusual user behavior, logon patterns, or network activity.
Windows RDPClient Connection Sequence Events: endpointEndpoint2025-08-07version:5
This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE the analytic was written for Multi-Line as XML was not properly parsed out.
Windows Remote Services Rdp Enable: endpointEndpoint2025-08-01version:8
The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "fDenyTSConnections" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.
Windows Remote Desktop Network Bruteforce Attempt: networkEndpoint2025-08-01version:5
The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
Windows Remote Services Allow Rdp In Firewall: endpointEndpoint2025-08-01version:8
The following analytic detects modifications to the Windows firewall to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "netsh.exe" to allow TCP port 3389. This activity is significant as it may indicate an adversary attempting to gain remote access to a compromised host, a common tactic for lateral movement. If confirmed malicious, this could allow attackers to remotely control the system, leading to potential data exfiltration or further network compromise.
Enable RDP In Other Port Number: endpointEndpoint2025-08-07version:14
The following analytic detects modifications to the registry that enable RDP on a machine using a non-default port number. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" and the "PortNumber" value. This activity is significant as attackers often modify RDP settings to facilitate lateral movement and maintain remote access to compromised systems. If confirmed malicious, this could allow attackers to bypass network defenses, gain persistent access, and potentially control the compromised machine.
Windows Service Create with Tscon: endpointEndpoint2025-08-01version:11
The following analytic detects potential RDP Hijacking attempts by identifying the creation of a Windows service using sc.exe with a binary path that includes tscon.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant as it indicates an attacker may be trying to hijack a disconnected RDP session, posing a risk of unauthorized access. If confirmed malicious, the attacker could gain control over an existing user session, leading to potential data theft or further system compromise.
Windows Remote Service Rdpwinst Tool Execution: endpointEndpoint2025-08-01version:9
The following analytic detects the execution of the RDPWInst.exe tool, which is an RDP wrapper library used to enable remote desktop host support and concurrent RDP sessions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and specific command-line arguments. This activity is significant because adversaries can abuse this tool to establish unauthorized RDP connections, facilitating remote access and potential lateral movement within the network. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and further compromise of the targeted host.
Windows RDP Connection Successful: endpointEndpoint2025-08-08version:8
The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.
Windows Rdp AutomaticDestinations Deletion: endpointEndpoint2025-07-30version:1
This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior.
Windows RDP Cache File Deletion: endpointEndpoint2025-07-30version:1
This detection identifies the deletion of RDP bitmap cache files—specifically .bmc and .bin files—typically stored in the user profile under the Terminal Server Client\Cache directory. These files are created by the native Windows Remote Desktop Client (mstsc.exe) and store graphical elements from remote sessions to improve performance. Deleting these files may indicate an attempt to remove forensic evidence of RDP usage. While rare in legitimate user behavior, this action is commonly associated with defense evasion techniques used by attackers or red teamers who wish to hide traces of interactive remote access. When observed in conjunction with recent logon activity, RDP session indicators, or script execution, this behavior should be treated as potentially malicious. Monitoring for deletion of these files provides valuable visibility into anti-forensic actions that often follow lateral movement or hands-on-keyboard activity.
Remote Desktop Process Running On System: endpointEndpoint2025-08-07version:12
The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise.
Windows Default Rdp File Unhidden: endpointEndpoint2025-07-30version:1
This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is initiated using mstsc.exe. The Default.rdp file stores session configuration details such as the remote host address and screen settings. Unhiding this file is uncommon in normal user behavior and may indicate that an attacker or red team operator is attempting to access or manipulate RDP connection history that was previously hidden—either by default or as part of an earlier anti-forensics effort. This activity may represent part of a broader pattern of reconnaissance or staging for credential reuse, lateral movement, or forensic analysis evasion. Monitoring for this behavior can help uncover suspicious manipulation of user artifacts and highlight interactive attacker activity on a compromised host.
