T1021.001 — Remote Desktop Protocol

Technique

T1021.001

Tactics

Lateral Movement

MISP citations

0

KEV CVEs mapped

2

Community rules

16

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1021/001

MITRE description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-53704
• CVE-2023-22952

Detection coverage

SigmaHQ community rules

• Hermetic Wiper TG Process Patterns (emerging-threats)
• OpenCanary - RDP New Connection Attempt (core)
• Publicly Accessible RDP Service (core)
• RDP Login from Localhost (core)
• Denied Access To Remote Desktop (core)
• RDP over Reverse SSH Tunnel WFP (core)
• Outbound RDP Connections Over Non-Standard Tools (core)
• RDP Over Reverse SSH Tunnel (core)
• RDP to HTTP or HTTPS Target Ports (core)
• New Remote Desktop Connection Initiated Via Mstsc.EXE (core)
• Suspicious Plink Port Forwarding (core)
• RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class (core)
• Potential Tampering With RDP Related Registry Keys Via Reg.EXE (core)
• Port Forwarding Activity Via SSH.EXE (core)
• User Added to Remote Desktop Users Group (core)
• Suspicious RDP Redirect Using TSCON (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.