LoFP
/
t1021.001
t1021.001
Title
Tags
administrative activity
t1003
t1016
t1021
t1021.001
t1027
t1036
t1053
t1053.005
t1059
t1059.001
t1059.005
t1071
t1071.001
t1087
t1087.001
t1087.002
t1098
t1105
t1133
t1134
t1136
t1136.001
t1137
t1222
t1222.001
t1505
t1505.004
t1552
t1552.006
t1555
t1555.004
t1562
t1562.001
t1572
t1615
linux
windows
sigma
administrative activity using a remote port forwarding to a local port
t1021
t1021.001
t1021.004
t1572
windows
sigma
administrator may allow inbound traffic in certain network or machine.
t1021.001
endpoint
splunk
administrator may remote desktop a spe
t1021.001
endpoint
splunk
although it is recommended to not have rdp exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. work to secure the server if you are unable to remove it from being exposed to the internet.
t1021
t1021.001
zeek
sigma
false positives may be present based on administrators using rdp files for legitimate purposes. filter as needed.
t1021.001
T1598.002
endpoint
splunk
network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.
t1021.001
t1112
endpoint
splunk
programs that connect locally to the rdp port
t1021
t1021.001
t1090
t1090.001
t1090.002
windows
sigma
remote desktop may be used legitimately by users on the network.
t1021.001
endpoint
splunk
third party rdp tools
t1021
t1021.001
windows
sigma
this tool was designed for home usage and not commonly seen in production environment. filter as needed.
t1021.001
endpoint
splunk
valid user was not added to rdp group
t1021
t1021.001
windows
sigma
wsl (windows sub system for linux)
t1021
t1021.001
windows
sigma
LoFP
/
t1021.001