t1021.001

Title
administrative activity
administrative activity using a remote port forwarding to a local port
administrator may allow inbound traffic in certain network or machine.
administrator may remote desktop a spe
although it is recommended to not have rdp exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. work to secure the server if you are unable to remove it from being exposed to the internet.
false positives may be present based on administrators using rdp files for legitimate purposes. filter as needed.
network admin may add/remove/modify public inbound firewall rule that may cause this rule to be triggered.
programs that connect locally to the rdp port
remote desktop may be used legitimately by users on the network.
third party rdp tools
this tool was designed for home usage and not commonly seen in production environment. filter as needed.
valid user was not added to rdp group
wsl (windows subsystem for linux)