T1021.001 - Remote Services: Remote Desktop Protocol
Description from ATT&CK (opens in a new tab)
Adversaries may use Valid Accounts (opens in a new tab) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features (opens in a new tab) or Terminal Services DLL (opens in a new tab) for Persistence.(Citation: Alperovitch Malware)
Atomic Tests
-
Atomic Test #2 - Changing RDP Port to Non Standard Port via Powershell
-
Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt
Atomic Test #1 - RDP to DomainController
Attempt an RDP session via Remote Desktop Application to a DomainController.
Supported Platforms: Windows
auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("\") |
| domain | domain argument default %USERDOMAIN% | string | $Env:USERDOMAIN |
| username | Username argument default %username% | string | $ENV:USERNAME |
| password | Password | string | 1password2! |
Attack Commands: Run with powershell!
$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"Cleanup Commands:
$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }Dependencies: Run with powershell!
Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manuallyAtomic Test #2 - Changing RDP Port to Non Standard Port via Powershell
Changing RDP Port to Non Standard Port via Powershell
Supported Platforms: Windows
auto_generated_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| OLD_Remote_Port | Default RDP Listening Port | string | 3389 |
| NEW_Remote_Port | New RDP Listening Port | string | 4489 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}Cleanup Commands:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction Ignore
Get-Service TermService | Restart-Service -Force -ErrorAction IgnoreAtomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt
Changing RDP Port to Non Standard Port via Command_Prompt
Supported Platforms: Windows
auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| OLD_Remote_Port | Default RDP Listening Port | string | 3389 |
| NEW_Remote_Port | New RDP Listening Port | string | 4489 |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}Cleanup Commands:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
net stop TermService /y >nul 2>&1
net start TermService >nul 2>&1Atomic Test #4 - Disable NLA for RDP via Command Prompt
Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ (opens in a new tab) See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: 01d1c6c0-faf0-408e-b368-752a02285cb2
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| Default_UserAuthentication | Default UserAuthentication registry value | string | 1 |
Attack Commands: Run with command_prompt!
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /fCleanup Commands:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication} /t REG_DWORD -f >nul 2>&1