Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
Atomic Test #2 - Changing RDP Port to Non Standard Port via Powershell
Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt
Attempt an RDP session via Remote Desktop Application to a DomainController.
Supported Platforms: Windows
auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
| Name | Description | Type | Default Value | |——|————-|——|—————| | logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart(“\”)| | domain | domain argument default %USERDOMAIN% | string | $Env:USERDOMAIN| | username | Username argument default %username% | string | $ENV:USERNAME| | password | Password | string | 1password2!|
1
powershell
1
2
3
4
5
6
$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"
1
2
$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
1
powershell
1
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
1
Write-Host Joining this computer to a domain must be done manually
Changing RDP Port to Non Standard Port via Powershell
Supported Platforms: Windows
auto_generated_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
| Name | Description | Type | Default Value | |——|————-|——|—————| | OLD_Remote_Port | Default RDP Listening Port | string | 3389| | NEW_Remote_Port | New RDP Listening Port | string | 4489|
1
powershell
1
2
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}
1
2
3
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction Ignore
Get-Service TermService | Restart-Service -Force -ErrorAction Ignore
Changing RDP Port to Non Standard Port via Command_Prompt
Supported Platforms: Windows
auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
| Name | Description | Type | Default Value | |——|————-|——|—————| | OLD_Remote_Port | Default RDP Listening Port | string | 3389| | NEW_Remote_Port | New RDP Listening Port | string | 4489|
1
command_prompt
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
net stop TermService /y >nul 2>&1
net start TermService >nul 2>&1
Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
Supported Platforms: Windows
auto_generated_guid: 01d1c6c0-faf0-408e-b368-752a02285cb2
| Name | Description | Type | Default Value | |——|————-|——|—————| | Default_UserAuthentication | Default UserAuthentication registry value | string | 1|
1
command_prompt
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication} /t REG_DWORD -f >nul 2>&1