T1021.001
Remote Services: Remote Desktop Protocol
Description from ATT&CK
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.(Citation: Alperovitch Malware) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - RDP to DomainController
Attempt an RDP session via Remote Desktop Application to a DomainController.
Supported Platforms: windows
auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("\") |
| domain | domain argument default %USERDOMAIN% | String | $Env:USERDOMAIN |
| username | Username argument default %username% | String | $ENV:USERNAME |
| password | Password | String | 1password2! |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"
Cleanup Commands:
1
2
3
$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
Dependencies: Run with powershell!
Description: Computer must be domain joined
Check Prereq Commands:
1
2
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
Get Prereq Commands:
1
2
Write-Host Joining this computer to a domain must be done manually
Atomic Test #2 - RDP to Server
Attempt an RDP session via Remote Desktop Application over Powershell
Supported Platforms: windows
auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| logonserver | ComputerName | String | WIN-DC |
| username | Username | String | Administrator |
| password | Password | String | 1password2! |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
$Server="#{logonserver}"
$User="#{username}"
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"
Cleanup Commands:
1
2
3
$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }