Skip to content

DET0327 Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity

Item Value
ID DET0327
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1021.001 (Remote Desktop Protocol)

Analytics

Windows

AN0931

Remote Desktop (RDP) logon by a user followed by unusual process execution, file access, or lateral movement activity within a short timeframe.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4778, EventCode=4779
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
TimeWindow Temporal threshold to correlate login with post-login activity (e.g., 5 minutes)
UserContext Tune for non-admin users or service accounts expected to use RDP
ProcessList Define suspicious post-login processes such as cmd.exe, powershell.exe, certutil.exe
HostAccessPatterns Scope detection to uncommon or first-time access between source and destination hosts