ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™Insider Threat Matrix™
  • ID: PR026
  • Created: 29th April 2025
  • Updated: 23rd October 2025
  • Platform: Windows
  • MITRE ATT&CK®: T1219.002T1021.001
  • Contributor: The ITM Team

Remote Desktop (RDP)

The subject initiates configuration or usage of Remote Desktop Protocol (RDP) to enable remote control of an endpoint or server, typically for purposes not sanctioned by the organization. This activity may include enabling RDP settings through system configuration, altering firewall rules, adding users to RDP groups, or initiating browser-based remote access sessions. While RDP is commonly used for legitimate administrative and support purposes, its unauthorized configuration is a well-documented preparatory behavior preceding data exfiltration, sabotage, or persistent unauthorized access.

 

RDP can be enabled through local system settings, remote management tools, or even web-based services that proxy or tunnel RDP traffic through HTTPS. Subjects may configure RDP access for themselves, for a secondary device, or to facilitate third-party (external) involvement in insider threat activities.

Subsections (2)

ID Name Description
PR026.001Remote Desktop (RDP) Access on Windows Systems

The subject initiates configuration changes to enable Remote Desktop Protocol (RDP) or Remote Assistance on a Windows system, typically through the System Properties dialog, registry modifications, or local group policy. This behavior may indicate preparatory actions to grant unauthorized remote access to the endpoint, whether to an external actor, co-conspirator, or secondary account.

 

Characteristics

Subject opens the Remote tab within the System Properties dialog (SystemPropertiesRemote.exe) and enables:

  • Remote Assistance
    Remote Desktop

 

May configure additional RDP-related settings such as:

  • Allowing connections from any version of RDP clients (less secure)
    Adding specific users to the Remote Desktop Users group
    Modifying Group Policy to allow RDP access

 

Often accompanied by:

  • Firewall rule changes to allow inbound RDP (TCP 3389)
    Creation of local accounts or service accounts with RDP permissions
    Disabling sleep, lock, or idle timeout settings to keep the system continuously accessible

 

In some cases, used to stage access prior to file exfiltration, remote control handoff, or backdoor persistence.

 

Example Scenario

A subject accesses the Remote tab via SystemPropertiesRemote.exe and enables Remote Desktop, selecting the “Allow connections from computers running any version of Remote Desktop” option. They add a personal email-based Microsoft account to the Remote Desktop Users group. No help desk ticket or change request is submitted. Over the following days, successful RDP logins are observed from an IP address outside of corporate VPN boundaries, correlating with a data transfer spike.

PR026.002Remote Desktop Web Access

The subject initiates or configures access to a system using Remote Desktop or Remote Assistance via a web browser interface, often through third-party tools or services (e.g., LogMeIn, AnyDesk, Chrome Remote Desktop, Microsoft RD Web Access). This behavior may indicate preparatory actions to facilitate unauthorized remote access, either for a co-conspirator, a secondary device, or future remote exfiltration. Unlike traditional RDP clients, browser-based remote access methods may bypass endpoint controls and often operate over HTTPS, making detection more difficult with traditional monitoring.

 

This method may be used when traditional RDP clients are blocked or monitored, or when the subject intends to evade installed software policies and gain access through externally hosted portals. While some web-based tools require agents to be installed on the target machine, others permit remote viewing or interaction without full installation, particularly when configured in advance.