- ID: DT120
- Created: 29th April 2025
- Updated: 30th April 2025
- Platform: Windows
- Contributor: The ITM Team
Modification of RDP Registry Keys
Monitor for changes to critical Windows Registry keys responsible for controlling Remote Desktop Protocol (RDP) functionality. Unauthorized changes may indicate an insider preparing systems for unauthorized remote access.
Detection Methods
- Enable auditing of registry key changes through Windows Advanced Audit Policy (Event ID 4657).
- Monitor the specific value fDenyTSConnections under the key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.
- Alert when the value is changed from 1 (RDP disabled) to 0 (RDP enabled).
- Track changes to firewall configurations permitting inbound TCP traffic on port 3389.
Indicators
- Registry modifications enabling RDP on systems without associated change requests.
- Modifications made by users without administrative responsibilities.
- Creation of new firewall rules allowing inbound RDP connections on unauthorized systems.
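The registry part of the detection methods above, together with the "non-administrative user" indicator, written as Python detection logic over constructed Event ID 4657 records (an added example, not part of the ITM page). The records are assumed to be already parsed into 4657 field names by a SIEM, ADMIN_ACCOUNTS is a constructed allow-list, and the native-path normalisation assumes 4657 logs the key as \REGISTRY\MACHINE\...\ControlSet001\...; note that 4657 is only generated when Audit Registry is enabled and the key carries a SACL.

```python
import re
from typing import Optional

# DT120 watches this value: 1 = RDP disabled (default), 0 = RDP enabled.
WATCHED_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
WATCHED_VALUE = "fDenyTSConnections"
# Constructed: accounts that hold administrative responsibilities (Indicator 2).
ADMIN_ACCOUNTS = {"svc_desktop_admin"}

def normalize_key(object_name: str) -> str:
    """Map the native path logged in 4657 onto the HKLM\\...\\CurrentControlSet form
    used in the detection method (assumption: ControlSet00N is the live set)."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if object_name.upper().startswith(prefix):
        object_name = "HKLM\\" + object_name[len(prefix):]
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", object_name, flags=re.I)

def classify(event: dict) -> Optional[str]:
    """Label one parsed Security event; None means no DT120 finding."""
    if event.get("EventID") != 4657:
        return None
    if normalize_key(event["ObjectName"]).lower() != WATCHED_KEY.lower():
        return None
    if event["ObjectValueName"].lower() != WATCHED_VALUE.lower():
        return None
    # 4657 carries old/new data as strings; only the 1 -> 0 transition enables RDP.
    if event["OldValue"].strip() != "1" or event["NewValue"].strip() != "0":
        return "rdp_value_touched"  # disabling or re-writing: log, do not alert
    if event["SubjectUserName"] not in ADMIN_ACCOUNTS:
        return "rdp_enabled_by_non_admin"
    return "rdp_enabled"

def scan(events: list) -> list:
    """Return (account, process, label) for every event that matches DT120."""
    return [(ev["SubjectUserName"], ev["ProcessName"], lbl)
            for ev in events if (lbl := classify(ev))]

SAMPLE_EVENTS = [  # constructed records, already parsed into 4657 field names
    {"EventID": 4657, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\SystemPropertiesRemote.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"},
    {"EventID": 4657, "SubjectUserName": "svc_desktop_admin",
     "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "0", "NewValue": "1"},
    {"EventID": 4657, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example\Unrelated",
     "ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"},
]
```

Hits for the first record should then be correlated with the absence of a change request and with new inbound TCP/3389 firewall rules, as the indicators above describe.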
Sections
| ID | Name | Description |
|---|---|---|
| PR026 | Remote Desktop (RDP) | The subject initiates configuration or usage of Remote Desktop Protocol (RDP) to enable remote control of an endpoint or server, typically for purposes not sanctioned by the organization. This activity may include enabling RDP settings through system configuration, altering firewall rules, adding users to RDP groups, or initiating browser-based remote access sessions. While RDP is commonly used for legitimate administrative and support purposes, its unauthorized configuration is a well-documented preparatory behavior preceding data exfiltration, sabotage, or persistent unauthorized access. RDP can be enabled through local system settings, remote management tools, or even web-based services that proxy or tunnel RDP traffic through HTTPS. Subjects may configure RDP access for themselves, for a secondary device, or to facilitate third-party (external) involvement in insider threat activities. |
| PR026.001 | Remote Desktop (RDP) Access on Windows Systems | The subject initiates configuration changes to enable Remote Desktop Protocol (RDP) or Remote Assistance on a Windows system, typically through the System Properties dialog, registry modifications, or local group policy. This behavior may indicate preparatory actions to grant unauthorized remote access to the endpoint, whether to an external actor, co-conspirator, or secondary account.
Characteristics: Subject opens the Remote tab within the System Properties dialog (
May configure additional RDP-related settings such as:
Often accompanied by:
In some cases, used to stage access prior to file exfiltration, remote control handoff, or backdoor persistence.
Example Scenario: A subject accesses the Remote tab via SystemPropertiesRemote.exe and enables Remote Desktop, selecting the "Allow connections from computers running any version of Remote Desktop" option. They add a personal email-based Microsoft account to the Remote Desktop Users group. No help desk ticket or change request is submitted. Over the following days, successful RDP logins are observed from an IP address outside of corporate VPN boundaries, correlating with a data transfer spike. |