AN0750: Analytic 0750
Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections.
Analyst context for executives and security teams
This analytic matters because it focuses on a common post-logon risk pattern on Windows: a user account signs in through RDP or WMI and is then associated with unusual command execution, file activity, or lateral network connections. For leaders, the decision value is whether remote administration activity can be separated from suspicious account misuse quickly enough to support containment decisions.
Executive priority
Prioritize this as a validation item for Windows remote access monitoring and incident response readiness. The key business question is not just whether RDP or WMI use is logged, but whether the SOC can identify when that access is followed by behavior that is uncommon for the user, host, or administrative workflow. This supports resilience, privileged access oversight, and audit evidence for remote administration controls.
Technical view
SOC and detection teams should validate correlation across Windows logon events, RDP or WMI access indicators, process execution, file manipulation, and network connection telemetry. Because the official analytic does not provide a detection rule, teams should define what “uncommon” means locally, such as rare commands, unusual parent-child process activity, unexpected file writes, or new lateral connections after remote logon. Baselines should account for legitimate administrators, management tools, service accounts, and scheduled maintenance.
Likely telemetry
- Windows logon and authentication events showing RDP or WMI access
- Process creation telemetry for command execution after logon
- File creation, modification, deletion, or rename activity on Windows hosts
- Network connection telemetry showing lateral connections after remote access
- Account, host, and time-of-day context for user behavior baselining
Detection direction
- Correlate RDP or WMI logon by a user account with subsequent uncommon command execution, file manipulation, or lateral network connections on the same host or related hosts.
- Tune baselines by user, host role, administrative group, and maintenance window to reduce false positives from normal IT operations.
- Validate visibility gaps around WMI activity, remote logons, process command-line capture, and endpoint-to-endpoint network connections.
- Treat alerts as triage leads requiring context, because the supplied ATT&CK object provides an analytic description but no official detection logic or thresholds.
- Review whether privileged and service accounts have distinct baselines, since legitimate administrative activity can resemble suspicious lateral movement behavior.
Mitigation priorities
- Ensure Windows remote access paths such as RDP and WMI are governed, logged, and limited to authorized users and hosts.
- Strengthen account controls for users able to perform remote administration, including least privilege and periodic access review.
- Improve endpoint logging coverage for process creation, file activity, and network connections so the analytic can be validated with evidence.
- Document approved remote administration patterns to help the SOC distinguish routine operations from uncommon behavior.
- Use incident response playbooks that quickly confirm account legitimacy, host scope, and whether lateral connections occurred after the remote logon.
Analyst notes and limits
The object is a detection analytic for Windows with a concise behavior description and no supplied tactic, relationship context, or official detection logic. The practical value comes from validating correlation and baselining around RDP/WMI logons followed by unusual activity, not from deploying a complete MITRE-provided rule.
This take is limited to the supplied ATT&CK fields and external reference. It does not assert active exploitation, actor attribution, specific ATT&CK techniques, coverage quality, or detection effectiveness. Local telemetry, administrative practices, and account baselines are required to operationalize the analytic.
Analytic 0750
Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 70a34f98a367… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0750Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.