AN0931: Analytic 0931
Remote Desktop (RDP) logon by a user followed by unusual process execution, file access, or lateral movement activity within a short timeframe.
Analyst context for executives and security teams
This analytic is a practical post-logon monitoring concept for Windows environments: after a Remote Desktop (RDP) sign-in, look for unusual process execution, file access, or lateral movement in a short time window. Its value lies less in detecting RDP use, which is often legitimate, than in helping teams distinguish routine remote administration from activity that requires rapid investigation.
Executive priority
RDP is commonly used for administration and remote access, so business risk depends on whether the organization can prove who used it, from where, and what happened immediately afterward. Leaders should ask whether Windows logon activity, endpoint process activity, file access, and lateral movement evidence are retained and correlated well enough to support incident response, access reviews, and audit evidence after a suspicious remote session.
Technical view
For SOC and detection engineering teams, validate whether Windows RDP logon events can be correlated with endpoint activity in a short timeframe for the same user and host. The analytic should focus on deviations after RDP authentication: unusual child or follow-on processes, unexpected access to sensitive files or shares, and signs of movement to other systems. Because no official detection logic is supplied, local baselining is required to define what is unusual for administrators, help desk users, service accounts, and business users.
Likely telemetry
- Windows Security logon events indicating RDP or remote interactive sessions: Event ID 4624 with logon type 10 (RemoteInteractive). When Network Level Authentication is in use, a type 3 (network) logon for the same account typically precedes the type 10 event, and reconnects to an existing session are recorded separately (4778 reconnected, 4779 disconnected), so a reconnect may not appear as a fresh logon.
- User, source address (the 4624 "Source Network Address" field), destination host, and timestamp context for remote logons
- Endpoint process creation telemetry on Windows hosts: Security Event ID 4688 (requires "Audit Process Creation"; command lines appear only if "Include command line in process creation events" is enabled) or Sysmon Event ID 1
- File access telemetry where available: Security Event ID 4663 for local paths (requires an object-access SACL on the path) and 5145 for network shares (detailed file share auditing)
- Network connection or authentication telemetry showing possible lateral movement after the RDP session: network logons (4624 type 3) or explicit-credential logons (4648) by the same account on other hosts, and outbound connection telemetry such as Sysmon Event ID 3
Detection direction
- Correlate RDP logon activity with process execution, file access, and follow-on authentication or connection activity within a defined short timeframe.
- Baseline normal RDP behavior by role, host type, and user group to reduce false positives from legitimate administration.
- Prioritize alerts where RDP is followed by rare processes, access to sensitive locations, or connections to additional internal systems.
- Tune separately for privileged users and administrative jump hosts, where RDP may be normal but post-logon behavior still needs scrutiny.
- Watch for telemetry gaps: RDP logons without endpoint process data, file access visibility, or lateral movement evidence will limit the analytic’s value.
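The correlation described in the technical view and the detection bullets above, as an added example that is not part of the MITRE object or of this page: a Python function that replays normalized Windows Security events and raises one alert per RDP logon (4624, logon type 10) that is followed within a configurable window by a process outside a per-role baseline, access to an assumed-sensitive path, or a network logon by the same account on another host. The event records, the user-to-role map, the baseline allowlists and the sensitive-path prefixes are all constructed for this example; a real deployment would pull them from the SIEM and from local baselining.

```python
"""Correlate RDP logons with suspicious follow-on activity (illustrative example)."""
from datetime import datetime, timedelta

# Windows Security log identifiers used below:
#   4624 logon_type 10 = RemoteInteractive (RDP) logon
#   4624 logon_type 3  = network logon (candidate lateral movement when on another host)
#   4688               = process creation (needs "Audit Process Creation" enabled)
#   4663               = object access (needs an object-access SACL on the path)
RDP_LOGON_TYPE = 10
NETWORK_LOGON_TYPE = 3

# Assumed local baseline (constructed for this example): processes routinely seen
# right after an RDP logon, per role, plus the user -> role map. Separate baselines
# per role implement the "tune separately for privileged users" guidance.
BASELINE = {
    "business": {"explorer.exe", "mmc.exe", "outlook.exe", "rdpclip.exe"},
    "admin": {"explorer.exe", "mmc.exe", "powershell.exe", "cmd.exe", "rdpclip.exe"},
}
ROLE_OF_USER = {"jdoe": "business", "admin1": "admin"}
# Assumed sensitive locations (constructed); matched as case-insensitive prefixes.
SENSITIVE_PREFIXES = ("c:\\finance\\payroll\\", "\\\\fs01\\hr\\")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate_rdp_followons(events, window_seconds=600):
    """Return one alert per RDP logon followed, within window_seconds, by a
    non-baseline process on the same host, a sensitive file access on the same
    host, or a network logon by the same user on a different host. An RDP
    session with only baseline activity produces no alert."""
    events = sorted(events, key=_ts)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for logon in events:
        if logon["event_id"] != 4624 or logon.get("logon_type") != RDP_LOGON_TYPE:
            continue
        start, end = _ts(logon), _ts(logon) + window
        user, host = logon["user"].lower(), logon["host"]
        allowed = BASELINE.get(ROLE_OF_USER.get(user, "business"), set())
        findings = []
        for e in events:
            if not (start < _ts(e) <= end) or e["user"].lower() != user:
                continue
            if e["event_id"] == 4688 and e["host"] == host:
                if _basename(e["process"]) not in allowed:
                    findings.append(("rare_process", e["process"]))
            elif e["event_id"] == 4663 and e["host"] == host:
                if e["object"].lower().startswith(SENSITIVE_PREFIXES):
                    findings.append(("sensitive_file", e["object"]))
            elif (e["event_id"] == 4624 and e.get("logon_type") == NETWORK_LOGON_TYPE
                  and e["host"] != host):
                # Same account authenticating to another host inside the window.
                # In production also compare the network logon's source address
                # with the RDP target host to avoid flagging unrelated sessions.
                findings.append(("lateral_logon", e["host"]))
        if findings:
            alerts.append({"user": user, "host": host, "logon_ts": logon["ts"],
                           "src_ip": logon.get("src_ip"), "findings": findings})
    return alerts


# Constructed sample telemetry: one business user whose RDP session is followed by a
# rare process, a sensitive file read and a network logon elsewhere; one admin whose
# RDP session on a jump host stays within the admin baseline; one local logon.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "src_ip": "10.0.5.20"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "event_id": 4688, "user": "jdoe",
     "process": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-05-01T09:01:10", "host": "WS01", "event_id": 4688, "user": "jdoe",
     "process": "C:\\Windows\\System32\\mmc.exe"},
    {"ts": "2024-05-01T09:02:30", "host": "WS01", "event_id": 4688, "user": "jdoe",
     "process": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\procdump64.exe"},
    {"ts": "2024-05-01T09:03:00", "host": "WS01", "event_id": 4663, "user": "jdoe",
     "object": "C:\\Finance\\Payroll\\salaries_2024.xlsx"},
    {"ts": "2024-05-01T09:04:00", "host": "SRV02", "event_id": 4624, "logon_type": 3,
     "user": "jdoe", "src_ip": "10.0.7.11"},
    {"ts": "2024-05-01T09:05:00", "host": "WS03", "event_id": 4624, "logon_type": 2,
     "user": "mlee"},
    {"ts": "2024-05-01T09:10:00", "host": "JUMP01", "event_id": 4624, "logon_type": 10,
     "user": "admin1", "src_ip": "10.0.1.5"},
    {"ts": "2024-05-01T09:10:04", "host": "JUMP01", "event_id": 4688, "user": "admin1",
     "process": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-05-01T09:11:00", "host": "JUMP01", "event_id": 4688, "user": "admin1",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2024-05-01T12:00:00", "host": "WS01", "event_id": 4688, "user": "jdoe",
     "process": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\later.exe"},  # outside window
]

if __name__ == "__main__":
    for alert in correlate_rdp_followons(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for jdoe on WS01 carrying three findings; admin1's session on JUMP01 is silent because PowerShell is in the admin baseline, the 12:00 process is ignored because no RDP logon opened a window around it, and shrinking the window to two minutes suppresses the jdoe alert entirely, which is the kind of sensitivity that local tuning has to settle.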
Mitigation priorities
- Confirm RDP exposure and usage are governed by access policy, least privilege, and documented administrative workflows.
- Ensure identity controls can distinguish normal remote administration from unusual user, host, or timing patterns.
- Centralize Windows logon, endpoint process, file access, and authentication telemetry needed for correlation.
- Apply stronger monitoring and review for privileged accounts and systems commonly accessed through RDP.
- Use findings from this analytic to inform incident response playbooks for suspicious remote sessions, including account review, host triage, and lateral movement scoping.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique entry. It is specific to Windows and describes suspicious activity following RDP logon, but it does not provide tactics, relationships, or official detection logic. The strongest defensive value comes from correlation and baselining rather than treating RDP use alone as suspicious.
The supplied ATT&CK fields do not include relationship context, associated techniques, procedure examples, data components, mitigations, or detailed detection pseudocode. Any assessment of severity, active exploitation, attribution, or detection coverage requires local environment data and cannot be inferred from this object alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 77426c2c5369… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0931
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.