DET0327: Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity
Analyst context for executives and security teams
DET0327 is a detection strategy focused on correlating RDP-based remote logins with activity that follows access. Its business value is that RDP sessions can represent legitimate administration or adversary lateral movement using valid accounts, so single-event alerting is often insufficient. Leaders should treat this as a validation point for whether the SOC can distinguish routine remote administration from suspicious post-login behavior on Windows systems where RDP is used.
Executive priority
Prioritize this as an operational resilience and incident-response readiness question: can the organization prove who remotely accessed Windows systems over RDP, from where, and what happened next? This matters for containment decisions, privileged access review, audit evidence, and lateral-movement risk. Because the ATT&CK object does not provide an official detection analytic, teams should use it as a coverage assessment driver rather than assume an out-of-the-box control exists.
Technical view
The supplied relationship says this detection strategy detects T1021.001 Remote Desktop Protocol, a lateral-movement technique on Windows where adversaries may use valid accounts to log into a computer via RDP and act as the logged-on user. SOC and detection teams should validate multi-event correlation around RDP logon evidence and subsequent user/session activity, especially where the account, source, destination, timing, or follow-on actions differ from expected administration patterns. Since the detection strategy has no official detection text and no platform listed on the strategy object itself, engineering should anchor validation to the related technique context: Windows RDP lateral movement.
Likely telemetry
- Windows authentication and logon events related to RDP sessions
- Remote Desktop Services or terminal services session evidence
- Account, source host/IP, destination host, and timestamp context for remote logins
- Post-logon process, command, or administrative activity where collected
- Endpoint and SIEM correlation records linking logon events to later activity
Detection direction
- Validate that RDP logins are not reviewed only as isolated authentication events; correlate them with post-access activity on the destination host.
- Baseline expected remote administration patterns by account, source, destination, and time to reduce false positives from normal IT operations.
- Pay attention to valid-account use, because the related technique explicitly notes adversaries may use valid accounts for RDP access.
- Confirm telemetry continuity across identity, endpoint, and SIEM sources; gaps between logon records and endpoint activity will weaken this strategy.
- Treat the lack of official ATT&CK detection text as a requirement for local analytic design, testing, and tuning rather than a complete prescribed rule.
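The correlation and baselining steps above, carried out over a handful of normalized Windows events, as an added example that is not part of this page's or MITRE's material. It assumes the usual Security log identifiers (4624 with logon type 10 for a RemoteInteractive/RDP logon, 4688 for process creation, joined on the Logon ID), and the events and baseline are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page), already normalized by a SIEM.
# 4624 + logon_type 10 = RDP (RemoteInteractive) logon; 4688 = process creation.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "FS01", "id": 4624, "logon_type": 10,
     "user": "it-admin", "src_ip": "10.0.5.10", "logon_id": "0x3a1"},
    {"ts": "2024-05-01T09:02:00", "host": "FS01", "id": 4688, "logon_id": "0x3a1",
     "user": "it-admin", "proc": "mmc.exe"},
    {"ts": "2024-05-01T23:14:00", "host": "FS01", "id": 4624, "logon_type": 10,
     "user": "svc-backup", "src_ip": "10.0.9.77", "logon_id": "0x7f2"},
    {"ts": "2024-05-01T23:15:30", "host": "FS01", "id": 4688, "logon_id": "0x7f2",
     "user": "svc-backup", "proc": "net.exe"},
    {"ts": "2024-05-01T23:16:00", "host": "FS01", "id": 4688, "logon_id": "0x7f2",
     "user": "svc-backup", "proc": "whoami.exe"},
]

# Constructed baseline of expected remote administration: account -> sources, hours.
BASELINE = {"it-admin": {"sources": {"10.0.5.10"}, "hours": range(7, 20)}}
WINDOW = timedelta(minutes=30)  # how long after logon we attribute activity


def correlate_rdp_sessions(events, baseline=BASELINE, window=WINDOW):
    """Pair each RDP logon with processes started under the same Logon ID on the
    same host within the window, then flag deviations from the baseline."""
    rdp_logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 10]
    procs = defaultdict(list)
    for e in events:
        if e["id"] == 4688:
            procs[(e["host"], e["logon_id"])].append(e)
    findings = []
    for lg in rdp_logons:
        t0 = datetime.fromisoformat(lg["ts"])
        follow = [p["proc"] for p in procs[(lg["host"], lg["logon_id"])]
                  if timedelta(0) <= datetime.fromisoformat(p["ts"]) - t0 <= window]
        reasons = []
        known = baseline.get(lg["user"])
        if known is None:
            reasons.append("account has no RDP baseline")
        else:
            if lg["src_ip"] not in known["sources"]:
                reasons.append("unexpected source")
            if t0.hour not in known["hours"]:
                reasons.append("outside admin hours")
        findings.append({"user": lg["user"], "host": lg["host"], "src_ip": lg["src_ip"],
                         "followed_by": follow, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings
```

Each finding carries the post-logon process list so an analyst reviews the session as a unit rather than the logon alone; in production the baseline would be derived from historical logon data, not hand-written.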
Mitigation priorities
- Inventory where RDP is enabled and where it is required for business operations.
- Review access controls for accounts permitted to use RDP, especially privileged or administrative accounts.
- Ensure logging is enabled and retained for RDP authentication, session activity, and relevant endpoint events.
- Use segmentation, access governance, and identity controls to limit unnecessary remote desktop reachability and account misuse risk.
- Test incident-response procedures for investigating an RDP session from login through post-access activity.
Analyst notes and limits
This take is based on the detection strategy metadata and its ATT&CK relationship to T1021.001 Remote Desktop Protocol. The most useful defensive interpretation is multi-event correlation: RDP login plus what the session does afterward. The object itself does not provide an official description, tactic, platform, or detection logic, so local environment knowledge is necessary to define normal administration and suspicious deviations.
The detection strategy record is sparse: no official description, no official detection text, no platforms, and no tactics are specified on the object. Windows, lateral movement, valid-account use, and RDP behavior are supported only through the related T1021.001 technique context. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.001 | Remote Desktop Protocol (sub-technique) | This object detects Remote Desktop Protocol. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1e655a7ff40a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack, DET0327 (source URL).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.