Skip to content

Hide Navigation Hide TOC

New Remote Desktop Connection Initiated Via Mstsc.EXE (954f0af7-62dd-418f-b3df-a84bc2c7a774)

Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Cluster A Galaxy A Cluster B Galaxy B Level
New Remote Desktop Connection Initiated Via Mstsc.EXE (954f0af7-62dd-418f-b3df-a84bc2c7a774) Sigma-Rules Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2