Preparation
Archive Data
Authorization Token Staging
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Impersonation
Increase Privileges
IT Ticketing System Exploration
Joiner
Mover
Network Scanning
On-Screen Data Collection
Persistent Access via Bots
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
VPN Usage
- ID: PR026.001
- Created: 07th May 2025
- Updated: 23rd October 2025
- Platform: Windows
- MITRE ATT&CK®: T1021.001
- Contributor: The ITM Team
Remote Desktop (RDP) Access on Windows Systems
The subject initiates configuration changes to enable Remote Desktop Protocol (RDP) or Remote Assistance on a Windows system, typically through the System Properties dialog, registry modifications, or local group policy. This behavior may indicate preparatory actions to grant unauthorized remote access to the endpoint, whether to an external actor, co-conspirator, or secondary account.
Characteristics
Subject opens the Remote tab within the System Properties dialog (SystemPropertiesRemote.exe) and enables:
- Remote Assistance
Remote Desktop
May configure additional RDP-related settings such as:
- Allowing connections from any version of RDP clients (less secure)
Adding specific users to theRemote Desktop Users group
Modifying Group Policy to allow RDP access
Often accompanied by:
- Firewall rule changes to allow inbound RDP (
TCP 3389)
Creation of local accounts or service accounts with RDP permissions
Disabling sleep, lock, or idle timeout settings to keep the system continuously accessible
In some cases, used to stage access prior to file exfiltration, remote control handoff, or backdoor persistence.
Example Scenario
A subject accesses the Remote tab via SystemPropertiesRemote.exe and enables Remote Desktop, selecting the “Allow connections from computers running any version of Remote Desktop” option. They add a personal email-based Microsoft account to the Remote Desktop Users group. No help desk ticket or change request is submitted. Over the following days, successful RDP logins are observed from an IP address outside of corporate VPN boundaries, correlating with a data transfer spike.
Preventions (6)
Detections (6)
MITRE ATT&CK® Mapping (1)
ATT&CK Enterprise Matrix Version 18.1