ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT119
  • Created: 29th April 2025
  • Updated: 29th April 2025
  • Platform: Windows
  • Contributor: The ITM Team

SystemPropertiesRemote.exe Execution

Monitor and alert when the SystemPropertiesRemote.exe binary is executed, particularly by non-administrative users or accounts without prior history of remote access configuration. This executable launches the Remote tab within System Properties, a primary interface for enabling Remote Desktop or Remote Assistance.

 

Detection Methods

  • Enable process creation auditing (Windows Event ID 4688) to capture execution events.
    Deploy EDR or SIEM rules to specifically alert on SystemPropertiesRemote.exe launches.
    Flag executions by users outside of IT, system administration, or authorized privileged groups.
    Correlate execution events with time-of-day, user role, and subsequent system configuration changes.

 

Indicators

  • Execution of SystemPropertiesRemote.exe by non-privileged users.
    Executions occurring outside standard business hours or approved change windows.
    Execution activity associated with further remote access configuration changes or registry modifications.

Sections

ID Name Description
PR026Remote Desktop (RDP) Access on Windows Systems

The subject initiates configuration changes to enable Remote Desktop Protocol (RDP) or Remote Assistance on a Windows system, typically through the System Properties dialog, registry modifications, or local group policy. This behavior may indicate preparatory actions to grant unauthorized remote access to the endpoint, whether to an external actor, co-conspirator, or secondary account.

 

Characteristics

Subject opens the Remote tab within the System Properties dialog (SystemPropertiesRemote.exe) and enables:

  • Remote Assistance
  • Remote Desktop
  •  

May configure additional RDP-related settings such as:

  • Allowing connections from any version of RDP clients (less secure)
  • Adding specific users to the Remote Desktop Users group
  • Modifying Group Policy to allow RDP access
  •  

Often accompanied by:

  • Firewall rule changes to allow inbound RDP (TCP 3389)
  • Creation of local accounts or service accounts with RDP permissions
  • Disabling sleep, lock, or idle timeout settings to keep the system continuously accessible

 

In some cases, used to stage access prior to file exfiltration, remote control handoff, or backdoor persistence.

 

Example Scenario

A subject accesses the Remote tab via SystemPropertiesRemote.exe and enables Remote Desktop, selecting the “Allow connections from computers running any version of Remote Desktop” option. They add a personal email-based Microsoft account to the Remote Desktop Users group. No help desk ticket or change request is submitted. Over the following days, successful RDP logins are observed from an IP address outside of corporate VPN boundaries, correlating with a data transfer spike.