
Insider Threat Matrix™

Network Access Control (NAC)

Network Access Control (NAC) manages and regulates devices accessing an organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks.

NAC performs the following functions:

  • Device Authentication and Authorization: Checks whether the device meets the organization’s security policies before granting access.
  • Compliance Checks: Verifies that devices have up-to-date security patches and configurations. Non-compliant devices may be denied access or placed in a quarantined network zone.
  • Segmentation and Isolation: Restricts devices' access to sensitive areas, limiting potential impact from compromised devices.
  • Continuous Monitoring: Tracks connected devices for ongoing compliance and can automatically quarantine or disconnect those that fall out of compliance.
  • Policy Enforcement: Applies security policies to ensure devices can only access appropriate resources based on their security status.


NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers.

Sections

ID Name Description
IF020: Unauthorized VPN Client

The subject installs and uses an unapproved VPN client, potentially violating organizational policy. By using a VPN service not controlled by the organization, the subject can bypass security controls, reducing the security team’s visibility into network activity conducted through the unauthorized VPN. This could lead to significant security risks, as monitoring and detection mechanisms are circumvented.

IF019: Non-Corporate Device

The subject performs work-related tasks on an unauthorized, non-organization-owned device, likely violating organizational policy. Without the organization’s security controls in place, this device could be used to bypass established safeguards. Moreover, using a personal device increases the risk of sensitive data being retained or exposed, particularly after the subject is offboarded, as the organization has no visibility or control over information stored outside its managed systems.

ME022: Bring Your Own Device (BYOD)

An organization has a Bring Your Own Device (BYOD) policy, where a subject is authorized to connect personally owned devices—such as smartphones, tablets, or laptops—to organizational resources. These resources include corporate networks, cloud applications, and on-premises systems that may handle confidential and/or sensitive information.


The use of personal devices in a corporate environment introduces several risks, as these devices may lack the same level of security controls and monitoring as organization-owned equipment.

PR026: Remote Desktop (RDP) Access on Windows Systems

The subject initiates configuration changes to enable Remote Desktop Protocol (RDP) or Remote Assistance on a Windows system, typically through the System Properties dialog, registry modifications, or local group policy. This behavior may indicate preparatory actions to grant unauthorized remote access to the endpoint, whether to an external actor, co-conspirator, or secondary account.


Characteristics

The subject opens the Remote tab within the System Properties dialog (SystemPropertiesRemote.exe) and enables:

  • Remote Assistance
  • Remote Desktop

May configure additional RDP-related settings such as:

  • Allowing connections from any version of RDP clients (less secure)
  • Adding specific users to the Remote Desktop Users group
  • Modifying Group Policy to allow RDP access

Often accompanied by:

  • Firewall rule changes to allow inbound RDP (TCP 3389)
  • Creation of local accounts or service accounts with RDP permissions
  • Disabling sleep, lock, or idle timeout settings to keep the system continuously accessible


In some cases, this activity is used to stage access prior to file exfiltration, remote control handoff, or backdoor persistence.


Example Scenario

A subject accesses the Remote tab via SystemPropertiesRemote.exe and enables Remote Desktop, selecting the “Allow connections from computers running any version of Remote Desktop” option. They add a personal email-based Microsoft account to the Remote Desktop Users group. No help desk ticket or change request is submitted. Over the following days, successful RDP logins are observed from an IP address outside of corporate VPN boundaries, correlating with a data transfer spike.
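The detection logic behind the scenario above, as an added example that is not part of the Insider Threat Matrix itself: it correlates constructed Windows event records (Sysmon-style registry changes, Security 4732 group additions and 4624 RemoteInteractive logons) for one host and flags RDP enablement without a change ticket, NLA being switched off, additions to Remote Desktop Users, and RDP logons from outside an assumed corporate VPN range. The VPN pool, host name, accounts and timestamps are all assumed sample values.

```python
import ipaddress

# Assumed corporate VPN address pool; replace with the real environment's ranges.
VPN_RANGES = [ipaddress.ip_network("10.20.0.0/16")]
# fDenyTSConnections = 0 enables RDP; UserAuthentication = 0 disables NLA
# (the "any version of Remote Desktop" option).
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
NLA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"

# Constructed sample events (not real logs): id 13 = Sysmon registry value set,
# 4732 = member added to local group, 4624 = logon (type 10 = RemoteInteractive/RDP).
EVENTS = [
    {"ts": "2024-05-01T09:02:10", "id": 13, "host": "WS-0142", "user": "corp\\jdoe",
     "target": RDP_KEY, "value": "0"},
    {"ts": "2024-05-01T09:02:12", "id": 13, "host": "WS-0142", "user": "corp\\jdoe",
     "target": NLA_KEY, "value": "0"},
    {"ts": "2024-05-01T09:03:41", "id": 4732, "host": "WS-0142", "user": "corp\\jdoe",
     "group": "Remote Desktop Users", "member": "MicrosoftAccount\\jdoe.personal@example.com"},
    {"ts": "2024-05-02T08:00:00", "id": 4624, "host": "WS-0142", "user": "corp\\jdoe",
     "logon_type": 10, "src_ip": "10.20.5.8"},
    {"ts": "2024-05-03T22:14:05", "id": 4624, "host": "WS-0142",
     "user": "MicrosoftAccount\\jdoe.personal@example.com", "logon_type": 10, "src_ip": "203.0.113.45"},
]

def is_vpn_ip(ip: str) -> bool:
    """True when the source address falls inside the corporate VPN pool."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)

def assess_host(events, host, approved_hosts=frozenset()):
    """Return findings for one host in timestamp order; approved_hosts holds
    hosts with an open change request, so RDP enablement there is expected."""
    findings = []
    for ev in sorted((e for e in events if e["host"] == host), key=lambda e: e["ts"]):
        if ev["id"] == 13 and ev["target"] == RDP_KEY and ev["value"] == "0":
            tag = "approved" if host in approved_hosts else "no change ticket"
            findings.append(f"rdp_enabled ({tag}) by {ev['user']}")
        elif ev["id"] == 13 and ev["target"] == NLA_KEY and ev["value"] == "0":
            findings.append(f"nla_disabled by {ev['user']}")
        elif ev["id"] == 4732 and ev["group"] == "Remote Desktop Users":
            findings.append(f"rdp_group_add {ev['member']} by {ev['user']}")
        elif ev["id"] == 4624 and ev["logon_type"] == 10 and not is_vpn_ip(ev["src_ip"]):
            findings.append(f"external_rdp_logon {ev['user']} from {ev['src_ip']}")
    return findings

if __name__ == "__main__":
    for line in assess_host(EVENTS, "WS-0142"):
        print(line)
```

The VPN logon on 2024-05-02 produces no finding; only the configuration changes, the group addition and the logon from 203.0.113.45 are reported.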

IF002.010: Exfiltration via Bring Your Own Device (BYOD)

A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services.