MITRE ATT&CK Technique
Description
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-11T18:23:26.059Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may use [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078) to log '
'into a computer using the Remote Desktop Protocol (RDP). The '
'adversary may then perform actions as the logged-on user.\n'
'\n'
'Remote desktop is a common feature in operating systems. It '
'allows a user to log into an interactive session with a '
'system desktop graphical user interface on a remote system. '
'Microsoft refers to its implementation of the Remote Desktop '
'Protocol (RDP) as Remote Desktop Services (RDS).(Citation: '
'TechNet Remote Desktop Services) \n'
'\n'
'Adversaries may connect to a remote system over RDP/RDS to '
'expand access if the service is enabled and allows access to '
'accounts with known credentials. Adversaries will likely use '
'Credential Access techniques to acquire credentials to use '
'with RDP. Adversaries may also use RDP in conjunction with '
'the [Accessibility '
'Features](https://attack.mitre.org/techniques/T1546/008) or '
'[Terminal Services '
'DLL](https://attack.mitre.org/techniques/T1505/005) for '
'Persistence.(Citation: Alperovitch Malware)',
'external_references': [{'external_id': 'T1021.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1021/001'},
{'description': 'Alperovitch, D. (2014, October 31). '
'Malware-Free Intrusions. Retrieved '
'November 17, 2024.',
'source_name': 'Alperovitch Malware',
'url': 'https://web.archive.org/web/20191115195333/https://www.crowdstrike.com/blog/adversary-tricks-crowdstrike-treats/'},
{'description': 'Microsoft. (n.d.). Remote Desktop '
'Services. Retrieved June 1, 2016.',
'source_name': 'TechNet Remote Desktop Services',
'url': 'https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx'}],
'id': 'attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'lateral-movement'}],
'modified': '2025-10-24T17:49:33.524Z',
'name': 'Remote Desktop Protocol',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Matthew Demaske, Adaptforward'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.4'}