An uncommon RDP session was established

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-03-15
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Enhanced RDP Analytics

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Informational

Description

An RDP session was established with uncommon parameters.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.

Variations

An uncommon RDP session was established from a Suspicious Autonomous System (AS)

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Medium

Description

An RDP session was established with uncommon parameters.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session was established originating from a chained RDP session which is also from a rare subnet

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established with uncommon parameters. The connection appears to originate from an endpoint that itself received an RDP connection, suggesting a chained session.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session was established between subnets with no prior communication

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established with uncommon parameters. The source and destination subnets have not been observed communicating with each other previously.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session was established involving subnets with no prior RDP history

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established with uncommon parameters. Neither the source nor the destination subnet has been observed participating in RDP sessions previously.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session was established involving a destination subnet which rarely receives incoming RDP sessions

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established with uncommon parameters. The destination subnet is rarely involved in RDP activity.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.
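The variations above are distinguished by what the 30-day baseline does or does not contain for the subnets involved, and alerts are collapsed over the 1-day deduplication period. The following added example (not Cortex XDR's own logic) illustrates that classification over a constructed connection log; the /24 subnet grouping, the one-hour window used to call a session "chained", and the rarity threshold for a destination subnet are assumptions, not values from this reference.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

TRAINING = timedelta(days=30)      # training period stated in the reference
DEDUP = timedelta(days=1)          # deduplication period stated in the reference
CHAIN_WINDOW = timedelta(hours=1)  # assumed: inbound RDP this recent makes the source a chained hop
RARE_DST = 2                       # assumed: fewer inbound RDP sessions than this = "rarely receives"

def subnet(ip):
    return str(ip_network(f"{ip}/24", strict=False))  # assumed: baseline keyed by /24

def classify(event, history):
    """Return the variation names from the reference that apply to one RDP session.
    Items are dicts with ts, src, dst, proto; history holds all prior connections."""
    ts, src, dst = event["ts"], event["src"], event["dst"]
    window = [h for h in history if ts - TRAINING <= h["ts"] < ts]   # training period only
    rdp = [h for h in window if h["proto"] == "rdp"]
    s, d = subnet(src), subnet(dst)
    tags = []
    if any(h["dst"] == src and ts - h["ts"] <= CHAIN_WINDOW for h in rdp):
        tags.append("chained session")
    if not any({subnet(h["src"]), subnet(h["dst"])} == {s, d} for h in window):
        tags.append("subnets with no prior communication")
    seen = {x for h in rdp for x in (subnet(h["src"]), subnet(h["dst"]))}
    if s not in seen and d not in seen:
        tags.append("subnets with no prior RDP history")
    if sum(subnet(h["dst"]) == d for h in rdp) < RARE_DST:
        tags.append("destination subnet rarely receives RDP")
    return tags

def dedup(alerts):
    """Keep one alert per src/dst pair per deduplication period."""
    last, kept = {}, []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["src"], a["dst"])
        if key not in last or a["ts"] - last[key] >= DEDUP:
            last[key] = a["ts"]
            kept.append(a)
    return kept

T0 = datetime(2026, 3, 1)
def at(**delta): return T0 + timedelta(**delta)  # offsets for the constructed samples

HISTORY = [  # constructed sample connection log, not real telemetry
    {"ts": at(), "src": "10.1.0.5", "dst": "10.2.0.9", "proto": "rdp"},
    {"ts": at(days=3), "src": "10.1.0.7", "dst": "10.2.0.9", "proto": "rdp"},
    {"ts": at(days=5), "src": "10.3.0.2", "dst": "10.4.0.8", "proto": "smb"},
    {"ts": at(days=12, hours=9), "src": "10.1.0.5", "dst": "10.2.0.9", "proto": "rdp"},
]
```

A session from 10.2.0.9 twenty minutes after it received RDP from 10.1.0.5, towards a subnet never seen before, is tagged as chained, as a new subnet pair, and as a rarely-targeted destination, which is the combination the "chained RDP session which is also from a rare subnet" variation describes.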