Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Lateral Movement/ T1021.001

T1021.001Remote Desktop Protocol

T1021.001 — Remote Desktop Protocol is a MITRE ATT&CK technique in the Lateral Movement tactic. Clankerusecase tracks 20 detection use cases covering it and 14 threat-intel articles citing it.

Lateral Movement
View on the matrix → Filter Detection Library MITRE official spec ↗
20Use cases
14Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1021 · Remote Services

Use cases covering this technique (20)

Allow Inbound Traffic By Firewall Rule Registry ESCU actions · alerting P Allow Inbound Traffic In Firewall Rule ESCU actions · alerting P Remote Desktop Process Running On System ESCU actions · hunting P Windows Default RDP File Creation By Non MSTSC Process ESCU actions · hunting P Windows Default Rdp File Unhidden ESCU actions · hunting P Windows MSTSC RDP Commandline ESCU actions · hunting P Windows Process Execution From RDP Share ESCU actions · hunting P Windows RDP Bitmap Cache File Creation ESCU actions · hunting P Windows RDP Client Launched with Admin Session ESCU actions · hunting P Windows RDP File Execution ESCU actions · alerting P Windows RDP Login Session Was Established ESCU actions · hunting P Windows RDP Server Registry Entry Created ESCU actions · hunting P Windows Remote Service Rdpwinst Tool Execution ESCU actions · alerting P Windows Remote Services Allow Rdp In Firewall ESCU actions · hunting P Windows Remote Services Allow Remote Assistance ESCU actions · hunting P Windows Remote Services Rdp Enable ESCU actions · alerting P Remote Desktop Network Traffic ESCU actions · hunting P Windows Default RDP File Creation ESCU actions · hunting P [LLM] mstsc.exe child process after outbound RDP to external server (RDC heap overflow) Bespoke exploit · alerting DSΣPDDCS [LLM] termsrv.dll patched (multi-RDP enabling) - takeown + binary write + TermService restart Bespoke install · alerting DSΣPDDCS

Articles citing this technique (14)

crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
crit Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities art-76
high Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer art-212
crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219
crit Webworm: New burrowing techniques art-240
crit Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities art-302
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325
crit CISA KEV: CVE-2026-41940 — WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability art-344
high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408
crit Gotta fly: Lazarus targets the UAV sector art-734
crit CISA KEV: CVE-2025-5777 — Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability art-848
crit CISA KEV: CVE-2025-6543 — Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability art-858
high What you should know about PHP code security art-1160