Remote Desktop Detection
Protection Module: RemoteDesktop
Detects if the application is running inside a remote desktop or remote access session.
Available for:
- Desktop Applications (Windows, Linux, macOS)
- Server Applications
How It Works
Remote Desktop Detection identifies remote access sessions through system APIs and session characteristics.
Detection Methods:
- Session Type Analysis - Identifies RDP session indicators
- Process Detection - Detects remote access tool processes
- Display Driver Analysis - Identifies virtual display drivers
- Network Connection Patterns - Detects remote access traffic
- Environment Variables - Checks session-specific variables
Detected Tools:
- Microsoft Remote Desktop (RDP)
- VNC (TightVNC, RealVNC, UltraVNC)
- TeamViewer
- AnyDesk
- Chrome Remote Desktop
- Remote Assistance
- LogMeIn
- Splashtop
Configuration
JSON
{
"protections": {
"RemoteDesktop": {
"enabled": true,
"action": "log",
"intervalMs": 120000
}
}
}{
"protections": {
"RemoteDesktop": {
"enabled": true,
"action": "log",
"intervalMs": 120000
}
}
}Code-Based Configuration
C#
await Payload.ConfigureAsync(config =>
{
config.AddProtection(ProtectionModuleType.RemoteDesktop, ActionType.Log);
});await Payload.ConfigureAsync(config =>
{
config.AddProtection(ProtectionModuleType.RemoteDesktop, ActionType.Log);
});Advanced Configuration
JSON
{
"protections": {
"RemoteDesktop": {
"enabled": true,
"action": "custom",
"intervalMs": 120000,
"config": {
"detectRdp": true,
"detectVnc": true,
"detectThirdParty": true,
"allowedTools": []
}
}
}
}{
"protections": {
"RemoteDesktop": {
"enabled": true,
"action": "custom",
"intervalMs": 120000,
"config": {
"detectRdp": true,
"detectVnc": true,
"detectThirdParty": true,
"allowedTools": []
}
}
}
}Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Log | Record remote session | Analytics, monitoring |
| Close | Terminate application | High-security apps |
| Custom | Execute custom logic | User warnings, restrictions |
Configuration Parameters
| Parameter | Description | Default |
|---|---|---|
detectRdp | Detect Microsoft RDP sessions | true |
detectVnc | Detect VNC connections | true |
detectThirdParty | Detect TeamViewer, AnyDesk, etc. | true |
allowedTools | Whitelist of allowed tools | [] |
When to Use
Recommended for:
- DRM-Protected Software - Prevent screen capture via remote tools
- Financial Applications - Detect suspicious remote access
- Exam/Testing Software - Prevent remote assistance during tests
- Licensing Enforcement - Different license for remote/local use
- Security Monitoring - Track remote access patterns
Not recommended for:
- Server applications (legitimate remote admin)
- Enterprise apps (common to use RDP)
- Apps designed for remote access
Code Examples
Basic Remote Session Detection
C#
config.RegisterCustomAction("remote-session-handler", async (threat) =>
{
var sessionType = threat.Metadata["sessionType"]?.ToString();
var toolName = threat.Metadata["toolName"]?.ToString();
await LogSecurityEventAsync("remote_desktop_detected", new
{
SessionType = sessionType,
Tool = toolName,
Timestamp = DateTime.UtcNow,
UserName = Environment.UserName,
MachineName = Environment.MachineName
});
await ShowWarningAsync(
"Remote Session Detected",
$"This application is running in a {sessionType} session ({toolName}). " +
"Some features may be restricted."
);
});config.RegisterCustomAction("remote-session-handler", async (threat) =>
{
var sessionType = threat.Metadata["sessionType"]?.ToString();
var toolName = threat.Metadata["toolName"]?.ToString();
await LogSecurityEventAsync("remote_desktop_detected", new
{
SessionType = sessionType,
Tool = toolName,
Timestamp = DateTime.UtcNow,
UserName = Environment.UserName,
MachineName = Environment.MachineName
});
await ShowWarningAsync(
"Remote Session Detected",
$"This application is running in a {sessionType} session ({toolName}). " +
"Some features may be restricted."
);
});DRM Content Protection
C#
config.RegisterCustomAction("drm-remote-check", async (threat) =>
{
var isRemote = threat.Metadata["isRemote"] as bool? ?? false;
var sessionType = threat.Metadata["sessionType"]?.ToString();
if (isRemote)
{
await LogSecurityEventAsync("drm_remote_access_blocked");
await ShowMessageAsync(
"Remote Access Not Allowed",
"This application cannot run in a remote desktop session due to content protection requirements."
);
Environment.Exit(-1);
}
});config.RegisterCustomAction("drm-remote-check", async (threat) =>
{
var isRemote = threat.Metadata["isRemote"] as bool? ?? false;
var sessionType = threat.Metadata["sessionType"]?.ToString();
if (isRemote)
{
await LogSecurityEventAsync("drm_remote_access_blocked");
await ShowMessageAsync(
"Remote Access Not Allowed",
"This application cannot run in a remote desktop session due to content protection requirements."
);
Environment.Exit(-1);
}
});Feature Restriction
C#
config.RegisterCustomAction("remote-feature-restriction", async (threat) =>
{
var isRemote = threat.Metadata["isRemote"] as bool? ?? false;
if (isRemote)
{
// Disable sensitive features
AppConfig.AllowScreenCapture = false;
AppConfig.AllowPrinting = false;
AppConfig.AllowExport = false;
await ShowInfoAsync(
"Remote Session",
"Some features are disabled when running remotely for security."
);
}
});config.RegisterCustomAction("remote-feature-restriction", async (threat) =>
{
var isRemote = threat.Metadata["isRemote"] as bool? ?? false;
if (isRemote)
{
// Disable sensitive features
AppConfig.AllowScreenCapture = false;
AppConfig.AllowPrinting = false;
AppConfig.AllowExport = false;
await ShowInfoAsync(
"Remote Session",
"Some features are disabled when running remotely for security."
);
}
});Exam/Testing Mode
C#
config.RegisterCustomAction("exam-remote-check", async (threat) =>
{
var isRemote = threat.Metadata["isRemote"] as bool? ?? false;
var toolName = threat.Metadata["toolName"]?.ToString();
if (isRemote)
{
// Report violation to exam server
await ExamApiClient.ReportViolationAsync(new
{
StudentId = CurrentStudent.Id,
ViolationType = "RemoteAccess",
Tool = toolName,
Timestamp = DateTime.UtcNow
});
await ShowMessageAsync(
"Exam Violation",
"Remote desktop connections are not allowed during exams. " +
"This incident has been reported."
);
// Lock exam
await ExamService.LockExamAsync();
Environment.Exit(-1);
}
});config.RegisterCustomAction("exam-remote-check", async (threat) =>
{
var isRemote = threat.Metadata["isRemote"] as bool? ?? false;
var toolName = threat.Metadata["toolName"]?.ToString();
if (isRemote)
{
// Report violation to exam server
await ExamApiClient.ReportViolationAsync(new
{
StudentId = CurrentStudent.Id,
ViolationType = "RemoteAccess",
Tool = toolName,
Timestamp = DateTime.UtcNow
});
await ShowMessageAsync(
"Exam Violation",
"Remote desktop connections are not allowed during exams. " +
"This incident has been reported."
);
// Lock exam
await ExamService.LockExamAsync();
Environment.Exit(-1);
}
});Detection Metadata
Windows RDP Session
JSON
{
"isRemote": true,
"sessionType": "RDP",
"toolName": "Microsoft Remote Desktop",
"sessionId": 2,
"clientName": "DESKTOP-ABC123",
"clientAddress": "192.168.1.100"
}{
"isRemote": true,
"sessionType": "RDP",
"toolName": "Microsoft Remote Desktop",
"sessionId": 2,
"clientName": "DESKTOP-ABC123",
"clientAddress": "192.168.1.100"
}VNC Session
JSON
{
"isRemote": true,
"sessionType": "VNC",
"toolName": "TightVNC",
"processId": 5678,
"processPath": "C:\\Program Files\\TightVNC\\tvnserver.exe"
}{
"isRemote": true,
"sessionType": "VNC",
"toolName": "TightVNC",
"processId": 5678,
"processPath": "C:\\Program Files\\TightVNC\\tvnserver.exe"
}TeamViewer
JSON
{
"isRemote": true,
"sessionType": "ThirdParty",
"toolName": "TeamViewer",
"processId": 9012,
"version": "15.42.7"
}{
"isRemote": true,
"sessionType": "ThirdParty",
"toolName": "TeamViewer",
"processId": 9012,
"version": "15.42.7"
}Platform-Specific Detection
Windows
C#
// Detect RDP using Windows API
var sessionId = Process.GetCurrentProcess().SessionId;
var isRdp = GetSystemMetrics(SM_REMOTESESSION) != 0;
// Check for VNC processes
var vncProcesses = new[] { "tvnserver", "winvnc", "vncserver" };
var isVnc = Process.GetProcesses()
.Any(p => vncProcesses.Contains(p.ProcessName.ToLower()));// Detect RDP using Windows API
var sessionId = Process.GetCurrentProcess().SessionId;
var isRdp = GetSystemMetrics(SM_REMOTESESSION) != 0;
// Check for VNC processes
var vncProcesses = new[] { "tvnserver", "winvnc", "vncserver" };
var isVnc = Process.GetProcesses()
.Any(p => vncProcesses.Contains(p.ProcessName.ToLower()));Linux
C#
// Check for X11 remote session
var display = Environment.GetEnvironmentVariable("DISPLAY");
var sshConnection = Environment.GetEnvironmentVariable("SSH_CONNECTION");
var isRemote = !string.IsNullOrEmpty(sshConnection) ||
(display?.Contains(":") == true && display != ":0");// Check for X11 remote session
var display = Environment.GetEnvironmentVariable("DISPLAY");
var sshConnection = Environment.GetEnvironmentVariable("SSH_CONNECTION");
var isRemote = !string.IsNullOrEmpty(sshConnection) ||
(display?.Contains(":") == true && display != ":0");macOS
C#
// Detect Screen Sharing (VNC)
var processes = Process.GetProcesses();
var isScreenSharing = processes.Any(p =>
p.ProcessName.Contains("screensharingd") ||
p.ProcessName.Contains("ARDAgent")
);// Detect Screen Sharing (VNC)
var processes = Process.GetProcesses();
var isScreenSharing = processes.Any(p =>
p.ProcessName.Contains("screensharingd") ||
p.ProcessName.Contains("ARDAgent")
);Platform Compatibility
| Platform | Support | Detection Methods |
|---|---|---|
| Windows | ✔ | RDP API, process detection, session info |
| Linux | ✔ | SSH detection, X11 forwarding, VNC |
| macOS | ✔ | Screen Sharing, ARD detection |
| RDP | ✔ | Full support |
| VNC | ✔ | Process and driver detection |
| TeamViewer | ✔ | Process detection |
| AnyDesk | ✔ | Process detection |
Best Practices
- Use Log Action for Analytics
C#
// Most apps should just track remote usage
action: ActionType.Log// Most apps should just track remote usage
action: ActionType.Log- Whitelist Corporate Tools
JSON
{
"config": {
"allowedTools": ["Microsoft Remote Desktop", "Corporate VPN"]
}
}{
"config": {
"allowedTools": ["Microsoft Remote Desktop", "Corporate VPN"]
}
}- Feature Degradation vs Blocking
C#
// Disable features instead of blocking entirely
if (isRemote)
{
DisableSensitiveFeatures();
}// Disable features instead of blocking entirely
if (isRemote)
{
DisableSensitiveFeatures();
}- User Notification
C#
// Inform user about restrictions
await ShowInfoAsync("Running remotely - some features disabled");// Inform user about restrictions
await ShowInfoAsync("Running remotely - some features disabled");Threat Detection Details
JSON
{
"threatId": "RDP-2025-12-28-5678",
"description": "Remote desktop session detected",
"moduleType": "RemoteDesktop",
"detectedAt": "2025-12-28T21:00:00Z",
"confidence": 0.95,
"metadata": {
"isRemote": true,
"sessionType": "RDP",
"toolName": "Microsoft Remote Desktop",
"sessionId": 2,
"clientName": "WORKSTATION-XYZ",
"clientAddress": "192.168.1.150",
"userName": "john.doe",
"sessionStartTime": "2025-12-28T20:45:00Z"
}
}{
"threatId": "RDP-2025-12-28-5678",
"description": "Remote desktop session detected",
"moduleType": "RemoteDesktop",
"detectedAt": "2025-12-28T21:00:00Z",
"confidence": 0.95,
"metadata": {
"isRemote": true,
"sessionType": "RDP",
"toolName": "Microsoft Remote Desktop",
"sessionId": 2,
"clientName": "WORKSTATION-XYZ",
"clientAddress": "192.168.1.150",
"userName": "john.doe",
"sessionStartTime": "2025-12-28T20:45:00Z"
}
}Related Protections
Actions
Configure responses
Custom Actions
Create handlers