Challenges of Detecting RDP anomalies in a SOC

Oftentimes SOC analysts face the challenge of tuning detection techniques. This might be due to updates to logging parameters or new patches that change the underlying logs generated. Sometimes customers deploy older versions of products that are no longer supported by the vendor. It could also be that the existing detection rule deployed by the SOC needs improvement. The list goes on. Understandably, these issues might be due to lack of expertise, budget constraints, etc.

Largely independent of these scenarios is RDP. It has been around for as long as we can remember. Building detections around RDP in a SOC environment is a bit more challenging than in a blue team environment. My goal in this article is to summarize how RDP works, how it is currently detected (as far as a SOC analyst knows) and what could be done to improve it.

If we map RDP to the MITRE framework, it can essentially be used for initial access, lateral movement and data exfiltration. Almost every APT has used this tactic before.

To briefly go over the RDP architecture: it is an extension of Windows Terminal Server and shares the same underlying logic. The linked article does an excellent job of explaining how it works. (Image courtesy of Microsoft.)

INITIAL ACCESS:

For initial access, brute-forcing RDP is a simple and effective way for adversaries to gain access to the network. The prerequisite, however, is a publicly exposed RDP service, typically listening on port 3389. Many users are aware of this and block the service at the perimeter firewall. However, some use cases require this port to be open.

When a user successfully authenticates using RDP from an external network, Windows logs security Event ID 4624 with logon type 10. On a failed authentication attempt we see Event ID 4625 with logon type 10. An important point to remember is that this applies to endpoint security logs.

Assuming we collect data from servers such as ADs, with the advent of NLA from Windows Vista onwards, a failed or successful logon using RDP shows up as a 4624/4625 with logon type 3. This makes it harder to distinguish network logons from remote interactive logons.

The Microsoft ATP team did research on thousands of endpoint systems listening on port 3389 and exposed to the internet. Almost every system saw some level of scanning or brute-forcing. Some 90% of cases exceeded 10 login failure attempts, with a median larger than 60. In addition, these unusual daily counts had a high positive correlation with extreme counts in shorter time windows. These attacks lasted from days to weeks.

Let us observe the additional Windows security logs generated by failed and successful RDP logins. To observe this, I used a Windows 10 virtual machine and the native Windows 10 host to RDP into the VM. Note that I RDP as the administrator. Also, type 10 events will not trigger in this case for the reasons mentioned above.

Failed RDP login:

Event 4776 The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: vagrant
Source Workstation: DESKTOP-7JI65JU
Error Code: 0xC000006A

Event 4625 An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain:
    Logon ID: 0x0

Logon Type: 3

Account for Which Logon Failed:
    Security ID: NULL SID
    Account Name: vagrant
    Account Domain: DESKTOP-7JI65JU

Failure Information:
    Failure Reason: Unknown username or bad password
    Status: 0xC000006D
    Sub Status: 0xC000006A

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: DESKTOP-7JI65JU
    Source Network Address: 192.168.38.1
    Source Port: 0

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

Successful login to the Admin account using RDP:

Event 4776 The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: vagrant
Source Workstation: DESKTOP-7JI65JU
Error Code: 0x0

Event 4672 Special privileges assigned to new logon.

Subject:
    Security ID: WIN10\vagrant
    Account Name: vagrant
    Account Domain: WIN10
    Logon ID: 0x312F92

Event 4624 An account successfully logged on.

Logon Information:
    Logon Type: 3
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: Yes
    Impersonation Level: Impersonation

New Logon:
    Security ID: WIN10\vagrant
    Account Name: vagrant
    Account Domain: WIN10
    Logon ID: 0x312F92
    Linked Logon ID: 0x0

Network Information:
    Workstation Name: DESKTOP-7JI65JU
    Source Network Address: 192.168.38.1
    Source Port: 0

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V2
    Key Length: 128

Event 4627 Group member information.

Logon Type: 3

New Logon:
    Security ID: WIN10\vagrant
    Account Name: vagrant
    Account Domain: WIN10
    Logon ID: 0x231A30
    Event in sequence: 1 of 1

Group Membership:
    WIN10\None
    Everyone
    NT AUTHORITY\Local account and member of Administrators group …

Event 4688 A new process has been created.

Process Information:
    New Process ID: 0x984
    New Process Name: C:\Windows\System32\smss.exe
    Token Elevation Type: %%1936
    Mandatory Label: Mandatory Label\System Mandatory Level
    Creator Process ID: 0x14c
    Creator Process Name: C:\Windows\System32\smss.exe
    Process Command Line: \SystemRoot\System32\smss.exe 000000e0 00000084

Event 4688 A new process has been created.

Process Information:
    New Process ID: 0xfe4
    New Process Name: C:\Windows\System32\csrss.exe
    Token Elevation Type: %%1936
    Mandatory Label: Mandatory Label\System Mandatory Level
    Creator Process ID: 0x984
    Creator Process Name: C:\Windows\System32\smss.exe
    Process Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Event 4688 A new process has been created.

Process Information:
    New Process ID: 0x49c
    New Process Name: C:\Windows\System32\LogonUI.exe
    Token Elevation Type: %%1936
    Mandatory Label: Mandatory Label\System Mandatory Level
    Creator Process ID: 0xde0
    Creator Process Name: C:\Windows\System32\winlogon.exe
    Process Command Line: "LogonUI.exe" /flags:0x0 /state0:0xa38e9855 /state1:0x41c64e6d

smss.exe, csrss.exe and winlogon.exe are system-level processes that start whenever RDP is invoked, and they will usually generate a high volume of noise if included in the detection. In conclusion, the first prevention technique will always be to disable RDP over the network; there are very few use cases that require it. However, in case the RDP port is listening, the following can be used to detect initial-access failures and successful logins:

  • Count of login failures: more than 10 Event ID 4625 with logon type filtered to 3 or 10, depending on the source of the logs.
  • Failure reason: Event ID 4625 logon type combined with the failure reason (%%2308, %%2312, %%2313).
  • Eliminating usual logins: if the source IP is known, it can be excluded from processing.
  • Count per source IP: the same source remaining constant and exceeding 10 login failures.
  • Credential validation followed by a successful login from an unknown IP: 4776 followed by 4624 from an unknown IP address.
  • Perimeter firewall: inbound port 3389 monitoring on the perimeter firewall. This is purely for correlation, as it is going to generate a lot of noise.
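The rules above, expressed as code over a handful of constructed Windows Security events (an added example, not part of the original article): a per-source 4625 count with an allowlist, the threshold of more than 10 failures, and the 4776-then-4624 pairing. The allowlisted address, the event field names and the workstation-name join used for 4776 (which carries no source IP) are assumptions for the example.

```python
from collections import defaultdict

KNOWN_SOURCES = {"10.0.0.5"}   # assumption: an allowlisted admin workstation
FAILURE_THRESHOLD = 10         # the article's rule: more than 10 failures
RDP_LOGON_TYPES = {3, 10}      # type 3 when NLA is in front, type 10 without it

def _failures(src, n, t0, ws):
    """Build n constructed 4625 events (bad password, logon type 3) from one client."""
    return [{"t": t0 + i, "id": 4625, "logon_type": 3, "src_ip": src,
             "workstation": ws, "sub_status": "0xC000006A"} for i in range(n)]

# Constructed sample, not real telemetry: 12 failures from an unknown address, then
# a 4776 credential validation and a 4624 success from the same client workstation;
# 3 failures from the allowlisted host, which is ordinary typo noise.
EVENTS = (_failures("203.0.113.7", 12, 0, "DESKTOP-7JI65JU")
          + [{"t": 20, "id": 4776, "workstation": "DESKTOP-7JI65JU", "error": "0x0"},
             {"t": 21, "id": 4624, "logon_type": 3, "src_ip": "203.0.113.7",
              "workstation": "DESKTOP-7JI65JU"}]
          + _failures("10.0.0.5", 3, 30, "ADMIN-PC"))

def failures_per_source(events, known=KNOWN_SOURCES):
    """Count 4625 events with an RDP-relevant logon type per source IP,
    skipping allowlisted sources (the 'eliminating usual logins' rule)."""
    counts = defaultdict(int)
    for e in events:
        if (e["id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES
                and e["src_ip"] not in known):
            counts[e["src_ip"]] += 1
    return dict(counts)

def brute_force_sources(events, threshold=FAILURE_THRESHOLD):
    """Sources exceeding the failure threshold (the 'count per source IP' rule)."""
    return sorted(s for s, n in failures_per_source(events).items() if n > threshold)

def validated_logons_from_unknown(events, known=KNOWN_SOURCES, window=60):
    """4776 with error 0x0 followed within `window` seconds by a 4624 from a
    non-allowlisted IP. 4776 carries no source address, so the two events are
    joined on the client workstation name instead (an assumption of this example)."""
    last_4776 = {}                       # workstation -> time of last good validation
    hits = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["id"] == 4776 and e["error"] == "0x0":
            last_4776[e["workstation"]] = e["t"]
        elif e["id"] == 4624 and e["src_ip"] not in known:
            t0 = last_4776.get(e["workstation"])
            if t0 is not None and e["t"] - t0 <= window:
                hits.append((e["src_ip"], e["workstation"]))
    return hits
```

Running `brute_force_sources(EVENTS)` flags only 203.0.113.7; the allowlisted host's three failures are never counted, which is exactly the noise reduction the allowlist rule is for.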

While I could not cover everything, I came across a few articles that might make interesting reading:

  • Palo Alto’s very detailed article on EsteemAudit, an RDP vulnerability.
  • FireEye’s article on RDP tunneling using plink.
  • RDP events triggered by an alternative log source.

Lateral Movement

Post-exploitation, the adversary is likely to try to move around the network. Using RDP for lateral movement is, again, simple and effective. NetFlow logging is a great tool for detecting RDP-based lateral movement attempts. While NetFlow is proprietary to Cisco, other vendors have similar implementations such as qflow, azureflow and others.

So, what fields do we get in NetFlow records? Many. But for the purpose of detecting RDP anomalies, we need flow records carrying the source and destination addresses and ports, the TCP flag values, the number of bytes and the number of packets.

Observe the table below, taken from a research paper on RDP authentication flows on a Windows 7 client.

According to the research, each authentication process was completed in a single flow. (A single flow here is the bidirectional ‘flow’ of packets: think ‘A to B’ and ‘B to A’.)

The first two flows are attempted authentications. The next flow record is a session cancelled just after successful authentication, and the last flow record is the use of RDP after successful authentication. The increase in bytes and packets is indicative of this change.
Furthermore, observe the two tables below. The first shows the worm Morto, which uses RDP to move laterally, and the second a brute-forcing attempt using Ncrack. We see patterns similar to a legitimate authentication attempt. Both images are courtesy of the research paper mentioned above.

Note that in practical detections using NetFlow, only one direction of the flow is considered, to avoid confusion. In this case we want to look at the flow from the adversary to the victim, i.e. from A to B. With that in mind, we want to look at the following:

  • For authentication attempts, the source address where the destination port is 3389 and the byte count is less than 10,000 bytes.
  • For a successful authentication, out-bytes greater than 10,000 indicate data transfer.
  • A high number of failed 4625 Event IDs can be correlated with entries for port 3389 in the NetFlow logs.
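The three NetFlow rules above, as an added example that is not part of the original article: client-to-server flows to 3389 are labelled as authentication attempts or sessions by the 10,000-byte cut-off, and sources with many 4625 failures that also opened a session-sized flow are surfaced. The flow records, the per-source 4625 counts and the field names are constructed for the example; a flow of exactly 10,000 bytes is treated as an attempt here.

```python
from collections import Counter

RDP_PORT = 3389
SESSION_BYTES = 10_000   # the article's cut-off between an attempt and a real session

# Constructed client-to-server (A to B) flow records, not real captures. "flags" is
# the union of TCP flags seen in the flow, as NetFlow exports it.
FLOWS = [
    {"src": "203.0.113.7", "dst": "10.0.0.20", "dport": 3389, "bytes": 1_900,   "pkts": 14,  "flags": "SPAF"},
    {"src": "203.0.113.7", "dst": "10.0.0.20", "dport": 3389, "bytes": 2_100,   "pkts": 15,  "flags": "SPAF"},
    {"src": "203.0.113.7", "dst": "10.0.0.20", "dport": 3389, "bytes": 48_000,  "pkts": 310, "flags": "SPA"},
    {"src": "10.0.0.5",    "dst": "10.0.0.20", "dport": 3389, "bytes": 130_000, "pkts": 900, "flags": "SPAF"},
    {"src": "10.0.0.9",    "dst": "10.0.0.20", "dport": 445,  "bytes": 5_000,   "pkts": 40,  "flags": "SPAF"},
]

# Constructed per-source 4625 counts, as the endpoint rules in the previous
# section would produce them.
FAILED_LOGONS = {"203.0.113.7": 12, "10.0.0.5": 1}

def classify_flow(flow):
    """'attempt' for a flow to 3389 at or under the byte cut-off (authentication
    only), 'session' above it (data moved after a successful logon), else 'other'."""
    if flow["dport"] != RDP_PORT:
        return "other"
    return "session" if flow["bytes"] > SESSION_BYTES else "attempt"

def rdp_activity_per_source(flows):
    """Count attempts and sessions to 3389 per source address."""
    activity = {}
    for f in flows:
        label = classify_flow(f)
        if label != "other":
            activity.setdefault(f["src"], Counter())[label] += 1
    return {src: dict(c) for src, c in activity.items()}

def suspicious_sources(flows, failed_logons, threshold=10):
    """Sources whose 4625 count exceeds the threshold and that also opened a
    session-sized flow to 3389: brute force followed by an interactive logon,
    confirmed across the endpoint and network log sources."""
    activity = rdp_activity_per_source(flows)
    return sorted(src for src, counts in activity.items()
                  if failed_logons.get(src, 0) > threshold and counts.get("session", 0) > 0)
```

The admin host 10.0.0.5 has the largest session but only one failure, so it is not flagged; 203.0.113.7 is, because its two small attempt flows and one session flow line up with twelve 4625 events.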

Finally, as far as data exfiltration using RDP is concerned, detecting out-bytes over destination port 3389 in the firewall or NetFlow logs can be a use case. However, by policy, data transfer over RDP should be disabled. This article does a good job of explaining how to configure it.
