DFIR Training
Remote Desktop Protocol (RDP) Triage
4/15/2020
DFIR Training - Gerritz (Infocyte)
Validating integrity via live forensic analysis of a set of hosts
Overview
Situation:
• Network is compromised but they didn’t leave behind a RAT (malware used Remote Access)
• Malware of Choice: Exposed or Tunneled RDP
Today’s Training:
• RDP Protocol & Attack Vectors
• Host-level Triage of RDP
– Event Logs
– Sysmon / EDR
• Recommendations for Securing RDP
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP)
Source: https://www.awingu.com/demystifying-rdp-understanding-rdp-vdi-rds/
Remote Desktop Protocol (RDP)
Description:
Default remote session protocol for all Microsoft Windows versions.
Used extensively in organizations for server management, remote desktop, VDI, and cloud management.
Protocol Implementations:
• RDP – Ports: TCP/UDP 3389 – OS: Windows Clients (XP+) – Meant For: Internal (insecure)
• RD Gateway (HTTPS/SSL) – Ports: TCP 443, UDP 3391 (Streaming) – OS: Windows Server 2k8R2+ – Meant For: External (securable)
Services Using RDP:
• Virtual Desktop (VDI) – Remote Dedicated VM
• Remote Desktop Services (RDS) – Remote Shared VM
• Hyper-V / Azure – GUI Emulation
RDP Attack Vectors
RDP Attacks Dominate
Coveware (IR Company) reported that in 1Q 2019:
• 63.5 percent of their ransomware cases relied on RDP as an entry vector.
• Pre-BlueKeep
Millions of exposed RDP ports on the web (Shodan)
Source: https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases
RDP Vulnerabilities
Description:
Plenty of RCE vulnerabilities in RDP (most of these target channels on TCP/UDP 3389 or UDP 3391)
• BlueKeep (CVE-2019-0708) – Scope: Remote / Pre-Auth – Used to execute remote code on RDP Servers on older OS servers/clients.
• DejaBlue (CVE-2019-1181, 1182, 1222, etc.) – Scope: Remote / Pre-Auth – BlueKeep-style vulns for modern OSes
• RDP Path Traversal (CVE-2019-0887) – Scope: Lateral – Turns a compromised RDP Server into a watering hole (pwn connecting clients)
• BlueGate (CVE-2020-0609, CVE-2020-0610) – Scope: Remote / Pre-Auth – Used to DoS or execute remote code on RD Gateways listening on UDP 3391
RDP Attacks
• RCE Vulns – RDP as entry vector via Vuln
• Weak Auth – RDP as entry vector via weak passwords (most popular)
• Lateral Movement – Credentialed RDP within Network; enabled for non-malware Persistence
• Lateral Movement – RDP Watering Hole attack via Path Traversal (CVE 2019-0887) (pwn connecting clients to elevate to DA)
• Session Hijack – Hijack session from compromised home office to corporate network (Priv Escalation)
Triaging Malicious RDP Usage
RDP Event Logs - Connections
Network Connection → Authentication → Logon → Reconnect → Activity → Logoff
Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
• Id 1149 (Connection) – User Network Authentication (Logon screen displayed)
  – Includes Source IP
  – Usefulness: Low (Can be noisy)
  – Associated to Id 131 (Connection Accepted) and Id 132 (Channel Connected)
Log: Security
• Id 4624 (Authentication) – Logon (Type 10)
  – Includes Source IP, UserSID and LoginID
  – Usefulness: High
  – Type 3 is an additional event for NLA-enabled sessions; Type 7 for Reconnects
  – Associated to Id 21
Log: Security
• Id 4778 (Authentication) – Reconnect (Type 10)
  – Includes Source IP + LoginID
  – Usefulness: Medium (unreliable)
  – A new LoginID is sometimes generated (needed for process-create correlation)
  – Associated to Id 25
RDP Event Logs - Sessions
Network Connection → Authentication → Session → Reconnects → Activity → Logoff
Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
• Id 21, 24, 25 (Session Logon) – RDP Session Created (21), Disconnected (24), Reconnected (25)
  – Includes Source IP & SessionID
  – Usefulness: Medium (timelining)
RDP Other Important Events
Log: Security or Sysmon/EDR
• Id 4688 (Sysmon Id 1) – Process Create
  – Includes LogonId and UserSID
  – Usefulness: High when correlated with 4624 (correlate on LogonId & SID)
Other Important Events to Consider:
• Startup folder - File Creation Events (Sysmon Id 11)
Network Connection → Authentication → Session → Reconnect → Activity → Logoff
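The correlation the three triage slides describe, as an added example that is not from the deck or Infocyte's extension: key on the 4624 Type 10 LogonId, attach the 4688 process creates and 4778 reconnects that share it, and flag sessions worth a closer look. The events are constructed and the dict field names are assumptions (a parser such as ConvertFrom-WinEvent would produce the real ones).

```python
# Added example (not from the deck or Infocyte's extension): correlate the
# RDP event chain from the slides on constructed sample events. Assumes the
# events were already parsed into dicts (e.g. via ConvertFrom-WinEvent).
EVENTS = [  # constructed; times, LogonIds and IPs are illustrative
    {"id": 1149, "t": "10:00:01", "user": "CORP\\jdoe", "src_ip": "203.0.113.7"},
    {"id": 4624, "t": "10:00:02", "user": "CORP\\jdoe", "logon_type": 3,
     "logon_id": "0x3E7A0", "src_ip": "203.0.113.7"},  # NLA pre-auth (Type 3)
    {"id": 4624, "t": "10:00:02", "user": "CORP\\jdoe", "logon_type": 10,
     "logon_id": "0x3E7A1", "src_ip": "203.0.113.7"},  # interactive RDP logon
    {"id": 21, "t": "10:00:03", "user": "CORP\\jdoe", "session_id": 2, "src_ip": "203.0.113.7"},
    {"id": 4688, "t": "10:00:20", "logon_id": "0x3E7A1",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4688, "t": "10:00:25", "logon_id": "0x3E7A1",
     "image": "C:\\Users\\jdoe\\Downloads\\dropper.exe"},
    {"id": 4688, "t": "10:05:00", "logon_id": "0x3E7",
     "image": "C:\\Windows\\System32\\svchost.exe"},  # SYSTEM, unrelated
    {"id": 4778, "t": "14:30:00", "user": "CORP\\jdoe", "logon_id": "0x3E7A1",
     "src_ip": "198.51.100.9"},  # reconnect from a different IP
]

def rdp_sessions(events):
    """Key on the 4624 Type 10 LogonId and attach every 4688 process create
    and 4778 reconnect that carries the same id. Type 3 (NLA) and Type 7
    logons are skipped: they duplicate a session already keyed by Type 10."""
    sessions = {}
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10:
            sessions[e["logon_id"]] = {"user": e["user"], "src_ip": e["src_ip"],
                                       "procs": [], "reconnect_ips": []}
    for e in events:
        s = sessions.get(e.get("logon_id"))
        if s is None:  # not tied to an RDP logon (e.g. SYSTEM 0x3E7)
            continue
        if e["id"] == 4688:
            s["procs"].append(e["image"])
        elif e["id"] == 4778:
            s["reconnect_ips"].append(e["src_ip"])
    return sessions

def suspicious(sessions):
    """Flag a session when a reconnect arrives from a source IP other than
    the original logon's, or a process ran from a user-writable path."""
    hits = []
    for logon_id, s in sessions.items():
        moved = any(ip != s["src_ip"] for ip in s["reconnect_ips"])
        user_path = any(p.lower().startswith("c:\\users\\") for p in s["procs"])
        if moved or user_path:
            hits.append(logon_id)
    return hits
```

When 4778 reports a new LoginID (the "unreliable" case on the slide), the reconnect will not join on the Type 10 id and must instead be tied to the session through Id 25's SessionID.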
EventLog Parsers
• Get-SysmonEvents
https://gist.github.com/singlethreaded/df6d810a95ca8fd6874be26e06a73320
• ConvertFrom-WinEvent
https://gist.github.com/singlethreaded/77f873ecaf6318750e270610ae6b35bd
• RDP Triage Script
https://gist.github.com/singlethreaded/c730e559f868f5380d7d5ccd2a56928e
• RDP Triage Infocyte Extension
https://github.com/Infocyte/extensions/blob/master/official/collection/rdp_triage.lua
Recommendations
Securing Publicly Available Services
Every IP on the internet is being bombarded by malicious requests...
Required Security Features for globally accessible services:
• SSL Certificates for Authentication (Verifies endpoint)
• Transport Encryption (e.g. HTTPS/TLS)
– Note: RDP is already encrypted so an HTTPS wrapper is mostly redundant
• Brute Force Mitigation (e.g. IP Auto-blocker on failed auth or malformed requests)
• Multi-Factor Authentication
• DDoS protection (e.g. Cloudflare) [Recommended]
RDP Can Be Secured
RDP can be an acceptable and secure remoting solution if configured correctly...
Recommendations:
• Enforce Network Level Authentication (DOUBLEPULSAR no like) enabled clients
• Use an RDP Gateway Solution (RD Gateway Role on Windows Server)
– Requires a valid SSL Certificate
– DO NOT self-sign certificates (unless you hate your users and/or your helpdesk)
• Enforce Two-Factor Authentication (2FA)
• IP Restrict RD Gateway or restrict to VPN if you can’t enable 2FA
Guide: https://turbofuture.com/computers/How-To-Setup-a-Remote-Desktop-Gateway-Windows-Server-2016
Azure MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
Network Level Authentication (NLA)
NLA completes user authentication before establishing the RD connection (before the logon screen appears).
Not foolproof, but many pre-auth vulns are rendered useless
Configuration: Easy
• Requires Windows Hosts AND Clients with RDC Version 6.0+ (Windows Vista+)
– Some Linux & OSX 3rd party clients have support
– Default on Windows 10 / Server 2012R2+
https://social.technet.microsoft.com/wiki/contents/articles/5490.configure-network-level-authentication-for-remote-desktop-services-connections.aspx
Securing RDP - Reality
“A service is only as secure as it is convenient to do so” - Overheard at a con
Reality Check:
• Fully securing RDP is a royal pain for most SMBs
– RDP Gateway + NPS Policy Server + RADIUS?
– Purchase an SSL Certificate?
• Can we all just block RDP? The trend is against us...
Thanks, dude…
https://duo.com/docs/rdgateway
Commercial Solutions
Duo has one of the easiest to implement RD Gateway solutions I’ve seen:
• Automatic 2FA
• Auth Gateway
Azure AD MFA works but is far more difficult to implement.
AWS also has a solution (but I haven’t tried it)
QUESTIONS
Chris Gerritz
Co-Founder, Infocyte
cgerritz@Infocyte.com
Twitter: @gerritzc
@InfocyteInc
The Weapon of Choice for Incident Responders
www.infocyte.com