@wesinator
Created October 12, 2018 23:41
Example alerting and detection strategy for RDP

Goal

Detect Remote Desktop Protocol (RDP) activity that could indicate malicious or unauthorised access.

Categorization

This activity is categorised as Lateral Movement in the kill chain and as Remote Desktop Protocol in the ATT&CK framework.

Strategy Abstract

The strategy consists of:

  • Collecting Windows authentication logs
    • Checking remote logon type events for unauthorised user access
  • Collecting netflow data for TCP/3389 (or the Remote Desktop service port if alternate)

Technical Context

Remote Desktop Protocol (RDP) provides remote login and GUI session access to Windows systems that have Remote Desktop Services (RDS) enabled. This functionality can be used by attackers or unauthorised users to gain new access to systems or move laterally across systems within the environment, gaining the privileges of the selected remote user.

The following Windows Security event IDs could be associated with possibly unauthorised Remote Desktop activity:

Event Code   Description
4624         An account was successfully logged on. (Logon Type 10 for Remote Desktop or Terminal Services)
4625         An account failed to log on. (Logon Type 10 for Remote Desktop or Terminal Services)
4648         A logon was attempted using explicit credentials.
4778         A session was reconnected to a Window Station.

Blind Spots and Assumptions

This strategy assumes the following:

A blind spot would occur if the assumptions are untrue, e.g.:

  • Windows event logging does not work correctly.
  • Logon event auditing is not enabled.

False Positives

False positives could easily occur for this ADS from legitimate Remote Desktop login activity:

  • Administrators or other authorised users regularly logging in via Remote Desktop.
  • Session reconnections to a previously open Remote Desktop session from a legitimate user.

Validation

Validation can be performed with the following procedure:

  • From a remote location, log in to Remote Desktop with intentionally incorrect credentials (tests event 4625).
  • Then, log in with the correct credentials on an account with Remote Desktop permissions (tests event 4624).
  • Disconnect and reconnect to the same Remote Desktop session (tests event 4778).

Priority

High priority conditions:

  • Invalid login (event 4625) on an administrator account in the absence of a following valid login (event 4624).
  • Successful login (event 4624) with a user account that is not expected to have remote desktop privileges.

Medium priority conditions:

  • Invalid login (event 4625) on a standard user account in the absence of a following valid login (event 4624).

Low priority conditions:

  • Event 4778
  • Event 4648
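The priority conditions above can be expressed as a small triage rule set. The following is an added example, not part of the original gist: it runs the high/medium/low rules over a constructed list of normalised Windows Security events (field names follow the Windows event schema; the records, account names, IP addresses, the allowlists and the ten-minute "following valid login" window are all assumptions made for this example).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Simplified form of a Windows Security event after SIEM normalisation.
# Only the fields the ADS rules need are kept.
@dataclass
class SecurityEvent:
    time: datetime
    event_id: int
    user: str                         # TargetUserName
    logon_type: Optional[int] = None  # LogonType (absent on 4648 / 4778)
    source_ip: Optional[str] = None   # IpAddress

RDP_LOGON_TYPE = 10  # RemoteInteractive: Remote Desktop / Terminal Services

# Hypothetical allowlists. A real deployment would derive these from the
# "Administrators" and "Remote Desktop Users" group memberships.
ADMIN_ACCOUNTS = {"admin.jane"}
RDP_PERMITTED = {"admin.jane", "helpdesk.bob"}

# How long after a failed logon a success from the same user is treated as
# "a following valid login" (assumed value, not from the ADS text).
FOLLOW_UP_WINDOW = timedelta(minutes=10)


def followed_by_success(failed: SecurityEvent, events: List[SecurityEvent]) -> bool:
    """True if the same user has a Logon Type 10 event 4624 shortly after `failed`."""
    return any(
        e.event_id == 4624
        and e.logon_type == RDP_LOGON_TYPE
        and e.user == failed.user
        and failed.time < e.time <= failed.time + FOLLOW_UP_WINDOW
        for e in events
    )


def prioritise(events: List[SecurityEvent]) -> List[Tuple[str, SecurityEvent]]:
    """Apply the ADS priority conditions; returns (priority, event) pairs."""
    alerts: List[Tuple[str, SecurityEvent]] = []
    for e in events:
        if e.event_id == 4625 and e.logon_type == RDP_LOGON_TYPE:
            if followed_by_success(e, events):
                continue  # user recovered from a mistyped password; no alert
            alerts.append(("high" if e.user in ADMIN_ACCOUNTS else "medium", e))
        elif e.event_id == 4624 and e.logon_type == RDP_LOGON_TYPE:
            if e.user not in RDP_PERMITTED:
                alerts.append(("high", e))  # success by an unexpected account
        elif e.event_id in (4778, 4648):
            alerts.append(("low", e))
    return alerts


# Constructed sample events (not real log data).
T0 = datetime(2018, 10, 12, 23, 0)
SAMPLE_EVENTS = [
    SecurityEvent(T0, 4625, "admin.jane", 10, "203.0.113.7"),                        # admin failure, never recovers
    SecurityEvent(T0 + timedelta(minutes=1), 4625, "helpdesk.bob", 10, "10.0.0.5"),  # typo ...
    SecurityEvent(T0 + timedelta(minutes=2), 4624, "helpdesk.bob", 10, "10.0.0.5"),  # ... then success, permitted
    SecurityEvent(T0 + timedelta(minutes=3), 4624, "svc.backup", 10, "10.0.0.9"),    # success by non-RDP account
    SecurityEvent(T0 + timedelta(minutes=4), 4625, "intern.sam", 10, "10.0.0.22"),   # standard user failure
    SecurityEvent(T0 + timedelta(minutes=5), 4778, "helpdesk.bob"),                  # session reconnect
    SecurityEvent(T0 + timedelta(minutes=6), 4624, "helpdesk.bob", 3, "10.0.0.5"),   # network logon, not RDP
]

if __name__ == "__main__":
    for priority, ev in prioritise(SAMPLE_EVENTS):
        print(f"{priority:6} {ev.event_id} {ev.user} {ev.source_ip or '-'}")
```

Run as a script it prints four alerts: two high (the unrecovered admin failure and the success by `svc.backup`), one medium (`intern.sam`), one low (the 4778 reconnect). The Logon Type 3 event is ignored because the ADS scopes the 4624/4625 rules to Logon Type 10, and the recovered `helpdesk.bob` failure is suppressed because a valid login follows it inside the window.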

Response

Validate that the user is authorised to log in via Remote Desktop, and that they actually initiated the Remote Desktop login.

  • Check whether the user is supposed to be permitted to log in via Remote Desktop.
  • If the user is permitted to log in via Remote Desktop, check the time and location (IP address, client host) to verify that the login activity is normal.
    • This may require a historical record of the user's Remote Desktop login activity to establish a baseline for what constitutes normal activity.
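The time-and-location check against a historical baseline, as an added example that is not part of the original gist: a per-user baseline of source addresses and usual logon hours is built from a constructed history of past Logon Type 10 successes, and a new login is assessed against it. The history, account names, IP addresses and the one-hour tolerance around the observed hours are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed history of past successful RDP logons (event 4624, Logon Type 10):
# (TargetUserName, IpAddress, TimeCreated). Not real data.
HISTORY: List[Tuple[str, str, datetime]] = [
    ("admin.jane", "10.0.0.5", datetime(2018, 10, 1, 9, 12)),
    ("admin.jane", "10.0.0.5", datetime(2018, 10, 2, 10, 3)),
    ("admin.jane", "10.0.0.6", datetime(2018, 10, 3, 14, 45)),
    ("admin.jane", "10.0.0.5", datetime(2018, 10, 4, 16, 20)),
    ("helpdesk.bob", "10.0.0.40", datetime(2018, 10, 1, 8, 5)),
    ("helpdesk.bob", "10.0.0.40", datetime(2018, 10, 2, 17, 30)),
]

HOUR_TOLERANCE = 1  # assumed slack either side of the observed hour range


class RdpBaseline:
    """Per-user record of where and when RDP logins normally come from."""

    def __init__(self, history: List[Tuple[str, str, datetime]]):
        self.sources: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)
        for user, ip, ts in history:
            self.sources[user].add(ip)
            self.hours[user].add(ts.hour)

    def assess(self, user: str, ip: str, ts: datetime) -> List[str]:
        """Return the reasons a login deviates from baseline; empty means normal."""
        if user not in self.sources:
            # Nothing to compare against: the analyst must establish normality by hand.
            return ["no baseline for user"]
        reasons: List[str] = []
        if ip not in self.sources[user]:
            reasons.append(f"new source {ip}")
        lo = max(0, min(self.hours[user]) - HOUR_TOLERANCE)
        hi = min(23, max(self.hours[user]) + HOUR_TOLERANCE)
        if not lo <= ts.hour <= hi:
            reasons.append(f"outside usual hours ({lo:02d}-{hi:02d})")
        return reasons


if __name__ == "__main__":
    baseline = RdpBaseline(HISTORY)
    # Constructed candidate logins to assess.
    checks = [
        ("admin.jane", "10.0.0.5", datetime(2018, 10, 12, 11, 0)),
        ("admin.jane", "203.0.113.7", datetime(2018, 10, 12, 23, 0)),
        ("svc.backup", "10.0.0.9", datetime(2018, 10, 12, 23, 3)),
    ]
    for user, ip, ts in checks:
        print(user, ip, ts.isoformat(), baseline.assess(user, ip, ts) or "normal")
```

The baseline is deliberately simple (a set of seen addresses and the span of observed hours); in practice the history window should be long enough to cover a user's normal variation, and the "new source" reason is usually the more reliable signal, since working hours drift while a user's set of client hosts tends to stay stable.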

Additional Resources

Deny log on through Remote Desktop Services
