Saturday, July 6, 2024

Queries for Investigation – Sophos News

Since investigators see so many RDP artifacts in the course of incident responses, they have naturally developed a few favorite tools for finding such activity. In this article, we look broadly at some of the options open to defenders. In the final parts of this series, we dive into a few of our favorites, working through some of the typical queries Sophos X-Ops investigators use and how to make them effective.

First, defenders should familiarize themselves with the 21-40 Local Session Login events query, which covers the usual IDs in the Terminal Services Local Session Manager operational event log showing connections, disconnects, reconnections, and similar actions. They should also know about the 1149 RDP Logins query, which looks in the Terminal Services Remote Connection Manager operational event log for event ID 1149 (as the name suggests) in order to spot successful RDP connections. One caveat: 1149 is written when the network connection (or, with NLA, the pre-session authentication) succeeds, not when a desktop session is actually created, so pair it with a Local Session Manager 21 or a Security-log 4624 before treating it as a completed logon.

Redundant? Perhaps, but for good reason. It may be that the attacker has cleared one of the event logs but not the other, making the discrepancy itself an interesting artifact. (Over the course of 2023, Sophos X-Ops' Incident Response team noted that logs had been cleared in about 32% of the cases they handled.) Or it may be that there was an error in actually logging the event for whatever reason, and one event log has it while the other does not. Since both logs exist, querying both is not wasted effort.

The query called RDP Logins from External IPs is likewise useful for spotting inappropriate activity. The name makes it clear what the query does: it looks for RDP connections from external IP addresses, checking both of the event logs just mentioned. (This query will not turn up connections that come in through a VPN, because those connections are assigned addresses from the VPN IP pool; hunt for those separately.)
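The two-log cross-check and the external-address filter described above, as an added example rather than the Sophos queries themselves (those run in osquery against the live event logs): Python over a handful of constructed Local Session Manager and Remote Connection Manager records. The record field names, the list of internal address ranges, and the "seen in only one log" rule are this example's own assumptions, not part of the original post.

```python
"""Cross-checking RDP connection artifacts between the two Terminal Services logs.

Added example for this article; it is not code from the original post or from
the SophosRapidResponse/OSQuery repository. The event records below are
constructed by hand in a simplified shape; the field names (log, event_id, user,
source_ip) are this example's own, not the real EVTX field names.
"""
import ipaddress
from collections import defaultdict

LSM_LOG = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RCM_LOG = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# LSM events that mean a remote session was (re)established; 22/23/24 are
# shell-start, logoff and disconnect and are not used as connection markers.
LSM_CONNECT_EVENTS = {21, 25}
RCM_AUTH_EVENT = 1149

# What counts as "internal" is a policy decision (assumed ranges). The VPN pool
# belongs in this list too; otherwise VPN users show up as external, and
# attackers who came in over the VPN are not caught by this check at all.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_external(source):
    """True for a parseable IP address outside INTERNAL_NETS.

    Non-IP source fields ("LOCAL" for console sessions, "-" when unknown)
    are never treated as external.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def rdp_sources(events):
    """Map each (user, source_ip) pair to the set of logs that recorded it.

    Only network sources are collected: console sessions (LSM address LOCAL)
    have no RCM 1149 counterpart, so including them would produce false
    discrepancies.
    """
    seen = defaultdict(set)
    for ev in events:
        try:
            ipaddress.ip_address(ev["source_ip"])
        except ValueError:
            continue
        pair = (ev["user"].lower(), ev["source_ip"])
        if ev["log"] == RCM_LOG and ev["event_id"] == RCM_AUTH_EVENT:
            seen[pair].add("RCM")
        elif ev["log"] == LSM_LOG and ev["event_id"] in LSM_CONNECT_EVENTS:
            seen[pair].add("LSM")
    return seen


def external_rdp_sources(events):
    """(user, ip) pairs that connected over RDP from an external address, either log."""
    return sorted(pair for pair in rdp_sources(events) if is_external(pair[1]))


def log_discrepancies(events):
    """(user, ip) pairs recorded by only one of the two logs, plus which log has it."""
    return sorted(
        (pair, next(iter(logs)))
        for pair, logs in rdp_sources(events).items()
        if len(logs) == 1
    )


# Constructed sample: two matched sessions, one RCM-only record, one console logon.
SAMPLE_TS_EVENTS = [
    {"log": RCM_LOG, "event_id": 1149, "user": "CORP\\jsmith", "source_ip": "10.20.30.40"},
    {"log": LSM_LOG, "event_id": 21, "user": "CORP\\jsmith", "source_ip": "10.20.30.40"},
    {"log": RCM_LOG, "event_id": 1149, "user": "CORP\\svc-backup", "source_ip": "203.0.113.77"},
    {"log": LSM_LOG, "event_id": 21, "user": "CORP\\svc-backup", "source_ip": "203.0.113.77"},
    {"log": LSM_LOG, "event_id": 24, "user": "CORP\\svc-backup", "source_ip": "203.0.113.77"},
    {"log": RCM_LOG, "event_id": 1149, "user": "CORP\\admin", "source_ip": "198.51.100.9"},
    {"log": LSM_LOG, "event_id": 21, "user": "CORP\\admin", "source_ip": "LOCAL"},
]

if __name__ == "__main__":
    for pair in external_rdp_sources(SAMPLE_TS_EVENTS):
        print("external RDP source:", pair)
    for pair, only_in in log_discrepancies(SAMPLE_TS_EVENTS):
        print("seen only in", only_in + ":", pair)
```

On the sample, the svc-backup session from 203.0.113.77 is matched in both logs and flagged only as external, while the admin connection from 198.51.100.9 has a 1149 but no 21, which is exactly the kind of gap worth asking about: a cleared Local Session Manager log, a connection that never became a session, or a logging failure.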

A less commonly used query with great utility for defenders is 4624_4625 Login Events. This one looks in the Security event log for, as one would expect from the name, 4624 events (indicating a successful logon) or 4625 events (indicating a failed logon). These queries are most useful when looking for network-based logons; in the logs, that is logon type 3. An RDP or Terminal Services (RemoteInteractive) logon, on the other hand, is logon type 10.

When we are looking for possible RDP lateral movement, this query can help us identify failed logins when Network Level Authentication is enabled. With RDP, if you fail to log in and Network Level Authentication (NLA) is enabled, you will see a 4625: a failed logon with logon type 3, not type 10.

The following osquery statement is also useful when searching for devices that do not have NLA enabled (for ease of copying and pasting, we also put a copy of this and other useful queries on our GitHub):
 
SELECT
  path,
  name,
  data,
  strftime('%Y-%m-%dT%H:%M:%SZ', datetime(mtime, 'unixepoch')) AS last_modified_time
FROM registry
WHERE
  key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
  AND name = 'SecurityLayer'
  AND data = 0;

Using the 4624_4625 query in this fashion may be a little confusing, because a type 3 logon is network-based, the kind usually associated with something like SMB, rather than an event that obviously shows lateral movement via RDP. However, if NLA is enabled, the log shows the failure of the attempt: an RDP connection was attempted but did not succeed (4625). A failed RDP login where NLA is enabled shows up as logon type 3 because the client authenticates across the network before the RDP session is established.
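The 4624/4625 logon-type reasoning above, as an added example rather than the article's own query: Python that parses constructed Security-log records (in the Windows event XML shape, trimmed to a few EventData fields) and labels them the way the paragraphs above describe, then looks for a source that produced a run of type-3 failures followed by a type-10 success. The failure threshold and that "failures then success" heuristic are this example's own choices, not something the post prescribes.

```python
"""Sorting Security-log 4624/4625 events by logon type to spot NLA-era RDP attempts.

Added example for this article; not code from the original post or from the
SophosRapidResponse/OSQuery repository. The records are constructed here in the
Windows event XML shape, trimmed to the few EventData fields the logic needs.
The failure threshold and the "failures followed by a type-10 success" rule are
this example's own heuristics.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_event_xml(event_id, when, user, logon_type, ip):
    """Return one constructed Security-log record as Windows event XML."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System>"
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{when}"/>'
        "<Channel>Security</Channel>"
        "</System>"
        "<EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData>"
        "</Event>"
    )


def parse_logon_event(xml_text):
    """Pull the fields we care about out of a 4624/4625 record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName", ""),
        "logon_type": int(data.get("LogonType") or 0),
        "ip": data.get("IpAddress", "-"),
    }


def classify(ev):
    """Label an event using the combinations the article describes."""
    eid, ltype = ev["event_id"], ev["logon_type"]
    if eid == 4624 and ltype == 10:
        return "rdp_success"        # RemoteInteractive: an RDP session was established
    if eid == 4624 and ltype == 3:
        return "network_success"    # ordinary network logon, e.g. SMB
    if eid == 4625 and ltype == 3:
        return "network_failure"    # with NLA on, a failed RDP attempt lands here
    if eid == 4625:
        return "other_failure"
    return "other"


def summarize_by_source(events):
    """Count each label per source IP."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["ip"]][classify(ev)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def suspicious_sources(events, failure_threshold=5):
    """Sources with at least failure_threshold type-3 failures.

    success_after is True when the same source later produced a 4624 type 10,
    i.e. a run of NLA failures ended in an RDP session: worth a closer look.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if classify(e) == "network_failure"]
        if len(failures) < failure_threshold:
            continue
        last_failure = failures[-1]["time"]
        findings.append({
            "ip": ip,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after": any(
                classify(e) == "rdp_success" and e["time"] > last_failure for e in evs
            ),
        })
    return findings


# Constructed sample: five NLA-style failures then a type-10 success from one
# host, a routine SMB-style network logon, and a single failure elsewhere.
SAMPLE_XML = [
    build_event_xml(4625, "2024-03-01T02:00:01Z", "jsmith", 3, "10.0.5.23"),
    build_event_xml(4625, "2024-03-01T02:00:04Z", "jsmith", 3, "10.0.5.23"),
    build_event_xml(4625, "2024-03-01T02:00:07Z", "jsmith", 3, "10.0.5.23"),
    build_event_xml(4625, "2024-03-01T02:00:10Z", "jsmith", 3, "10.0.5.23"),
    build_event_xml(4625, "2024-03-01T02:00:13Z", "jsmith", 3, "10.0.5.23"),
    build_event_xml(4624, "2024-03-01T02:00:40Z", "jsmith", 10, "10.0.5.23"),
    build_event_xml(4624, "2024-03-01T08:15:00Z", "FILESRV$", 3, "10.0.0.2"),
    build_event_xml(4625, "2024-03-01T09:00:00Z", "admin", 3, "10.0.9.9"),
]
SAMPLE_SECURITY_EVENTS = [parse_logon_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    for ip, counts in summarize_by_source(SAMPLE_SECURITY_EVENTS).items():
        print(ip, counts)
    for finding in suspicious_sources(SAMPLE_SECURITY_EVENTS):
        print("suspicious:", finding)
```

The type-3 failures on their own are ambiguous, as the paragraph above says: they could be SMB, WinRM, or anything else that authenticates over the network. What makes 10.0.5.23 interesting is the sequence, a burst of type-3 failures closed by a type-10 success, which is how a guessed or sprayed credential through an NLA-enabled listener looks in the Security log.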

Seeing failed login events such as these can alert you to attempts on your network. It can also alert you to misconfigurations in your environment. Investigators often look for misconfigurations as they respond to incidents; in particular, disabled NLA, along with the DisableRestrictedAdmin setting for Restricted Admin Mode, is a dangerous (and common) misconfiguration, because it removes several layers of potential protection. Defenders can therefore usefully query the registry for the specific key and value that indicate NLA is disabled, perhaps finding and fixing the error before trouble comes through the door.
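An added example of the registry check, not code from the post or from the Sophos repository. Besides SecurityLayer, which the osquery statement above tests, the RDP-Tcp value that directly controls whether NLA is required is UserAuthentication (1 = required, 0 = not required), so a hardening check should read both; DisableRestrictedAdmin lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and is reported here for context only, without a verdict. The live read uses Python's standard winreg module and only works on a Windows host; the two sample snapshots and the assessment rules are this example's own.

```python
"""Assessing the RDP-Tcp listener values that decide whether NLA is in force.

Added example for this article; not code from the original post or from the
SophosRapidResponse/OSQuery repository. The registry paths and value names are
the documented Windows ones; the assessment rules and the two sample snapshots
are this example's own. read_live_settings() only works on a Windows host.
"""
import sys

RDP_TCP_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"


def read_live_settings():
    """Read the three values from HKLM on the local machine (Windows only)."""
    import winreg  # stdlib on Windows; absent on other platforms
    wanted = (
        (RDP_TCP_KEY, ("SecurityLayer", "UserAuthentication")),
        (LSA_KEY, ("DisableRestrictedAdmin",)),
    )
    settings = {}
    for key_path, names in wanted:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for name in names:
                try:
                    settings[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    settings[name] = None  # value not present
    return settings


def assess(settings):
    """Return {"weak": [...], "info": [...]} for one snapshot of the values."""
    weak, info = [], []
    security_layer = settings.get("SecurityLayer")
    user_auth = settings.get("UserAuthentication")
    restricted = settings.get("DisableRestrictedAdmin")

    # SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS.
    # NLA rides on CredSSP, which needs TLS, so 0 rules NLA out whatever
    # UserAuthentication says. This is the value the article's osquery
    # statement checks.
    if security_layer == 0:
        weak.append("SecurityLayer=0: legacy RDP security layer, NLA cannot be used on this listener")

    # UserAuthentication is the value the NLA checkbox actually toggles:
    # 1 = NLA required, 0 = logon screen is served before any authentication.
    if user_auth == 0:
        weak.append("UserAuthentication=0: NLA not required")
    elif user_auth is None:
        info.append("UserAuthentication not present: cannot confirm NLA is required")

    # Restricted Admin mode: 0 = enabled, non-zero = disabled. Reported for
    # context; whether it should be on is a policy call for the environment.
    if restricted is not None:
        state = "disabled" if restricted else "enabled"
        info.append(f"DisableRestrictedAdmin={restricted}: Restricted Admin mode {state}")
    return {"weak": weak, "info": info}


# Constructed snapshots: the weak listener the article warns about, and one
# that requires TLS and NLA (DisableRestrictedAdmin left at its default).
WEAK_SAMPLE = {"SecurityLayer": 0, "UserAuthentication": 0, "DisableRestrictedAdmin": 1}
HARDENED_SAMPLE = {"SecurityLayer": 2, "UserAuthentication": 1}

if __name__ == "__main__":
    snapshots = {"weak-sample": WEAK_SAMPLE, "hardened-sample": HARDENED_SAMPLE}
    if sys.platform == "win32":
        snapshots["this-host"] = read_live_settings()
    for label, snap in snapshots.items():
        result = assess(snap)
        print(label, "->", result["weak"] or "no NLA-related weaknesses", result["info"])
```

On a fleet, the same two RDP-Tcp values can be pulled with the osquery statement above by dropping the `AND data = 0` clause and matching `name IN ('SecurityLayer', 'UserAuthentication')`; the point of reading UserAuthentication as well is that a listener can be on TLS (SecurityLayer=2) and still not require NLA.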

Remote Desktop Protocol: The Series

Part 1: Remote Desktop Protocol: Introduction (post, video)
Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (post, video)
Part 3: RDP: Queries for Investigation ([you are here], video)
Part 4: RDP Time Zone Bias (post, video)
Part 5: Executing the External RDP Query (post, video)
Part 6: Executing the 4624_4625 Login Query (post, video)
GitHub query repository: SophosRapidResponse/OSQuery
Transcript repository: sophoslabs/video-transcripts
YouTube playlist: Remote Desktop Protocol: The Series
