Since investigators see so many RDP artifacts in the course of incident responses, they have naturally developed a few favorite tools for hunting that activity. In this article we look broadly at some of the options open to defenders. In the remaining parts of this series we dive into a few of our favorites, working through some of the typical queries Sophos X-Ops investigators use and what makes them effective.
First, defenders should familiarize themselves with the 21 through 40 Local Session Login events, which cover the usual IDs in the Terminal Services Local Session Manager operational event log: 21 (session logon succeeded), 22 (shell start), 23 (logoff), 24 (disconnect), 25 (reconnect) and 39/40 (disconnects with a source session or reason code). They should also know the 1149 RDP Logins query, which looks in the Terminal Services Remote Connection Manager operational event log for event ID 1149 (as the name suggests) in order to spot successful RDP connections. One caveat: 1149 records that a remote client reached the listener and, when NLA is enforced, that the user authenticated at the network level. When NLA is off it is written before any credential is checked, so pair it with a 21 or 25 (or a Security log 4624 with logon type 10) before treating it as proof of an established session.
Redundant? Perhaps, but for good reason. The attacker may have cleared one of the event logs but not the other, making the discrepancy itself an interesting artifact. (Over the course of 2023, the Sophos X-Ops Incident Response team noted that logs had been cleared in about 32% of the cases they handled.) Or an event may simply have failed to be written for whatever reason, so one log has it and the other does not. Since both logs exist, querying both is not wasted effort.
The query called RDP Logins from External IPs is likewise useful for spotting inappropriate activity. The name makes clear what it does: it looks for RDP connections from external IP addresses, checking both of the event logs just mentioned. (This query will not turn up connections that arrive over a VPN, because those connections are assigned addresses from the VPN IP pool and therefore look internal. "External" also depends on knowing your own address ranges; anything outside the RFC 1918 space is the usual starting definition.)
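As an added example (this is not code from the Sophos post or its GitHub repository), the PowerShell below pulls the records the 1149 and 21-40 queries rely on from both Terminal Services logs, normalizes them into one shape, filters to non-private source addresses, and finally shows which log saw each source, which is the cross-log check the previous paragraph recommends. The function names `Get-RdpConnectionEvents` and `Test-InternalAddress`, the 30-day window and the choice of RFC 1918/loopback/link-local as "internal" are this example's own; the log names, event IDs and XML field names (Param1-3 for 1149; User, SessionID, Address for 21-25) are the standard Windows ones.

```powershell
# Added example, not from the Sophos post. Run from an elevated PowerShell session.

function Test-InternalAddress {
    param([string]$Address)
    # Local Session Manager writes 'LOCAL' for console sessions; treat that and blanks as internal.
    if ([string]::IsNullOrWhiteSpace($Address) -or $Address -in 'LOCAL', '-') { return $true }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        # IPv6: loopback, link-local (fe80::/10) and unique-local (fc00::/7) count as internal.
        $b6 = $ip.GetAddressBytes()
        return [System.Net.IPAddress]::IsLoopback($ip) -or $ip.IsIPv6LinkLocal -or (($b6[0] -band 0xfe) -eq 0xfc)
    }
    $b = $ip.GetAddressBytes()
    # IPv4: RFC 1918, loopback and link-local ranges (assumption: nothing else is "internal" here).
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-RdpConnectionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $results = New-Object System.Collections.Generic.List[object]

    # Remote Connection Manager, event 1149: Param1 = user, Param2 = domain, Param3 = source address.
    # With NLA off this fires before any credential is checked, so it is not proof of a session.
    $rcmLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $rcmLog; Id = 1149; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = ([xml]$_.ToXml()).Event.UserData.EventXML
            $results.Add([pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = 'RemoteConnectionManager'
                EventId  = $_.Id
                User     = "$($p.Param2)\$($p.Param1)"
                SourceIp = $p.Param3
            })
        }

    # Local Session Manager: 21 logon, 22 shell start, 24 disconnect, 25 reconnect.
    # These carry <User>, <SessionID> and <Address>; 23 (logoff) has no address and is skipped.
    $lsmLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $lsmLog; Id = 21, 22, 24, 25; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = ([xml]$_.ToXml()).Event.UserData.EventXML
            $results.Add([pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = 'LocalSessionManager'
                EventId  = $_.Id
                User     = $p.User
                SourceIp = $p.Address
            })
        }
    return $results
}

$events = Get-RdpConnectionEvents

# External sources only: the same idea as the "RDP Logins from External IPs" query.
$events | Where-Object { -not (Test-InternalAddress $_.SourceIp) } |
    Sort-Object Time | Format-Table Time, Log, EventId, User, SourceIp -AutoSize

# Redundancy check: a source present in one log but absent from the other deserves a second look.
$events | Group-Object SourceIp | ForEach-Object {
    [pscustomobject]@{
        SourceIp = $_.Name
        Logs     = ($_.Group.Log | Sort-Object -Unique) -join ','
        Events   = $_.Count
    }
} | Format-Table -AutoSize
```

Both `Get-WinEvent` calls use `-ErrorAction SilentlyContinue` because the cmdlet raises a non-terminating error when a log holds no matching events, which is normal on a quiet host and should not abort the sweep.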
A less commonly used query with great utility for defenders is 4624_4625 Login Events. This one looks in the Security event log for, as the name suggests, 4624 events (a successful logon) and 4625 events (a failed logon). These queries are most useful when looking for network-based logons, which appear in the logs as logon type 3. An RDP or Terminal Services (RemoteInteractive) logon, on the other hand, is logon type 10. Note that reconnecting to an existing, disconnected session is recorded as a 4624 with logon type 7 (Unlock) rather than 10, so a hunt that keys only on type 10 will miss reconnects.
When we are looking for possible RDP lateral movement, this query helps us identify failed logins on hosts where Network Level Authentication is enabled. With RDP, if you fail to log in and Network Level Authentication (NLA) is enabled, you will see a 4625, that is, a failed logon, with logon type 3.
The following osquery query is useful when looking for devices that do not have NLA enforced. It reads the RDP-Tcp listener settings from the registry table. UserAuthentication is the value that actually turns NLA on (1) or off (0); SecurityLayer = 0 selects the legacy RDP security layer, under which NLA cannot be used at all, so the query reports either condition. (For ease of copying and pasting, we also keep a copy of this and the other useful queries on our GitHub.)
```sql
SELECT
  path,
  name,
  data,
  strftime('%Y-%m-%dT%H:%M:%SZ', datetime(mtime, 'unixepoch')) AS last_modified_time
FROM registry
WHERE
  key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
  AND (
    (name = 'UserAuthentication' AND data = '0')   -- NLA switched off
    OR (name = 'SecurityLayer' AND data = '0')     -- legacy RDP security layer: NLA impossible
  )
```
Using the 4624_4625 query in this way may be a little confusing, because a type 3 logon is network-based, the kind typically associated with something like SMB, rather than an event that obviously shows lateral movement via RDP. However, when NLA is enabled the credentials are validated over the network (via CredSSP) before any session is created, so an RDP attempt that is rejected at that stage is recorded as a 4625 with logon type 3. Only after NLA succeeds does Windows go on to build the session and record the type 10 logon. The logon type alone therefore cannot tell an NLA failure from an SMB failure; the source address, target account and timing relative to RDP events in the Terminal Services logs are what separate them.
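To make the logon-type reasoning above concrete, here is an added example (not code from the Sophos post; the query it mirrors is written for osquery) that pulls 4624 and 4625 events from the Security log, keeps logon types 3 and 10, and labels each combination the way the preceding paragraphs describe. The function name `Get-RdpLogonEvents`, the seven-day default and the wording of the `Meaning` column are this example's own; event IDs, field names and the SubStatus codes are the documented Security log ones. It needs an elevated session, since the Security log is not readable from a standard user context.

```powershell
# Added example, not from the Sophos post. Run elevated.

function Get-RdpLogonEvents {
    param([int]$Days = 7)

    # timediff() is evaluated inside the event log service, so only recent events cross the wire.
    $ms = [int64]$Days * 86400000
    $xpath = "*[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten <Data Name="...">value</Data> into a hashtable keyed by field name.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $type = [int]$d['LogonType']
        # Only the two types the text discusses. Type 7 (unlock/reconnect) is also RDP-related
        # but is left out here to keep the classification table small.
        if ($type -notin 3, 10) { return }

        $meaning = switch ("$($_.Id)/$type") {
            '4624/10' { 'RDP interactive logon succeeded (session created)' }
            '4625/10' { 'RDP interactive logon failed at the session logon screen (typical when NLA is off)' }
            '4624/3'  { 'Network logon succeeded (SMB, NLA pre-authentication, and similar)' }
            '4625/3'  { 'Network logon failed (an RDP attempt under NLA fails here; SMB looks the same by type)' }
        }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            LogonType   = $type
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            AuthPackage = $d['AuthenticationPackageName']
            SubStatus   = $d['SubStatus']   # 4625 only: 0xC000006A bad password, 0xC0000064 unknown user
            Meaning     = $meaning
        }
    }
}

# Failures grouped by source and logon type: a tall pile of 4625/3 from one address
# against many accounts is the shape of password spraying against an NLA-enabled listener.
Get-RdpLogonEvents -Days 7 |
    Where-Object { $_.EventId -eq 4625 } |
    Group-Object SourceIp, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

When checking a specific suspect, filter the output by `SourceIp` and sort by `Time`: under NLA a successful RDP logon usually appears as a 4624 type 3 immediately followed by a 4624 type 10 for the same account and address, and a run of 4625 type 3 entries with no type 10 afterwards is an attempt that never got past network-level authentication.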
Seeing failed logon events such as these can alert you to attempts against your network. They can also alert you to misconfigurations in your environment. Investigators routinely look for misconfigurations as they respond to incidents. In particular, NLA disabled (UserAuthentication set to 0 on the RDP-Tcp listener), combined with Restricted Admin mode enabled through the DisableRestrictedAdmin value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (a value of 0 enables the mode, which lets a client authenticate to RDP with an NTLM hash alone), is a dangerous and common misconfiguration, because it removes several layers of potential protection. Defenders can therefore usefully query the registry for the specific keys and values that show NLA is disabled, and fix the error before trouble comes through the door.
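As an added example (this is not code from the Sophos post), the PowerShell below audits the registry values behind the misconfigurations just described and, with `-Remediate`, switches NLA and TLS back on for the listener. The function name `Get-RdpConfigFindings`, the `-Remediate` switch and the wording of the findings are this example's own; the key paths, value names and their meanings are the documented Terminal Server and LSA ones. Run it elevated.

```powershell
# Added example, not from the Sophos post. Run elevated.

function Get-RdpConfigFindings {
    param([switch]$Remediate)

    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$ts\WinStations\RDP-Tcp"
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = New-Object System.Collections.Generic.List[string]

    $tsProps  = Get-ItemProperty -Path $ts     -ErrorAction Stop
    $listener = Get-ItemProperty -Path $rdpTcp -ErrorAction Stop
    $lsaProps = Get-ItemProperty -Path $lsa    -ErrorAction Stop

    # fDenyTSConnections: 1 = RDP disabled, 0 = listener accepting connections.
    if ($tsProps.fDenyTSConnections -eq 0) {
        $findings.Add('RDP listener enabled (fDenyTSConnections = 0); the checks below apply')
    }

    # UserAuthentication: 1 = NLA required before a session is built, 0 (or missing) = NLA off.
    if ($listener.UserAuthentication -ne 1) {
        $findings.Add("NLA not required (UserAuthentication = '$($listener.UserAuthentication)')")
    }

    # SecurityLayer: 0 = legacy RDP security layer (rules out NLA), 1 = Negotiate, 2 = TLS only.
    if ($listener.SecurityLayer -eq 0) {
        $findings.Add('Legacy RDP security layer selected (SecurityLayer = 0)')
    }

    # DisableRestrictedAdmin: 0 = Restricted Admin mode enabled, so a client can authenticate
    # to RDP with an NTLM hash alone (pass-the-hash); absent or 1 = mode disabled.
    $dra = $lsaProps.PSObject.Properties['DisableRestrictedAdmin']
    if ($dra -and $dra.Value -eq 0) {
        $findings.Add('Restricted Admin mode enabled (DisableRestrictedAdmin = 0)')
    }

    if ($Remediate) {
        # Applies to new connections; existing sessions are not affected.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
        $findings.Add('Remediated: UserAuthentication = 1, SecurityLayer = 2')
    }

    return $findings
}

Get-RdpConfigFindings
```

The audit deliberately reports Restricted Admin mode without changing it: whether that mode is wanted is a policy decision (it keeps credentials off the remote host at the cost of accepting hash-only authentication), whereas re-enabling NLA and TLS on the listener is safe to apply unconditionally.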
Remote Desktop Protocol: The Series
Part 1: Remote Desktop Protocol: Introduction (post, video)
Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (post, video)
Part 3: RDP: Queries for Investigation ([you are here], video)
Part 4: RDP Time Zone Bias (post, video)
Part 5: Executing the External RDP Query (post, video)
Part 6: Executing the 4624_4625 Login Query (post, video)
GitHub query repository: SophosRapidResponse/OSQuery
Transcript repository: sophoslabs/video-transcripts
YouTube playlist: Remote Desktop Protocol: The Series