The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.
In this Security Spotlight, we’ll be talking about Remote Desktop Protocol and how attackers use it to breach vulnerable networks (MITRE ATT&CK® Technique T1563).
What is Remote Desktop Protocol Hijacking?
Remote Desktop Protocol (RDP) is a secure communications protocol developed by Microsoft that allows users to interact with a desktop computer remotely. While various protocols exist for remote desktop software, RDP stands out as the most ubiquitous.
RDP session hijacking occurs when an adversary steals a legitimate user’s remote session. Typically, users are notified of such attempts. However, if an attacker possesses SYSTEM-level permissions, they can hijack a session without needing credentials or prompting the user. This can be done either remotely or locally, and to make matters worse, the user’s session doesn’t need to be active to be susceptible to this vulnerability.
Why You Need To Look Out For RDP Hijacking
This issue is exacerbated by attackers using techniques to conceal their malicious intent within legitimate traffic. A common example of this is the utilization of multiple RDP sessions on a single machine, providing them with persistence, lateral movement, and potential privilege escalation within a compromised network. All the while, they mask their malicious access within the normal traffic of legitimate RDP sessions.
Attackers achieve this by modifying the Windows Registry settings associated with Terminal Services and disabling the single-session-per-user limit. Once this modification is made, and if left unmonitored, distinguishing between the legitimate user session and the adversary’s activity becomes exceedingly difficult.
RDP has been an official feature of the Windows Operating System since 1998. Despite its vulnerabilities being consistently identified and patched, its value and capability it provides individuals indicate it will not be going anywhere for the foreseeable future.
Sadly, it isn’t uncommon to encounter compromised RDP servers offered on dark web forums, promoted as “staging grounds” from which attackers can conduct a myriad of potentially malicious actions.
How Can LogRhythm Help You?
Given the business-critical nature of RDP for many organizations, security teams should first review the mitigations suggested by MITRE ATT&CK® that ideally will establish an initial layer of protection against potential exploitation. Simple measures like limiting access to specific IP addresses or disabling RDP when not explicitly in use can create significant barriers to entry for attackers, potentially leading them to abandon their attempts in favor of alternative, “simpler” avenues.
However, when monitoring for the implementation of multiple RDP sessions, attackers can execute a number of specific commands that bypass the single-session limitation within the Microsoft Registry.
The rules implemented here apply to both LogRhythm SIEM and LogRhythm Axon. They are designed to specifically detect these commands as an early warning system for machines that are vulnerable to this particular type of misuse. Such alerts may occasionally flag up ignorant users instead of malicious ones. However, it is crucial to recognize that a machine is vulnerable and mitigate that risk, irrespective of the intent behind the commands.
For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.
For other Security Spotlight episodes, you can access the full playlist here.