Remote Desktop Protocol Misuse – Security Spotlight

Enable RDP Locally - Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about Remote Desktop Protocol and monitoring its access and status within a network (MITRE ATT&CK® Technique T1021.001).

What is Remote Desktop Protocol?

Remote Desktop Protocol (RDP) is a secure communications protocol developed by Microsoft that allows users to remotely interact with a desktop computer. There exists a myriad of protocols that can be used by remote desktop software, but RDP stands out as the most ubiquitous.

While enabling RDP through the command line is a common task for system administrators, it’s imperative to consider the context. When an unfamiliar or unauthorized user endeavours to enable RDP, especially in an environment where its use is uncommon or on a system where it’s usually disabled, it could raise concerns about suspicious activities.

This could signify an attacker’s attempt to establish a means of remote system access.

Why You Need to Monitor for the Misuse of RDP

Adversaries can potentially attain extensive access to remote systems if RDP services are enabled and accessible to accounts with known credentials. These credentials are frequently obtained by adversaries through advanced Credential Access techniques, stressing the importance of robust password management and user authentication protocols.

To make matters worse, adversaries can employ RDP with Accessibility Features or Terminal Services DLL to maintain continued access to the system. This persistence poses a challenge for security measures by making it difficult to detect and eliminate the threat, emphasizing the necessity for continuous monitoring and timely system updates.

These issues that plague RDP aren’t a new phenomenon. RDP has been an official feature of the Windows Operating System since 1998, and despite vulnerabilities popping up and getting patched consistently, its inherent value to users ensures that it’s certainly not going anywhere for the foreseeable future.

Sadly, it’s not unusual to encounter compromised RDP servers being sold on dark web forums, marketed as “staging grounds” from which attackers can conduct a wide span of potentially malicious activities.

How Can LogRhythm Help You?

Given RDP’s business-critical nature to many organizations, security teams should first review the mitigation strategies recommended by MITRE ATT&CK®. These strategies include network segmentation, robust patch management, and regular audit of RDP logging. Ideally, these strategies will provide a layer of initial protection against potential exploitation.

For additional protection, we can implement a rule to monitor the status and changes made to RDP access on networked systems. Any alterations to the RDP registry key are logged, and immediate alerts will be generated in the event of any unexpected or unauthorized actions.

The rule is specifically designed to detect two primary command-line actions: Enabling RDP and Querying the RDP status. However, there does exist the issue that both of these commands are commonly used by administrators. Thankfully, by implementing a quick exclusion list that allows administrators to perform these actions without triggering alerts, you will be equipped with the necessary visibility without being overwhelmed by an avalanche of alerts.

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.