Threat Feed
low advisory

High Variance in RDP Session Duration Detected via Machine Learning

A machine learning job has detected unusually high variance of RDP session duration, potentially indicating lateral movement and session persistence by threat actors.

This threat brief addresses the detection of high variance in Remote Desktop Protocol (RDP) session durations using machine learning. The detection, implemented in Elastic Security’s Lateral Movement Detection integration, aims to identify anomalous RDP usage patterns that may indicate malicious activity. Adversaries might establish long RDP sessions to maintain persistence and move laterally within a network. The prebuilt Elastic ML job “lmd_high_var_rdp_session_duration_ea” analyzes RDP session data to identify unusual deviations in session lengths, which could signify unauthorized access or malicious exploitation of compromised systems. The rule is triggered when the anomaly score exceeds a threshold of 70. Defenders should investigate any alerts generated by this rule to determine if the RDP sessions are legitimate or indicative of malicious activity.
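To make the statistic behind the rule concrete, the following is an added Python illustration (not Elastic's ML job and not code from the brief) that pairs Windows logon and logoff events into RDP session durations and flags hosts whose duration variance is far above that of their peers. The event IDs, the logon-type filter, the host names, logon ids and timestamps are constructed, and the ratio-to-median score is a stand-in of this example's own, not the anomaly score the Elastic job produces (threshold 70 in the rule).

```python
"""
Session-duration variance check over constructed Windows Security events.
Added illustration only: not Elastic's lmd_high_var_rdp_session_duration_ea
job; the ratio-to-median score is a stand-in for the job's anomaly score.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pvariance

LOGON_EVENT = 4624       # An account was successfully logged on
LOGOFF_EVENT = 4634      # An account was logged off
RDP_LOGON_TYPE = 10      # Logon type 10 = RemoteInteractive (RDP)

# Constructed sample events, not real telemetry:
# (timestamp, event_id, host, logon_id, logon_type or None for logoffs)
SAMPLE_EVENTS = [
    # ws-01: four RDP sessions of 28, 30, 32 and 30 minutes
    ("2024-05-01T08:00:00", 4624, "ws-01", "0x1a", 10),
    ("2024-05-01T08:28:00", 4634, "ws-01", "0x1a", None),
    ("2024-05-01T09:00:00", 4624, "ws-01", "0x1b", 10),
    ("2024-05-01T09:30:00", 4634, "ws-01", "0x1b", None),
    ("2024-05-01T10:00:00", 4624, "ws-01", "0x1c", 10),
    ("2024-05-01T10:32:00", 4634, "ws-01", "0x1c", None),
    ("2024-05-01T11:00:00", 4624, "ws-01", "0x1d", 10),
    ("2024-05-01T11:30:00", 4634, "ws-01", "0x1d", None),
    # ws-01: a console logon (type 2) whose logoff must be ignored
    ("2024-05-01T08:05:00", 4624, "ws-01", "0x1e", 2),
    ("2024-05-01T08:10:00", 4634, "ws-01", "0x1e", None),
    # ws-02: four RDP sessions of 30, 30, 30 and 34 minutes
    ("2024-05-01T08:00:00", 4624, "ws-02", "0x2a", 10),
    ("2024-05-01T08:30:00", 4634, "ws-02", "0x2a", None),
    ("2024-05-01T09:00:00", 4624, "ws-02", "0x2b", 10),
    ("2024-05-01T09:30:00", 4634, "ws-02", "0x2b", None),
    ("2024-05-01T10:00:00", 4624, "ws-02", "0x2c", 10),
    ("2024-05-01T10:30:00", 4634, "ws-02", "0x2c", None),
    ("2024-05-01T11:00:00", 4624, "ws-02", "0x2d", 10),
    ("2024-05-01T11:34:00", 4634, "ws-02", "0x2d", None),
    # srv-03: sessions of 5, 480, 2 and 600 minutes, i.e. very high variance
    ("2024-05-01T01:00:00", 4624, "srv-03", "0x3a", 10),
    ("2024-05-01T01:05:00", 4634, "srv-03", "0x3a", None),
    ("2024-05-01T02:00:00", 4624, "srv-03", "0x3b", 10),
    ("2024-05-01T10:00:00", 4634, "srv-03", "0x3b", None),
    ("2024-05-01T22:00:00", 4624, "srv-03", "0x3c", 10),
    ("2024-05-01T22:02:00", 4634, "srv-03", "0x3c", None),
    ("2024-05-02T00:00:00", 4624, "srv-03", "0x3d", 10),
    ("2024-05-02T10:00:00", 4634, "srv-03", "0x3d", None),
]


def rdp_session_durations(events):
    """Pair RDP logons (type 10) with their logoffs; return minutes per session, keyed by host."""
    open_sessions = {}                      # (host, logon_id) -> logon time
    durations = defaultdict(list)
    for ts, event_id, host, logon_id, logon_type in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (host, logon_id)
        if event_id == LOGON_EVENT and logon_type == RDP_LOGON_TYPE:
            open_sessions[key] = when
        elif event_id == LOGOFF_EVENT and key in open_sessions:
            # Logoffs without a recorded RDP logon (other logon types, or
            # sessions that began before the data window) are dropped.
            start = open_sessions.pop(key)
            durations[host].append((when - start).total_seconds() / 60)
    return dict(durations)


def score_hosts(durations_by_host, ratio_threshold=10.0):
    """Population variance per host, compared with the median variance across hosts."""
    variances = {h: pvariance(d) for h, d in durations_by_host.items() if d}
    baseline = median(variances.values())
    result = {}
    for host, var in variances.items():
        if baseline > 0:
            ratio = var / baseline
        else:
            ratio = float("inf") if var > 0 else 0.0   # peers are perfectly regular
        result[host] = {"variance": round(var, 2),
                        "ratio": round(ratio, 2),
                        "flagged": ratio >= ratio_threshold}
    return result


def flagged_hosts(events, ratio_threshold=10.0):
    """Sorted list of hosts whose session-duration variance is anomalous."""
    scores = score_hosts(rdp_session_durations(events), ratio_threshold)
    return sorted(h for h, s in scores.items() if s["flagged"])


if __name__ == "__main__":
    for host, s in score_hosts(rdp_session_durations(SAMPLE_EVENTS)).items():
        print(f"{host}: variance={s['variance']:.1f} min^2 "
              f"ratio={s['ratio']:.1f} flagged={s['flagged']}")
```

The median-of-peers baseline is deliberately simple: with a handful of hosts a single outlier moves the median, and a host with only one or two sessions has a near-zero variance that says little. The Elastic job instead models each entity's own history over time, which is why the rule's threshold and the tuning step in the Recommendation section matter in practice.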

Attack Chain

  1. Initial Access: An attacker gains initial access to a system via phishing or exploiting a vulnerability (not detailed in the source).
  2. RDP Enabled: The attacker enables RDP on the compromised host or utilizes existing RDP configurations.
  3. Credential Theft: The attacker steals credentials from the initially compromised system (not detailed in the source).
  4. Lateral Movement: Using the stolen credentials, the attacker establishes an RDP session to another host within the network.
  5. Session Persistence: The attacker maintains a long and variable RDP session to the target host, potentially evading detection mechanisms.
  6. Privilege Escalation: The attacker attempts to escalate privileges on the target host to gain further control (not detailed in the source).
  7. Data Exfiltration/Malware Deployment: The attacker uses the established RDP session to exfiltrate sensitive data or deploy malware to other systems (not detailed in the source).

Impact

Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and potential deployment of malware or ransomware. While the exact number of potential victims is unknown, organizations that heavily rely on RDP for remote access are particularly vulnerable. This can disrupt business operations, lead to data breaches, and cause significant financial losses. The low severity of this rule reflects its nature as an anomaly detection rather than a signature-based detection of confirmed malicious activity.

Recommendation

  • Ensure the host.ip field is populated for Elastic Defend events by following the helper guide.
  • Install the Lateral Movement Detection integration assets as described in the setup section of the rule.
  • Review and tune the anomaly threshold in the “High Variance in RDP Session Duration” rule in Elastic to minimize false positives based on your environment.
  • Investigate any alerts generated by the “High Variance in RDP Session Duration” rule by following the triage steps outlined in the rule’s note section.

Detection coverage (2 rules)

Detect RDP Session Connection via Uncommon Process

medium

Detects RDP session connection initiated from processes other than the standard RDP client (mstsc.exe).

Format: Sigma | Tactic: lateral_movement | Technique: T1021.001 | Sources: process_creation, windows

Detect Suspicious Network Connection to RDP Port

low

Detects network connections to the standard RDP port (3389) initiated by unusual processes.

Format: Sigma | Tactic: lateral_movement | Technique: T1021.001 | Sources: network_connection, windows
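Both rules above reduce to the same question: is something other than the standard client reaching the RDP port? The following added Python illustration (not the platform's Sigma rules and not code from the brief) runs that check over constructed network-connection records with Sysmon-style fields. The host names, users, paths, addresses, the expected client directories and the allow-list of known clients are assumptions of the example; mstsc.exe is the only client the brief names.

```python
"""
Uncommon-process RDP connection check over constructed network-connection
records (Sysmon event 3 style fields). Added illustration only; not the
Sigma rules the brief lists. Allow-list and expected directories are assumptions.
"""
import ntpath

RDP_PORT = 3389
# mstsc.exe is the standard client named in the brief; add approved
# management tools per environment (assumption, not from the brief).
KNOWN_RDP_CLIENTS = {"mstsc.exe"}
# Where the legitimate client binary lives (assumption); a file that merely
# carries a known name from elsewhere should still be flagged.
EXPECTED_CLIENT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records, not real telemetry
SAMPLE_CONNECTIONS = [
    {"host": "ws-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\mstsc.exe",
     "dst_ip": "10.0.0.5", "dst_port": 3389},                  # expected client
    {"host": "ws-02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.0.5", "dst_port": 3389},                  # uncommon process
    {"host": "ws-02", "user": "CORP\\bob",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},               # not RDP, ignored
    {"host": "srv-03", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\MSTSC.EXE",
     "dst_ip": "10.0.0.7", "dst_port": 3389},                  # case variant, allowed
    {"host": "srv-03", "user": "CORP\\svc-backup",
     "image": r"C:\Users\svc-backup\AppData\Local\Temp\rdp.exe",
     "dst_ip": "10.0.0.7", "dst_port": 3389},                  # uncommon process
    {"host": "ws-04", "user": "CORP\\carol",
     "image": r"C:\Users\Public\mstsc.exe",
     "dst_ip": "10.0.0.7", "dst_port": 3389},                  # known name, odd path
]


def find_uncommon_rdp_connections(records, allowed_clients=KNOWN_RDP_CLIENTS,
                                  expected_dirs=EXPECTED_CLIENT_DIRS):
    """Return records that reach port 3389 from an unexpected image, with a reason."""
    hits = []
    for rec in records:
        if rec["dst_port"] != RDP_PORT:
            continue
        # Windows paths are case-insensitive, so normalise before comparing.
        image_name = ntpath.basename(rec["image"]).lower()
        directory = ntpath.dirname(rec["image"]).lower()
        if image_name in allowed_clients:
            if directory in expected_dirs:
                continue
            reason = "known client name outside expected directory"
        else:
            reason = "uncommon process"
        hits.append({**rec, "image_name": image_name, "reason": reason})
    return hits


def hits_by_host(records):
    """Count flagged connections per source host for triage."""
    counts = {}
    for hit in find_uncommon_rdp_connections(records):
        counts[hit["host"]] = counts.get(hit["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_uncommon_rdp_connections(SAMPLE_CONNECTIONS):
        print(f"{hit['host']} {hit['user']} {hit['image']} -> "
              f"{hit['dst_ip']}:{hit['dst_port']} [{hit['reason']}]")
```

A name-only allow-list is the weak point of this kind of rule, which is why the example also checks the directory; in production the same idea is better served by image signature or hash fields where the sensor provides them, and by the triage steps the rule's note section describes.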
