{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/remote-desktop-services/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-0708"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Remote Desktop Services"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","lateral-movement","initial-access","rdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eRemote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems, however, exposing RDP directly to the internet creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for RDP connections originating from outside the internal network (RFC1918 IP ranges). This is important because successful RDP compromise often leads to broader network infiltration and data exfiltration. This detection focuses on the network level characteristics of RDP connections from the internet to internal assets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible RDP service.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g. BlueKeep CVE-2019-0708).\u003c/li\u003e\n\u003cli\u003eUpon successful authentication or exploitation, the attacker gains remote access to the targeted system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).\u003c/li\u003e\n\u003cli\u003eThe attacker gathers sensitive data from internal systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data to an external server or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The impact of a successful RDP attack ranges from several thousands to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;RDP (Remote Desktop Protocol) from the Internet\u0026quot; Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.\u003c/li\u003e\n\u003cli\u003eReview firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. Implement a VPN or RDP gateway for secure remote access.\u003c/li\u003e\n\u003cli\u003eEnable and monitor network traffic logs (category: \u003ccode\u003enetwork_traffic\u003c/code\u003e, product: \u003ccode\u003ewindows|linux|macos\u003c/code\u003e) to provide data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential RDP compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rdp-internet/","summary":"This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.","title":"RDP (Remote Desktop Protocol) from the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-internet/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","Remote Desktop Services"],"_cs_severities":["high"],"_cs_tags":["lateral-movement","rdp-shadowing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eRemote Desktop Shadowing is a feature intended for legitimate administrative purposes, allowing administrators to view or control active RDP sessions for support and troubleshooting. However, adversaries can abuse this feature to monitor or hijack user sessions without consent, leading to unauthorized access and data compromise. This activity is detected by monitoring for modifications to the RDP Shadow registry settings and the execution of specific processes linked to shadowing, such as \u0026quot;RdpSaUacHelper.exe\u0026quot;, \u0026quot;RdpSaProxy.exe\u0026quot;, and \u0026quot;mstsc.exe\u0026quot; with the \u0026quot;/shadow:*\u0026quot; argument. The rule identifies suspicious modifications to RDP Shadow registry settings, specifically changes in \u0026quot;HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow\u0026quot;, and the execution of associated processes by \u0026quot;svchost.exe\u0026quot;. This activity can originate from internal or external actors and has been observed in various attacks aimed at lateral movement and data theft. Defenders should prioritize detection and prevention of RDP shadowing to prevent unauthorized access and session hijacking.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the RDP Shadow registry key \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow\u003c/code\u003e to enable shadowing. This may involve setting the value to \u0026quot;1\u0026quot;, \u0026quot;2\u0026quot;, \u0026quot;3\u0026quot;, or \u0026quot;4\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esvchost.exe\u003c/code\u003e to launch \u003ccode\u003eRdpSaUacHelper.exe\u003c/code\u003e or \u003ccode\u003eRdpSaProxy.exe\u003c/code\u003e to initiate the shadowing session.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker directly executes \u003ccode\u003emstsc.exe\u003c/code\u003e with the \u003ccode\u003e/shadow:\u0026lt;session ID\u0026gt;\u003c/code\u003e argument to target a specific RDP session.\u003c/li\u003e\n\u003cli\u003eThe compromised host connects to the target RDP session, allowing the attacker to view or control the user's session.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the user's activity, captures sensitive information, or performs malicious actions within the compromised session.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised session to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RDP shadowing allows an attacker to gain unauthorized access to sensitive information displayed on the user's screen. This can include credentials, financial data, or proprietary information. The attacker can also control the user's session, potentially leading to data theft, system compromise, or further lateral movement within the network. This can result in significant financial losses, reputational damage, and legal liabilities. The number of affected users depends on the scope of the attack and the number of RDP sessions targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications to \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow\u003c/code\u003e using a registry monitoring tool and deploy the \u0026quot;RDP Shadow Registry Modification\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eAlert on the execution of \u003ccode\u003eRdpSaUacHelper.exe\u003c/code\u003e or \u003ccode\u003eRdpSaProxy.exe\u003c/code\u003e spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e using the \u0026quot;RDP Shadow Process Execution\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e with the \u003ccode\u003e/shadow\u003c/code\u003e argument using the \u0026quot;RDP Shadow MSTSC Execution\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and harden RDP access policies, including multi-factor authentication and limiting RDP access to only necessary users and systems.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for RDP activities across the network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/","summary":"This rule detects potential Remote Desktop Shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session that allows adversaries to spy on or control other user's RDP sessions.","title":"Potential Remote Desktop Shadowing Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/"}],"language":"en","title":"CraftedSignal Threat Feed - Remote Desktop Services","version":"https://jsonfeed.org/version/1.1"}