<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Remote Desktop Services - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/remote-desktop-services/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/remote-desktop-services/feed.xml" rel="self" type="application/rss+xml"/><item><title>RDP (Remote Desktop Protocol) from the Internet</title><link>https://feed.craftedsignal.io/briefs/2024-01-rdp-internet/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rdp-internet/</guid><description>This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.</description><content:encoded><![CDATA[<p>Remote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems, however, exposing RDP directly to the internet creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for RDP connections originating from outside the internal network (RFC1918 IP ranges). This is important because successful RDP compromise often leads to broader network infiltration and data exfiltration. This detection focuses on the network level characteristics of RDP connections from the internet to internal assets.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a publicly accessible RDP service.</li>
<li>The attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g. BlueKeep CVE-2019-0708).</li>
<li>Upon successful authentication or exploitation, the attacker gains remote access to the targeted system.</li>
<li>The attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.</li>
<li>The attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.</li>
<li>The attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).</li>
<li>The attacker gathers sensitive data from internal systems.</li>
<li>The attacker exfiltrates the stolen data to an external server or deploys ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The impact of a successful RDP attack ranges from several thousands to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;RDP (Remote Desktop Protocol) from the Internet&quot; Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.</li>
<li>Review firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. Implement a VPN or RDP gateway for secure remote access.</li>
<li>Enable and monitor network traffic logs (category: <code>network_traffic</code>, product: <code>windows|linux|macos</code>) to provide data for the Sigma rule.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.</li>
<li>Implement network segmentation to limit the blast radius of a potential RDP compromise.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>lateral-movement</category><category>initial-access</category><category>rdp</category></item><item><title>Potential Remote Desktop Shadowing Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/</link><pubDate>Tue, 02 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/</guid><description>This rule detects potential Remote Desktop Shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session that allows adversaries to spy on or control other user's RDP sessions.</description><content:encoded><![CDATA[<p>Remote Desktop Shadowing is a feature intended for legitimate administrative purposes, allowing administrators to view or control active RDP sessions for support and troubleshooting. However, adversaries can abuse this feature to monitor or hijack user sessions without consent, leading to unauthorized access and data compromise. This activity is detected by monitoring for modifications to the RDP Shadow registry settings and the execution of specific processes linked to shadowing, such as &quot;RdpSaUacHelper.exe&quot;, &quot;RdpSaProxy.exe&quot;, and &quot;mstsc.exe&quot; with the &quot;/shadow:*&quot; argument. The rule identifies suspicious modifications to RDP Shadow registry settings, specifically changes in &quot;HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow&quot;, and the execution of associated processes by &quot;svchost.exe&quot;. This activity can originate from internal or external actors and has been observed in various attacks aimed at lateral movement and data theft. Defenders should prioritize detection and prevention of RDP shadowing to prevent unauthorized access and session hijacking.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the target system through compromised credentials or other means.</li>
<li>The attacker modifies the RDP Shadow registry key <code>HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow</code> to enable shadowing. This may involve setting the value to &quot;1&quot;, &quot;2&quot;, &quot;3&quot;, or &quot;4&quot;.</li>
<li>The attacker uses <code>svchost.exe</code> to launch <code>RdpSaUacHelper.exe</code> or <code>RdpSaProxy.exe</code> to initiate the shadowing session.</li>
<li>Alternatively, the attacker directly executes <code>mstsc.exe</code> with the <code>/shadow:&lt;session ID&gt;</code> argument to target a specific RDP session.</li>
<li>The compromised host connects to the target RDP session, allowing the attacker to view or control the user's session.</li>
<li>The attacker monitors the user's activity, captures sensitive information, or performs malicious actions within the compromised session.</li>
<li>The attacker may use the compromised session to move laterally to other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful RDP shadowing allows an attacker to gain unauthorized access to sensitive information displayed on the user's screen. This can include credentials, financial data, or proprietary information. The attacker can also control the user's session, potentially leading to data theft, system compromise, or further lateral movement within the network. This can result in significant financial losses, reputational damage, and legal liabilities. The number of affected users depends on the scope of the attack and the number of RDP sessions targeted.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor registry modifications to <code>HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow</code> using a registry monitoring tool and deploy the &quot;RDP Shadow Registry Modification&quot; Sigma rule.</li>
<li>Alert on the execution of <code>RdpSaUacHelper.exe</code> or <code>RdpSaProxy.exe</code> spawned by <code>svchost.exe</code> using the &quot;RDP Shadow Process Execution&quot; Sigma rule.</li>
<li>Monitor for the execution of <code>mstsc.exe</code> with the <code>/shadow</code> argument using the &quot;RDP Shadow MSTSC Execution&quot; Sigma rule.</li>
<li>Review and harden RDP access policies, including multi-factor authentication and limiting RDP access to only necessary users and systems.</li>
<li>Implement enhanced monitoring and logging for RDP activities across the network.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lateral-movement</category><category>rdp-shadowing</category><category>windows</category></item></channel></rss>