Windows Remote Desktop Network Bruteforce Attempt

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.

Attack Chain

The attacker scans the network to identify systems with open RDP ports (TCP 3389).
The attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.
The firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.
Sysmon logs the network connections with Event ID 3.
The attacker continues to attempt connections, typically exceeding 10 attempts within an hour.
Upon successful authentication, the attacker gains unauthorized access to the target system.
The attacker may then install malware, move laterally, or exfiltrate sensitive data.
The attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.

Impact

Successful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.

Recommendation

Ensure network traffic data is populating the Network_Traffic data model to enable the provided search query.
Deploy the Sigma rule RDP Bruteforce via Network Traffic to detect brute force attempts based on network connection patterns.
Adjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.
Investigate source IPs identified by the detection rule as potential attackers.
Monitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.
Review the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.

Outbound SMB Traffic Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker’s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. The source mentions specific relevance to “Hidden Cobra Malware”, “DHS Report TA18-074A”, and “NOBELIUM Group”, suggesting possible connections to these threat actors or campaigns.

Attack Chain

An internal host is compromised through an initial access vector (e.g., phishing, exploit).
The attacker attempts to enumerate network resources accessible from the compromised host.
The attacker leverages SMB to connect to external servers, typically on ports 139 or 445.
The SMB connection attempts to authenticate or negotiate with the external server.
The attacker may attempt to exploit vulnerabilities in the SMB protocol or server.
The attacker captures or relays credential hashes transmitted over the SMB connection.
The attacker uses the captured credentials to move laterally to other systems or escalate privileges.
The attacker achieves their final objective, such as data exfiltration or system compromise.

Impact

Successful exploitation of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. While the number of victims isn’t specified, the detection’s relevance to known threat actors suggests potentially widespread impact.

Recommendation

Deploy the Sigma rule Outbound SMB Traffic Detected to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.
Investigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference detect_outbound_smb_traffic_filter macro in the original search).
Implement network segmentation to restrict internal hosts from directly accessing external SMB services.
Enforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.
Categorize internal CIDR blocks as internal in your asset management system to reduce false positives (reference “known_false_positives” section).
Consider blocking external communications of all SMB versions and related protocols at the network boundary.

Secure Access Firewall — CraftedSignal Threat Feed

Windows Remote Desktop Network Bruteforce Attempt

Attack Chain

Impact

Recommendation

Outbound SMB Traffic Detection

Attack Chain

Impact

Recommendation