DFIR Training
Remote Desktop Protocol (RDP) Triage
4/15/2020
DFIR Training - Gerritz (Infocyte)
Validating integrity via live forensic analysis of a set of hosts
Overview
Situation:
• Network is compromised but the intruders didn’t leave behind a RAT (they used remote access instead of malware)
• Malware of Choice: Exposed or Tunneled RDP
Today’s Training:
• RDP Protocol & Attack Vectors
• Host-level Triage of RDP
– Event Logs
– Sysmon / EDR
• Recommendations for Securing RDP
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP)
Source: https://www.awingu.com/demystifying-rdp-understanding-rdp-vdi-rds/
Remote Desktop Protocol (RDP)
Description:
Default remote session protocol for all Microsoft Windows versions. Used extensively in organizations for server management, remote desktop, VDI, and cloud management.

Protocol | Implementation Ports | OS | Meant For
RDP | TCP/UDP 3389 | Windows Clients (XP+) | Internal (insecure)
RD Gateway (HTTPS/SSL) | TCP 443, UDP 3391 (Streaming) | Windows Server 2k8R2+ | External (securable)

Services Using RDP | Description
Virtual Desktop (VDI) | Remote Dedicated VM
Remote Desktop Services (RDS) | Remote Shared VM
Hyper-V / Azure | GUI Emulation
RDP Attack Vectors
RDP Attacks Dominate
Coveware (an IR company) reported that in 1Q 2019:
• 63.5 percent of their ransomware cases relied on RDP as an entry vector.
• This was pre-BlueKeep.
Millions of exposed RDP ports on the web (Shodan)
Source: https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases
RDP Vulnerabilities
Description:
Plenty of RCE vulnerabilities in RDP (most of these target channels on TCP/UDP 3389 or UDP 3391)

Name | CVE | Scope | Description
BlueKeep | CVE-2019-0708 | Remote / Pre-Auth | Used to execute remote code on RDP servers on older OS servers/clients.
DejaBlue | CVE-2019-1181, 1182, 1222, etc. | Remote / Pre-Auth | BlueKeep-style vulns for modern OSes
RDP Path Traversal | CVE-2019-0887 | Lateral | Turns a compromised RDP server into a watering hole (pwn connecting clients)
BlueGate | CVE-2020-0609, CVE-2020-0610 | Remote / Pre-Auth | Used to DoS or execute remote code on RD Gateways listening on UDP 3391
RDP Attacks
RCE Vulns:
• RDP as entry vector via vuln
Weak Auth:
• RDP as entry vector via weak passwords (most popular)
Lateral Movement:
• Credentialed RDP within the network; enables non-malware persistence
• RDP watering hole attack via path traversal (CVE-2019-0887): pwn connecting clients to elevate to DA
Session Hijack:
• Hijack session from compromised home office to corporate network (priv escalation)
Triaging Malicious RDP Usage
RDP Event Logs - Connections
Network Connection → Authentication → Logon → Reconnect → Activity → Logoff

Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Id 1149 (Connection): User Network Authentication (logon screen displayed)
– Includes Source IP
– Usefulness: Low (can be noisy)
– Associated to Id 131 (Connection Accepted) and Id 132 (Channel Connected)

Log: Security
Id 4624 (Authentication): Logon (Type 10)
– Includes Source IP, UserSID and LoginID
– Usefulness: High
– Type 3 is an additional event for NLA-enabled sessions
– Type 7 for reconnects (associated to Id 21)

Log: Security
Id 4778 (Authentication): Reconnect (Type 10)
– Includes Source IP + LoginID
– Usefulness: Medium (unreliable)
– A new LoginID is sometimes generated (you need it for process_create correlation)
– Associated to Id 25
RDP Event Logs - Sessions
Network Connection → Authentication → Session → Reconnects → Activity → Logoff

Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Id 21, 24, 25 (Session Logon): RDP session created (21), disconnected (24), reconnected (25)
– Includes Source IP & SessionID
– Usefulness: Medium (timelining)
RDP Other Important Events
Log: Security or Sysmon/EDR
Id 4688 (Sysmon Id 1): Process Create
– Includes LogonId and UserSID
– Usefulness: High when correlated with 4624 (correlate on LogonId & SID)

Other Important Events to Consider:
• Startup folder - File Creation Events (Sysmon Id 11)

Network Connection → Authentication → Session → Reconnect → Activity → Logoff
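The correlation the three event-log slides describe, carried through in Python as an added example (it is not the deck's RDP Triage script, ConvertFrom-WinEvent, or the Infocyte extension): seed a session from each 4624 Type 10, park the 1149 and NLA Type 3 events that precede it, attach LocalSessionManager 21/24/25 by user, follow a 4778 reconnect that was issued a new LoginID by aliasing that ID onto the session, and attribute 4688 process creations through the alias. The event records are constructed and their field names normalized; real input would come from the Security and TerminalServices channels (e.g. exported with Get-WinEvent) in the same shape. The user name, SID, LogonIds and addresses are all made up.

```python
"""Correlate RDP events into per-session timelines. Added example: this is not the
deck's RDP Triage script nor the Infocyte extension. SAMPLE_EVENTS are CONSTRUCTED
records cut down to the fields the slides name, with field names normalized (real
exports use e.g. Param1/Param3 for 1149 and Address for 21/24/25)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed user SID
LSM_LABEL = {21: "session created", 24: "session disconnected", 25: "session reconnected"}

SAMPLE_EVENTS = [  # constructed; deliberately unordered so the time sort matters
    {"Channel": "Security", "EventID": 4688, "Time": "2020-04-15T02:11:00", "SubjectLogonId": "0x3e7",
     "SubjectUserSid": "S-1-5-18", "NewProcessName": r"C:\Windows\System32\svchost.exe"},  # SYSTEM, not RDP
    {"Channel": RCM, "EventID": 1149, "Time": "2020-04-15T02:10:00", "User": "jdoe", "IpAddress": "203.0.113.7"},
    {"Channel": "Security", "EventID": 4624, "Time": "2020-04-15T02:10:03", "LogonType": 3, "TargetUserName": "jdoe",
     "TargetUserSid": SID, "TargetLogonId": "0x3a1b2c", "IpAddress": "203.0.113.7"},  # NLA pre-auth
    {"Channel": "Security", "EventID": 4624, "Time": "2020-04-15T02:10:04", "LogonType": 10, "TargetUserName": "jdoe",
     "TargetUserSid": SID, "TargetLogonId": "0x3a1b40", "IpAddress": "203.0.113.7"},  # RemoteInteractive
    {"Channel": LSM, "EventID": 21, "Time": "2020-04-15T02:10:05", "User": r"CORP\jdoe", "SessionID": 3, "IpAddress": "203.0.113.7"},
    {"Channel": "Security", "EventID": 4688, "Time": "2020-04-15T02:12:10", "SubjectLogonId": "0x3a1b40",
     "SubjectUserSid": SID, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"Channel": "Security", "EventID": 4688, "Time": "2020-04-15T02:12:30", "SubjectLogonId": "0x3a1b40",
     "SubjectUserSid": SID, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Channel": LSM, "EventID": 24, "Time": "2020-04-15T02:30:00", "User": r"CORP\jdoe", "SessionID": 3, "IpAddress": "203.0.113.7"},
    {"Channel": LSM, "EventID": 25, "Time": "2020-04-15T03:05:00", "User": r"CORP\jdoe", "SessionID": 3, "IpAddress": "198.51.100.9"},
    {"Channel": "Security", "EventID": 4778, "Time": "2020-04-15T03:05:01", "AccountName": "jdoe",
     "LogonID": "0x3c9f10", "ClientAddress": "198.51.100.9"},  # reconnect was issued a NEW LogonID
    {"Channel": "Security", "EventID": 4688, "Time": "2020-04-15T03:06:00", "SubjectLogonId": "0x3c9f10",
     "SubjectUserSid": SID, "NewProcessName": r"C:\Windows\System32\whoami.exe"},
]

@dataclass
class RdpSession:
    logon_id: str                                         # LogonId of the seeding Type-10 4624
    user: str
    sid: str
    logon_ids: List[str] = field(default_factory=list)    # primary + IDs issued on reconnect
    source_ips: List[str] = field(default_factory=list)   # in order of first appearance
    session_id: Optional[int] = None                      # from LocalSessionManager 21/24/25
    timeline: List[Tuple[str, str]] = field(default_factory=list)
    processes: List[Tuple[str, str]] = field(default_factory=list)  # (time, image path)

    def note_ip(self, ip: Optional[str]) -> None:
        if ip and ip not in self.source_ips:
            self.source_ips.append(ip)

def _ukey(name: str) -> str:
    """'CORP\\jdoe' and 'jdoe' must match across channels that log the user differently."""
    return name.rsplit("\\", 1)[-1].lower()

def build_rdp_sessions(events: List[dict]) -> Dict[str, RdpSession]:
    sessions: Dict[str, RdpSession] = {}   # primary LogonId -> session
    alias: Dict[str, str] = {}             # any LogonId (incl. reconnect-issued) -> primary LogonId
    latest: Dict[str, str] = {}            # user key -> primary LogonId of that user's newest session
    pending = defaultdict(list)            # pre-logon events (1149, NLA Type 3) awaiting a Type-10 logon
    for ev in sorted(events, key=lambda e: e["Time"]):
        ch, eid, t = ev["Channel"], ev["EventID"], ev["Time"]
        if ch == RCM and eid == 1149:
            pending[_ukey(ev["User"])].append((t, f"1149 connection (logon screen) from {ev['IpAddress']}"))
        elif ch == "Security" and eid == 4624 and ev["LogonType"] == 3:
            pending[_ukey(ev["TargetUserName"])].append((t, f"4624 type 3 (NLA pre-auth) from {ev['IpAddress']}"))
        elif ch == "Security" and eid == 4624 and ev["LogonType"] == 10:
            key = _ukey(ev["TargetUserName"])
            s = RdpSession(ev["TargetLogonId"], ev["TargetUserName"], ev["TargetUserSid"])
            s.logon_ids.append(s.logon_id)
            s.timeline.extend(pending.pop(key, []))
            s.timeline.append((t, f"4624 type 10 logon from {ev['IpAddress']}"))
            s.note_ip(ev["IpAddress"])
            sessions[s.logon_id] = s
            alias[s.logon_id] = latest[key] = s.logon_id
        elif ch == "Security" and eid == 4778:
            # A reconnect may carry a NEW LogonID: alias it onto the user's latest session so later
            # 4688s under that LogonId are still attributed (a Type-7 4624 can be handled the same way).
            primary = latest.get(_ukey(ev["AccountName"]))
            if primary:
                s = sessions[primary]
                alias[ev["LogonID"]] = primary
                if ev["LogonID"] not in s.logon_ids:
                    s.logon_ids.append(ev["LogonID"])
                s.note_ip(ev["ClientAddress"])
                s.timeline.append((t, f"4778 reconnect from {ev['ClientAddress']} (LogonId {ev['LogonID']})"))
        elif ch == LSM and eid in LSM_LABEL:
            primary = latest.get(_ukey(ev["User"]))
            if primary:
                s = sessions[primary]
                s.session_id = ev["SessionID"]
                s.note_ip(ev["IpAddress"])
                s.timeline.append((t, f"{eid} {LSM_LABEL[eid]} (SessionID {ev['SessionID']}) from {ev['IpAddress']}"))
        elif ch == "Security" and eid == 4688 and ev["SubjectLogonId"] in alias:  # unknown LogonIds are dropped
            sessions[alias[ev["SubjectLogonId"]]].processes.append((t, ev["NewProcessName"]))
    return sessions

def summarize(sessions: Dict[str, RdpSession]) -> List[dict]:
    """Compact per-session view: who, from where, which LogonIds, what ran."""
    return [{"user": s.user, "sid": s.sid, "session_id": s.session_id, "logon_ids": s.logon_ids,
             "source_ips": s.source_ips, "processes": [p.rsplit("\\", 1)[-1] for _, p in s.processes]}
            for s in sessions.values()]
```

The 4688 under LogonId 0x3e7 (SYSTEM) is dropped because no RDP session claims it, and the whoami.exe launch after the reconnect is attributed only because the 4778 LoginID was aliased, which is exactly the "need it for process_create correlation" caveat on the 4778 slide. Matching 21/24/25 on user alone is a simplification; with two concurrent sessions for one account you would also key on SessionID.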
EventLog Parsers
• Get-SysmonEvents
https://gist.github.com/singlethreaded/df6d810a95ca8fd6874be26e06a73320
• ConvertFrom-WinEvent
https://gist.github.com/singlethreaded/77f873ecaf6318750e270610ae6b35bd
• RDP Triage Script
https://gist.github.com/singlethreaded/c730e559f868f5380d7d5ccd2a56928e
• RDP Triage Infocyte Extension
https://github.com/Infocyte/extensions/blob/master/official/collection/rdp_triage.lua
Recommendations
Securing Publicly Available Services
Every IP on the internet is being bombarded by malicious requests...
Required Security Features for globally accessible services:
• SSL Certificates for Authentication (Verifies endpoint)
• Transport Encryption (i.e. HTTPS/TLS)
– Note: RDP is already encrypted so HTTPS wrapper is mostly redundant
• Brute Force Mitigation (i.e. IP Auto-blocker on failed auth or malformed
requests)
• Multi-Factor Authentication
• DDoS protection (i.e. Cloudflare) [Recommended]
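The "IP auto-blocker on failed auth" item above, as an added Python example that is not from the deck or from any product: a sliding-window counter over failed-logon records (Security Id 4625 on Windows) that blocks a source after a burst of failures, resets on a successful logon, never blocks allowlisted management addresses, and skips records with no usable source address. Threshold, window, block duration, the addresses and the event tuples are all constructed.

```python
"""Sliding-window auto-blocker for failed RDP authentications. Added example, not
from the deck or any product. SAMPLE_AUTH_EVENTS are CONSTRUCTED (time, source IP,
succeeded?) tuples standing in for Security 4625/4624 records on an RDP-facing host;
in production the block decision would be pushed to a firewall or gateway ACL."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple, Union

SAMPLE_AUTH_EVENTS = [
    ("2020-04-15T01:00:00", "203.0.113.7", False),    # legitimate user mistypes twice...
    ("2020-04-15T01:00:20", "203.0.113.7", False),
    ("2020-04-15T01:00:40", "203.0.113.7", True),     # ...then logs in: failure counter reset
    ("2020-04-15T01:01:00", "198.51.100.23", False),  # rapid failures from one source
    ("2020-04-15T01:01:10", "198.51.100.23", False),
    ("2020-04-15T01:01:20", "198.51.100.23", False),
    ("2020-04-15T01:01:30", "198.51.100.23", False),
    ("2020-04-15T01:01:40", "198.51.100.23", False),  # 5th failure inside the window -> block
    ("2020-04-15T01:01:50", "198.51.100.23", False),  # already blocked: no second decision
    ("2020-04-15T01:02:00", "-", False),              # no usable source address: nothing to block
] + [("2020-04-15T01:03:%02d" % i, "10.0.0.5", False) for i in range(10)]  # allowlisted jump host

def _ts(when: Union[str, datetime]) -> datetime:
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)

class FailedAuthBlocker:
    """Block a source after `threshold` failures within `window`, for `block_for`."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=5),
                 block_for: timedelta = timedelta(hours=1), allowlist: Iterable[str] = ()):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.allowlist = set(allowlist)                      # management addresses never auto-blocked
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._blocked_until: Dict[str, datetime] = {}

    def is_blocked(self, ip: str, now: Union[str, datetime]) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if _ts(now) >= until:                                # block expired: lift it lazily
            del self._blocked_until[ip]
            return False
        return True

    def observe(self, when: Union[str, datetime], ip: str, success: bool) -> Optional[datetime]:
        """Feed one authentication outcome; returns the block expiry if this event starts a new block."""
        when = _ts(when)
        if ip in ("-", "", None) or ip in self.allowlist or self.is_blocked(ip, when):
            return None
        fails = self._failures[ip]
        if success:
            fails.clear()                                    # a real user who got in is not a sprayer
            return None
        fails.append(when)
        while fails and when - fails[0] > self.window:       # slide the window forward
            fails.popleft()
        if len(fails) >= self.threshold:
            fails.clear()
            self._blocked_until[ip] = when + self.block_for
            return self._blocked_until[ip]
        return None

def replay(events: List[Tuple[str, str, bool]], allowlist: Iterable[str] = ("10.0.0.5",)):
    """Run a batch through a fresh blocker; returns (blocker, [(ip, blocked_at, blocked_until)])."""
    blocker = FailedAuthBlocker(allowlist=allowlist)
    decisions = []
    for ts, ip, ok in events:
        until = blocker.observe(ts, ip, ok)
        if until:
            decisions.append((ip, ts, until.isoformat()))
    return blocker, decisions
```

Behind NAT or a VPN concentrator one address is many users, so a hard block there is a self-inflicted outage; an allowlist for known egress addresses, or rate-limiting instead of blocking, is the usual compromise. Also check in your own logs which failed-logon records actually carry a client address: with NLA the failure is recorded at the network authentication step, where the address is present, whereas records showing "-" give the blocker nothing to act on.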
RDP Can Be Secured
RDP can be an acceptable and secure remoting solution if configured
correctly...
Recommendations:
• Enforce Network Level Authentication on NLA-capable clients (DOUBLEPULSAR no like)
• Use an RDP Gateway Solution (RD Gateway Role on Windows Server)
– Requires a valid SSL Certificate
– DO NOT self-sign certificates (unless you hate your users and/or your helpdesk)
• Enforce Two-Factor Authentication (2FA)
• IP Restrict RD Gateway or restrict to VPN if you can’t enable 2FA
Guide: https://turbofuture.com/computers/How-To-Setup-a-Remote-Desktop-Gateway-Windows-Server-2016
Azure MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
Network Level Authentication (NLA)
NLA completes user authentication before establishing the RD connection
(before logon screen appears).
Not foolproof but many pre-auth vulns are rendered useless
Configuration: Easy
• Requires Windows Hosts AND Clients with RDC Version 6.0+ (Windows Vista+)
– Some Linux & OSX 3rd party clients have support
– Default on Windows 10 / Server 2012R2+
https://social.technet.microsoft.com/wiki/contents/articles/5490.configure-network-level-authentication-for-remote-desktop-services-connections.aspx
Securing RDP - Reality
“A service is only as secure as it is convenient to do so” - Overheard at a con
Reality Check:
• Fully securing RDP is a royal pain for most SMBs
– RDP Gateway + NPS Policy Server + RADIUS?
– Purchase an SSL Certificate?
• Can we all just block RDP? The trend is against us...
Thanks, dude…
Commercial Solutions
Duo has one of the easiest to implement RD Gateway solutions I’ve seen (https://duo.com/docs/rdgateway):
• Automatic 2FA
• Auth Gateway
Azure AD MFA works but is far more difficult to implement.
AWS also has a solution (but I haven’t tried it)
QUESTIONS
Chris Gerritz
Co-Founder, Infocyte
cgerritz@Infocyte.com
Twitter: @gerritzc
@InfocyteInc
The Weapon of Choice for Incident Responders
www.infocyte.com

More Related Content

What's hot

Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsBecoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
SolarWinds
 
Threat Modelling
Threat ModellingThreat Modelling
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO Authentication
FIDO Alliance
 
NETWORK OPERATION CENTER
NETWORK OPERATION CENTERNETWORK OPERATION CENTER
NETWORK OPERATION CENTER
Rolando Rodriguez
 
Stopping zero day threats
Stopping zero day threatsStopping zero day threats
Stopping zero day threats
Zscaler
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
MAHESHUMANATHGOPALAK
 
Compliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient MeshCompliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient Mesh
Christian Posta
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
Ashnikbiz
 
Gap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOpsGap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOps
Marc Hornbeek
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
neoalt
 
Disaster recovery solution
Disaster recovery solutionDisaster recovery solution
Disaster recovery solution
Anton An
 
CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development Security
Sam Bowne
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
Puma Security, LLC
 
Workshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemWorkshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment system
Dan H
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
ReZa AdineH
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
MarketingArrowECS_CZ
 
8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges
BeyondTrust
 
Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...
YouAttestSlideshare
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
Rahul Khengare
 

What's hot (20)

Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsBecoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO Authentication
 
NETWORK OPERATION CENTER
NETWORK OPERATION CENTERNETWORK OPERATION CENTER
NETWORK OPERATION CENTER
 
Stopping zero day threats
Stopping zero day threatsStopping zero day threats
Stopping zero day threats
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
Compliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient MeshCompliance and Zero Trust Ambient Mesh
Compliance and Zero Trust Ambient Mesh
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
Gap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOpsGap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOps
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
 
Disaster recovery solution
Disaster recovery solutionDisaster recovery solution
Disaster recovery solution
 
CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development Security
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
Workshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment systemWorkshop 101 - Penetration testing & Vulnerability assessment system
Workshop 101 - Penetration testing & Vulnerability assessment system
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
 
8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges
 
Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...Micro segmentation and zero trust for security and compliance - Guardicore an...
Micro segmentation and zero trust for security and compliance - Guardicore an...
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
 

Similar to DFIR Training: RDP Triage

WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
Concentrated Technology
 
Analyzing RDP traffc with Bro
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with Bro
Josh Liburdi
 
Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise
Microsoft TechNet - Belgium and Luxembourg
 
DCV
DCVDCV
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
Jesse Burke
 
Dynamic Server Provisioning With Ops Manager and Hyper-V
Dynamic Server Provisioning With Ops Manager and Hyper-VDynamic Server Provisioning With Ops Manager and Hyper-V
Dynamic Server Provisioning With Ops Manager and Hyper-VAmit Gatenyo
 
Office Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterOffice Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterPaulo Freitas
 
Remote Desktop Services Component Architecture
Remote Desktop Services Component ArchitectureRemote Desktop Services Component Architecture
Remote Desktop Services Component ArchitecturePaulo Freitas
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 SecurityAmit Gatenyo
 
Microsoft RDS, VDI, RemoteFX and what Service Pack 1 will bring us
Microsoft RDS, VDI, RemoteFX and what Service Pack 1 will bring usMicrosoft RDS, VDI, RemoteFX and what Service Pack 1 will bring us
Microsoft RDS, VDI, RemoteFX and what Service Pack 1 will bring us
Ronnie Isherwood
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
Tim Martin
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
Christopher Gerritz
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Julien Vermillard
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
Felipe Prado
 
Routing host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamRouting host certificates in eduroam/govroam
Routing host certificates in eduroam/govroam
Karri Huhtanen
 
Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAA
Karri Huhtanen
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
Julien Vermillard
 
Getting the most out of RDS (Terminal Services)
Getting the most out of RDS (Terminal Services)Getting the most out of RDS (Terminal Services)
Getting the most out of RDS (Terminal Services)Amit Gatenyo
 
4-13Levi Morey
4-13Levi Morey4-13Levi Morey
4-13Levi MoreyLevi Morey
 

Similar to DFIR Training: RDP Triage (20)

WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services...
 
Analyzing RDP traffc with Bro
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with Bro
 
Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise Managing Windows RT devices in the Enterprise
Managing Windows RT devices in the Enterprise
 
DCV
DCVDCV
DCV
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Dynamic Server Provisioning With Ops Manager and Hyper-V
Dynamic Server Provisioning With Ops Manager and Hyper-VDynamic Server Provisioning With Ops Manager and Hyper-V
Dynamic Server Provisioning With Ops Manager and Hyper-V
 
Office Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterOffice Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 Poster
 
Remote Desktop Services Component Architecture
Remote Desktop Services Component ArchitectureRemote Desktop Services Component Architecture
Remote Desktop Services Component Architecture
 
Windows 2008 R2 Security
Windows 2008 R2 SecurityWindows 2008 R2 Security
Windows 2008 R2 Security
 
Microsoft RDS, VDI, RemoteFX and what Service Pack 1 will bring us
Microsoft RDS, VDI, RemoteFX and what Service Pack 1 will bring usMicrosoft RDS, VDI, RemoteFX and what Service Pack 1 will bring us
Microsoft RDS, VDI, RemoteFX and what Service Pack 1 will bring us
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
Routing host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamRouting host certificates in eduroam/govroam
Routing host certificates in eduroam/govroam
 
Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAA
 
The 5 elements of IoT security
The 5 elements of IoT securityThe 5 elements of IoT security
The 5 elements of IoT security
 
Getting the most out of RDS (Terminal Services)
Getting the most out of RDS (Terminal Services)Getting the most out of RDS (Terminal Services)
Getting the most out of RDS (Terminal Services)
 
4-13Levi Morey
4-13Levi Morey4-13Levi Morey
4-13Levi Morey
 

Recently uploaded

Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
KrzysztofKkol1
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Why React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdfWhy React Native as a Strategic Advantage for Startup Innovation.pdf
Why React Native as a Strategic Advantage for Startup Innovation.pdf
ayushiqss
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
MayankTawar1
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 

Recently uploaded (20)

Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
How to Position Your Globus Data Portal for Success Ten Good Practices

DFIR Training: RDP Triage

  • 1. DFIR Training: Remote Desktop Protocol (RDP) Triage, 4/15/2020
  • 8. RDP Vulnerabilities
    Description: Plenty of RCE vulnerabilities in RDP (most of these target channels on TCP/UDP 3389 or UDP 3391)
    Name | CVE | Scope | Description
    BlueKeep | CVE-2019-0708 | Remote / Pre-Auth | Used to execute remote code on RDP Servers on older OS servers/clients.
    DejaBlue | CVE-2019-1181, 1182, 1222, etc. | Remote / Pre-Auth | BlueKeep-style vulns for modern OS's
    RDP Path Traversal | CVE-2019-0887 | Lateral | Turns a compromised RDP Server into a watering hole (pwn connecting clients)
    BlueGate | CVE-2020-0609, CVE-2020-0610 | Remote / Pre-Auth | Used to DoS or execute remote code on RD Gateways listening on UDP 3391
  • 9. RDP Attacks
    • RCE Vulns: RDP as entry vector via vuln
    • Weak Auth: RDP as entry vector via weak passwords (most popular)
    • Lateral Movement: Credentialed RDP within the network; enable for non-malware persistence
      – RDP Watering Hole attack via Path Traversal (CVE-2019-0887) (pwn connecting clients to elevate to DA)
    • Session Hijack: Hijack session from a compromised home office to the corporate network (Priv Escalation)
  • 11. RDP Event Logs - Connections
    Network Connection → Authentication → Logon → Reconnect → Activity → Logoff
    Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
      Id 1149 (Connection): User network authentication (logon screen displayed). Includes source IP.
      Usefulness: Low (can be noisy). Associated with Id 131 (Connection Accepted) and Id 132 (Channel Connected).
    Log: Security
      Id 4624 (Authentication): Logon (Type 10). Includes source IP, UserSID and LoginID.
      Usefulness: High
      -- Type 3 is an additional event for an NLA-enabled session
      -- Type 7 for reconnects (associated with Id 21)
    Log: Security
      Id 4778 (Authentication): Reconnect (Type 10). Includes source IP + LoginID.
      Usefulness: Medium (unreliable)
      -- A new LoginID is sometimes generated (you need it for process_create correlation) (associated with Id 25)
  • 12. RDP Event Logs - Sessions
    Network Connection → Authentication → Session → Reconnects → Activity → Logoff
    Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
      Id 21, 24, 25 (Session Logon): RDP session created (21), disconnected (24), reconnected (25). Includes source IP & SessionID.
      Usefulness: Medium (timelining)
  • 13. RDP Other Important Events
    Network Connection → Authentication → Session → Reconnect → Activity → Logoff
    Log: Security or Sysmon/EDR
      Id 4688 (Sysmon Id 1): Process Create. Includes LogonId and UserSID.
      Usefulness: High when correlated with 4624 (correlate with LogonId & SID)
    Other important events to consider:
      • Startup folder - file creation events (Sysmon Id 11)
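The correlation the three slides above describe (anchor on a Security 4624 Type 10 logon, attach the NLA Type 3 pre-auth, 4778/Type 7 reconnects and LocalSessionManager 21/24/25 session events, then pull in every 4688 whose SubjectLogonId belongs to that logon), written out as an added example; it is not code from the deck or from Infocyte's tooling. It assumes the events have already been parsed into dictionaries (for instance the output of a ConvertFrom-WinEvent style parser exported to JSON) and that the keys follow the Windows event XML data names (`TargetLogonId`, `SubjectLogonId`, `IpAddress`, `ClientAddress`, `LogonID`). The sample events are constructed, and deliberately reproduce the caveat on slide 11: the 4778 reconnect carries a new LogonID, so the example maps that id back onto the original session before it looks up later process-creation events.

```python
"""Correlate RDP logon, reconnect and process-creation events by LogonId.
Added example (not the deck's or Infocyte's code); assumes events were parsed
into dicts, e.g. ConvertFrom-WinEvent output exported to JSON, using the
Windows event XML data names as keys."""

# Constructed sample events (not real logs), one RDP session for user jdoe:
# NLA pre-auth (Type 3), the RDP logon (Type 10), two processes, a disconnect,
# a reconnect from another IP, one more process, then an unrelated process.
# The 4778 carries a new LogonID (0x1a2d) to reproduce the quirk the slide
# warns about; the 4688 that follows uses that id and must still correlate.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "time": "2020-04-15T10:00:05", "LogonType": 3,
     "TargetUserName": "jdoe", "TargetLogonId": "0x1a2b", "IpAddress": "203.0.113.7"},
    {"log": "Security", "id": 4624, "time": "2020-04-15T10:00:06", "LogonType": 10,
     "TargetUserName": "jdoe", "TargetLogonId": "0x1a2c", "IpAddress": "203.0.113.7"},
    {"log": "LocalSessionManager", "id": 21, "time": "2020-04-15T10:00:07",
     "User": "CORP\\jdoe", "SessionID": 2, "Address": "203.0.113.7"},
    {"log": "Security", "id": 4688, "time": "2020-04-15T10:01:00",
     "SubjectLogonId": "0x1a2c", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"log": "Security", "id": 4688, "time": "2020-04-15T10:02:30",
     "SubjectLogonId": "0x1a2c", "NewProcessName": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"},
    {"log": "LocalSessionManager", "id": 24, "time": "2020-04-15T10:05:00",
     "User": "CORP\\jdoe", "SessionID": 2, "Address": "203.0.113.7"},
    {"log": "Security", "id": 4778, "time": "2020-04-15T13:30:00",
     "AccountName": "jdoe", "LogonID": "0x1a2d", "ClientAddress": "198.51.100.9"},
    {"log": "LocalSessionManager", "id": 25, "time": "2020-04-15T13:30:01",
     "User": "CORP\\jdoe", "SessionID": 2, "Address": "198.51.100.9"},
    {"log": "Security", "id": 4688, "time": "2020-04-15T13:31:00",
     "SubjectLogonId": "0x1a2d", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"log": "Security", "id": 4688, "time": "2020-04-15T13:31:05",
     "SubjectLogonId": "0x0999", "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

LSM_LABELS = {21: "session logon", 24: "session disconnect", 25: "session reconnect"}


def build_rdp_sessions(events):
    """Return {logon_id: session} keyed on every Security 4624 Type 10 logon.
    A session collects source IPs (Type 7 / 4778), whether an NLA Type 3 logon
    preceded it, LSM 21/24/25 events for the same user, and its 4688 processes."""
    events = sorted(events, key=lambda e: e["time"])
    sessions, alias = {}, {}  # alias: 4778 LogonID -> LogonId of the session

    # Pass 1: anchor on the RDP logon itself (Type 10).
    for ev in events:
        if ev["log"] == "Security" and ev["id"] == 4624 and ev["LogonType"] == 10:
            sessions[ev["TargetLogonId"]] = {
                "user": ev["TargetUserName"], "start": ev["time"],
                "source_ips": {ev["IpAddress"]}, "nla_preauth": False,
                "session_events": [], "processes": []}

    def resolve(logon_id):
        return sessions.get(alias.get(logon_id, logon_id))

    # Pass 2: attach everything else in time order.
    for ev in events:
        if ev["log"] == "LocalSessionManager" and ev["id"] in LSM_LABELS:
            user = ev["User"].split("\\")[-1]  # strip the DOMAIN\ prefix
            for s in sessions.values():
                if s["user"] == user:
                    s["session_events"].append((ev["time"], LSM_LABELS[ev["id"]], ev["Address"]))
        elif ev["log"] != "Security":
            continue
        elif ev["id"] == 4624 and ev["LogonType"] == 3:
            # NLA logs a network logon (Type 3) just before the Type 10 logon.
            for s in sessions.values():
                if (s["user"] == ev["TargetUserName"] and ev["IpAddress"] in s["source_ips"]
                        and ev["time"] <= s["start"]):
                    s["nla_preauth"] = True
        elif ev["id"] == 4624 and ev["LogonType"] == 7:
            s = resolve(ev["TargetLogonId"])
            if s:
                s["source_ips"].add(ev["IpAddress"])
        elif ev["id"] == 4778:
            s = resolve(ev["LogonID"])
            if s is None:
                # Reconnect minted a new LogonID: map it onto that account's
                # session so later 4688s with the new id still correlate.
                for lid, cand in sessions.items():
                    if cand["user"] == ev["AccountName"]:
                        alias[ev["LogonID"]], s = lid, cand
            if s:
                s["source_ips"].add(ev["ClientAddress"])
        elif ev["id"] == 4688:
            s = resolve(ev["SubjectLogonId"])
            if s:
                s["processes"].append((ev["time"], ev["NewProcessName"]))
    return sessions


def summarize(sessions):
    """One triage line per RDP session."""
    return [f"{lid} user={s['user']} start={s['start']} nla={s['nla_preauth']} "
            f"ips={sorted(s['source_ips'])} procs={len(s['processes'])}"
            for lid, s in sessions.items()]
```

Running `summarize(build_rdp_sessions(SAMPLE_EVENTS))` yields a single session for `0x1a2c` with both source IPs and three processes; the `svchost.exe` launched under the unrelated logon `0x0999` is left out, and the `powershell.exe` started after the reconnect is still attributed to the session only because the 4778 alias was recorded first. The Type 3 match is intentionally loose (same user, same source IP, timestamp at or before the Type 10), which is what the "additional event for NLA" note on slide 11 amounts to in practice.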
  • 14. EventLog Parsers
    • Get-SysmonEvents: https://gist.github.com/singlethreaded/df6d810a95ca8fd6874be26e06a73320
    • ConvertFrom-WinEvent: https://gist.github.com/singlethreaded/77f873ecaf6318750e270610ae6b35bd
    • RDP Triage Script: https://gist.github.com/singlethreaded/c730e559f868f5380d7d5ccd2a56928e
    • RDP Triage Infocyte Extension: https://github.com/Infocyte/extensions/blob/master/official/collection/rdp_triage.lua
  • 16. Securing Publicly Available Services
    Every IP on the internet is being bombarded by malicious requests...
    Required security features for globally accessible services:
    • SSL certificates for authentication (verifies the endpoint)
    • Transport encryption (i.e. HTTPS/TLS)
      – Note: RDP is already encrypted, so an HTTPS wrapper is mostly redundant
    • Brute force mitigation (i.e. IP auto-blocker on failed auth or malformed requests)
    • Multi-factor authentication
    • DDoS protection (i.e. Cloudflare) [Recommended]
  • 17. RDP Can Be Secured
    RDP can be an acceptable and secure remoting solution if configured correctly...
    Recommendations:
    • Enforce Network Level Authentication (DOUBLEPULSAR no like) on enabled clients
    • Use an RDP Gateway solution (RD Gateway role on Windows Server)
      – Requires a valid SSL certificate
      – DO NOT self-sign certificates (unless you hate your users and/or your helpdesk)
    • Enforce Two-Factor Authentication (2FA)
    • IP-restrict the RD Gateway, or restrict it to VPN if you can't enable 2FA
    Guide: https://turbofuture.com/computers/How-To-Setup-a-Remote-Desktop-Gateway-Windows-Server-2016
    Azure MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
  • 18. Network Level Authentication (NLA)
    NLA completes user authentication before establishing the RD connection (before the logon screen appears).
    Not foolproof, but many pre-auth vulns are rendered useless.
    Configuration: Easy
    • Requires Windows hosts AND clients with RDC version 6.0+ (Windows Vista+)
      – Some Linux & OSX 3rd-party clients have support
      – Default on Windows 10 / Server 2012R2+
    https://social.technet.microsoft.com/wiki/contents/articles/5490.configure-network-level-authentication-for-remote-desktop-services-connections.aspx
  • 19. Securing RDP - Reality
    "A service is only as secure as it is convenient to do so" - Overheard at a con
    Reality Check:
    • Fully securing RDP is a royal pain for most SMBs
      – RDP Gateway + NPS Policy Server + RADIUS?
      – Purchase an SSL certificate?
    • Can we all just block RDP? The trend is against us... Thanks, dude…
  • 20. Commercial Solutions
    https://duo.com/docs/rdgateway
    Duo has one of the easiest to implement RD Gateway solutions I've seen:
    • Automatic 2FA
    • Auth Gateway
    Azure AD MFA works but is far more difficult to implement. AWS also has a solution (but I haven't tried it).
  • 21. QUESTIONS
    Chris Gerritz, Co-Founder, Infocyte
    cgerritz@Infocyte.com
    Twitter: @gerritzc @InfocyteInc
    The Weapon of Choice for Incident Responders - www.infocyte.com