Blog Post

Microsoft Defender for Endpoint Blog

3 MIN READ

Detect compromised RDP sessions with Microsoft Defender for Endpoint

Microsoft

Aug 05, 2024

Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victims’ networks and leveraging intelligence and social engineering. One of the most common tools human operators use is Remote Desktop Protocol (RDP), which gives attackers not only control, but also Graphical User Interface (GUI) visibility on remote computers. As RDP is such a popular tool in human operated attacks, it allows defenders to use the RDP context as a strong incriminator of suspicious activities. And therefore, detect Indicators of Compromise (IOCs) and act on them.

That’s why today Microsoft Defender for Endpoint is enhancing the RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer provides you with more details into the RDP session within the context of the activity initiated, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.

Remote session information

The new layer adds 8 extra fields, represented as new columns in Advanced Hunting, expands the schema across various tables. These columns enrich process information by including session details, augmenting the contextual data related to remote activities.

InitiatingProcessSessionId - Windows session ID of the initiating process
CreatedProcessSessionId - Windows session ID of the created process
IsInitiatingProcessRemoteSession - Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
IsProcessRemoteSession - Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false).
InitiatingProcessRemoteSessionDeviceName -  Device name of the remote device from which the initiating process’s RDP session was initiated.
ProcessRemoteSessionDeviceName - Device name of the remote device from which the created process’s RDP session was initiated.
InitiatingProcessRemoteSessionIP - IP address of the remote device from which the initiating process’s RDP session was initiated.
ProcessRemoteSessionIP - IP address of the remote device from which the created process’s RDP session was initiated.

The data will be available in the following tables:

Table Name	Initiating process	Created Process
DeviceEvents	Yes	Yes, where relevant
DeviceProcessEvents	Yes	Yes
DeviceFileEvents	Yes	No
DeviceImageLoadEvents	Yes	No
DeviceLogonEvents	Yes	No
DeviceNetworkEvents	Yes	No
DeviceRegistryEvents	Yes	No

Detect human-operated ransomware attacks that use RDP

Defender for Endpoint machine learning models use data from remote sessions to identify patterns of malicious activity. They assess user interactions with devices via RDP by examining more than 100 characteristics and apply a machine learning classifier to determine if the behavior is consistent with hands-on-keyboard-based attacks.

Image 1: Ransomware attack incident investigation

Detect suspicious RDP sessions

Another model uses remote session information to identify suspicious remote sessions. Outlined below is an example of a suspect RDP session where harmful tools, commonly used by attackers in ransomware campaigns and other malicious activities, are deployed, setting off a high-severity alert.

This context is also available in Advanced Hunting for custom detection and investigation purposes.

An Advanced Hunting query can be used to display all processes initiated by a source IP during an RDP session. This query can be adjusted to fit all the supported tables.

DeviceProcessEvents

| where Timestamp >= ago(1d)

| where IsInitiatingProcessRemoteSession == "True"

| where InitiatingProcessRemoteSessionIP == "X.X.X.X" // Insert your IP Address here

| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine

Another query can be used to highlight actions performed remotely by a compromised account. This query can be adjusted to fit all the supported tables.

DeviceProcessEvents

| where Timestamp >= ago(7d)

| where InitiatingProcessAccountSid == "SID" // Insert the compromised account SID here

| where IsInitiatingProcessRemoteSession == "True"

| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine

You can also hunt for tampering attempts. Conducting this remotely across numerous devices can signal a broad attempt at tampering prior to an attack being launched.

DeviceRegistryEvents

| where Timestamp >= ago(7d)

| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"

| where RegistryValueName == "DisableAntiSpyware"

| where RegistryValueType == "Dword"

| where RegistryValueData == 1

| where IsInitiatingProcessRemoteSession == true

Comprehensive endpoint security 
 
The ability to identify malicious use of RDP in Defender for Endpoint gives admins more granular visibility and control over detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape. 

For more information:  

Learn more about Advanced Hunting in Microsoft Defender XDR: Overview - Advanced hunting | Microsoft Learn

Learn more about Defender for Endpoint: Microsoft Defender for Endpoint | Microsoft Security

Not a Defender for Endpoint customer? Start a free trial today.

Updated Aug 02, 2024

Version 1.0

SaarCohen

Microsoft

Joined May 05, 2023

View Profile

Microsoft Defender for Endpoint Blog

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Defender for Endpoint by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Microsoft Privacy Statement

MikeP751860
Brass Contributor
Nov 01, 2024
Hi SaarCohen,

The Sentinel analytic rule for 'Rare RDP Connections' can be a noisy rule but we exclude the AVD hosts otherwise it would be worse. Still need to review the code to see if we can improve on it. I think we look over a 14 day period for previous RDP events to help reduce the noise.

Would be nice to get a better understanding what Defender XDR can do out of the box vs Sentinel analytic rules from the content hub. Something I feel we might be duplicating monitoring with Defender XDR better as suppressing the noise.
SaarCohen
Microsoft
Oct 29, 2024
MikeP751860 I don't have much to say about RDP nesting at the moment.

How are you using Sentinel analytic rules to reason "rare" RDP connections? 🙂
If so, can you do the same with Custom Detections Rules (In the XDR portal)?

For suspicious RDP session we consider additional incriminating factors, an anomaly or rarity alone typically doesn't trigger an alert. We can consider that though.
SaarCohen
Microsoft
Oct 29, 2024
Henk_-_Simac_IT_NL, "Suspicious RDP session" alerts are generally not blocked by default unless Automatic Attack Disruption initiates an automated response to mitigate the threat, such as identity containment.

When Automatic Attack Disruption contains an identity, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic for specific attack-related protocols (network logons, RPC, SMB, RDP), terminate ongoing remote sessions, and log off existing RDP connections (including all related processes).

As mentioned, this does not apply to all alerts/incidents, but for those deemed appropriate and considered a high-certainty True Positive, Automatic Attack Disruption will be triggered.

You can learn more about Automatic Attack Disruption here: Automatic attack disruption in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn.

And specifically, about user containment here: Take response actions on a device in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

Regarding "good mitigation", every alert comes with "Alert recommended actions" section. Like so:

In words:

"1. Isolate the affected devices and investigate to see which credentials were used to launch the process. 2. Since the attacker frequently enters via RDP brute force, check for internet-facing devices with exposed RDP. Ensure that internet-facing systems are hardened and have strong and randomized local admin passwords. 3. Check RDP settings and registry keys on systems to ensure they have not been changed by the attack to maintain persistence. 4. Investigate credential exposure on devices used by the attacker to ensure all accounts that could have been compromised by the attacker are known. Consider these accounts compromised. Reset passwords or decommission the accounts. 5. Search for additional malware backdoors such as reverse proxies on systems accessed by the attacker, on affected devices. 6. Contact your incident response team. If you don't have one, contact Microsoft support for forensic analysis and remediation services."

Naturally, the most effective mitigation strategy will vary based on the specific threat and context. While the recommendations provided above may not be universally applicable, they are intended to guide you in the right direction.

Hope that helps.
Henk_-_Simac_IT_NL
Copper Contributor
Oct 25, 2024
SaarCohen Are these detections blocked by default or what would be a good mitigation for blocking this from Defender for Endpoint?
MikeP751860
Brass Contributor
Sep 09, 2024
Thanks SaarCohen, any word on possible detections within Defender XDR for RDP Nesting? Maybe include other detections like rare RDP connection so I can kill off the Sentinel analytic rules 🙂
SaarCohen
Microsoft
Sep 09, 2024
MikeP751860 , we are working on a fix. Please expect this issue to be resolved by the end of September.
MikeP751860
Brass Contributor
Aug 30, 2024
Recently found out the Sentinel Defender XDR connector isn't pulling in the additional fields so anyone RDP Nesting custom rules would need to be in Defender 😞

Wrote this KQL for it but no time to test it yet.

(DeviceNetworkEvents
| where IsInitiatingProcessRemoteSession == "True" and ActionType has "ConnectionSuccess"
| where RemotePort == "389"
| project FirstHop = Timestamp, FirstDeviceName=DeviceName, FirstLocalIP=LocalIP, FirstRemoteURL=RemoteUrl, FirstRemoteIP=RemoteIP, Account=InitiatingProcessAccountName, AccountUPN=InitiatingProcessAccountUpn, FirstRemoteSessionDeviceName=InitiatingProcessRemoteSessionDeviceName, FirstRemoteSessionIP=InitiatingProcessRemoteSessionIP
)
| join kind=inner (
DeviceNetworkEvents
| where IsInitiatingProcessRemoteSession == "True" and ActionType has "ConnectionSuccess"
| where RemotePort == "389"
| project SecondHop = Timestamp, SecondDeviceName=DeviceName, SecondLocalIP=LocalIP, SecondRemoteURL=RemoteUrl, SecondRemoteIP=RemoteIP, Account=InitiatingProcessAccountName, AccountUPN=InitiatingProcessAccountUpn, SecondRemoteSessionDeviceName=InitiatingProcessRemoteSessionDeviceName, SecondRemoteSessionIP=InitiatingProcessRemoteSessionIP
) on Account
| where FirstRemoteSessionDeviceName != SecondRemoteSessionDeviceName
| project-reorder Account, AccountUPN, FirstHop, SecondHop, FirstRemoteSessionDeviceName, FirstRemoteSessionIP, FirstDeviceName, FirstLocalIP, SecondRemoteSessionDeviceName, SecondRemoteSessionIP, SecondDeviceName, SecondLocalIP
| project-away Account1, AccountUPN1
| where SecondRemoteSessionDeviceName has FirstDeviceName and SecondHop > FirstHop
| where SecondHop <= FirstHop+30m
MikeP751860
Brass Contributor
Aug 12, 2024
Would be interesting to see if this could help with detection of RDP nesting.
Philost
Brass Contributor
Aug 08, 2024
Hey SaarCohen - thank you to you and the team for this new insight and alerting. Another important string in the bow for defenders.
SaarCohen
Microsoft
Aug 08, 2024
tseppala, good point. We’ll take it into account, but as far as I’m aware, it’s not planned for the near future. For now, the supported tables are limited to those mentioned in the blog.