Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victims’ networks and leveraging intelligence and social engineering. One of the most common tools human operators use is Remote Desktop Protocol (RDP), which gives attackers not only control, but also Graphical User Interface (GUI) visibility on remote computers. As RDP is such a popular tool in human operated attacks, it allows defenders to use the RDP context as a strong incriminator of suspicious activities. And therefore, detect Indicators of Compromise (IOCs) and act on them.
That’s why today Microsoft Defender for Endpoint is enhancing the RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer provides you with more details into the RDP session within the context of the activity initiated, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.
Remote session information
The new layer adds 8 extra fields, represented as new columns in Advanced Hunting, expands the schema across various tables. These columns enrich process information by including session details, augmenting the contextual data related to remote activities.
The data will be available in the following tables:
Table Name |
Initiating process |
Created Process |
DeviceEvents |
Yes |
Yes, where relevant |
DeviceProcessEvents |
Yes |
Yes |
DeviceFileEvents |
Yes |
No |
DeviceImageLoadEvents |
Yes |
No |
DeviceLogonEvents |
Yes |
No |
DeviceNetworkEvents |
Yes |
No |
DeviceRegistryEvents |
Yes |
No |
Detect human-operated ransomware attacks that use RDP
Defender for Endpoint machine learning models use data from remote sessions to identify patterns of malicious activity. They assess user interactions with devices via RDP by examining more than 100 characteristics and apply a machine learning classifier to determine if the behavior is consistent with hands-on-keyboard-based attacks.
Detect suspicious RDP sessions
Another model uses remote session information to identify suspicious remote sessions. Outlined below is an example of a suspect RDP session where harmful tools, commonly used by attackers in ransomware campaigns and other malicious activities, are deployed, setting off a high-severity alert.
This context is also available in Advanced Hunting for custom detection and investigation purposes.
An Advanced Hunting query can be used to display all processes initiated by a source IP during an RDP session. This query can be adjusted to fit all the supported tables.
DeviceProcessEvents
| where Timestamp >= ago(1d)
| where IsInitiatingProcessRemoteSession == "True"
| where InitiatingProcessRemoteSessionIP == "X.X.X.X" // Insert your IP Address here
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine
Another query can be used to highlight actions performed remotely by a compromised account. This query can be adjusted to fit all the supported tables.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessAccountSid == "SID" // Insert the compromised account SID here
| where IsInitiatingProcessRemoteSession == "True"
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine
You can also hunt for tampering attempts. Conducting this remotely across numerous devices can signal a broad attempt at tampering prior to an attack being launched.
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
| where RegistryValueName == "DisableAntiSpyware"
| where RegistryValueType == "Dword"
| where RegistryValueData == 1
| where IsInitiatingProcessRemoteSession == true
Comprehensive endpoint security
The ability to identify malicious use of RDP in Defender for Endpoint gives admins more granular visibility and control over detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape.
For more information:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.