Detect compromised RDP sessions with Microsoft Defender for Endpoint
Published Aug 05 2024 08:20 AM
Microsoft

Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victims’ networks and leveraging intelligence and social engineering. One of the most common tools human operators use is Remote Desktop Protocol (RDP), which gives attackers not only control of remote computers but also Graphical User Interface (GUI) visibility into them. Because RDP is so popular in human-operated attacks, defenders can use the RDP context as a strong incriminator of suspicious activity, and therefore detect Indicators of Compromise (IOCs) and act on them.

That’s why today Microsoft Defender for Endpoint is enhancing its RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer gives you more detail about the RDP session within the context of the activity it initiated, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.

Remote session information

The new layer adds 8 extra fields, represented as new columns in Advanced Hunting, and expands the schema across several tables. These columns enrich process information with session details, adding context to remote activities.

  1. InitiatingProcessSessionId - Windows session ID of the initiating process
  2. CreatedProcessSessionId - Windows session ID of the created process
  3. IsInitiatingProcessRemoteSession - Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
  4. IsProcessRemoteSession - Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false).
  5. InitiatingProcessRemoteSessionDeviceName - Device name of the remote device from which the initiating process’s RDP session was initiated.
  6. ProcessRemoteSessionDeviceName - Device name of the remote device from which the created process’s RDP session was initiated.
  7. InitiatingProcessRemoteSessionIP - IP address of the remote device from which the initiating process’s RDP session was initiated.
  8. ProcessRemoteSessionIP - IP address of the remote device from which the created process’s RDP session was initiated.

The data will be available in the following tables:

Table Name              Initiating process   Created process
DeviceEvents            Yes                  Yes, where relevant
DeviceProcessEvents     Yes                  Yes
DeviceFileEvents        Yes                  No
DeviceImageLoadEvents   Yes                  No
DeviceLogonEvents       Yes                  No
DeviceNetworkEvents     Yes                  No
DeviceRegistryEvents    Yes                  No

Detect human-operated ransomware attacks that use RDP

Defender for Endpoint machine learning models use data from remote sessions to identify patterns of malicious activity. They assess user interactions with devices via RDP by examining more than 100 characteristics and apply a machine learning classifier to determine whether the behavior is consistent with hands-on-keyboard attacks.

Image 1: Ransomware attack incident investigation

Detect suspicious RDP sessions

Another model uses remote session information to identify suspicious remote sessions. Outlined below is an example of a suspect RDP session where harmful tools, commonly used by attackers in ransomware campaigns and other malicious activities, are deployed, setting off a high-severity alert.  


This context is also available in Advanced Hunting for custom detection and investigation purposes.  

An Advanced Hunting query can be used to display all processes initiated by a source IP during an RDP session. This query can be adjusted to fit all the supported tables. 

DeviceProcessEvents
| where Timestamp >= ago(1d)
| where IsInitiatingProcessRemoteSession == true
| where InitiatingProcessRemoteSessionIP == "X.X.X.X" // Insert your IP Address here
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine

 

Another query can be used to highlight actions performed remotely by a compromised account. This query can be adjusted to fit all the supported tables. 

DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessAccountSid == "SID" // Insert the compromised account SID here
| where IsInitiatingProcessRemoteSession == true
| project InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine
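The two queries above pivot on a single source IP or a single account SID. The following query is an added example, not part of the original post, that uses the same new columns to correlate each successful RDP logon recorded in DeviceLogonEvents with the processes that DeviceProcessEvents attributes to that session, so every remote logon is listed alongside the tools it launched on the device. The lookback period, the session window, and the device-name and account matching are assumptions to tune for your environment; LogonType, ActionType, RemoteIP, RemoteDeviceName and AccountSid are standard DeviceLogonEvents columns.

```kusto
// Added example (not from the original post): list what each RDP logon went on to run.
// Assumptions: a 7-day lookback and a 4-hour window after the logon are reasonable bounds.
let lookback = 7d;
let sessionWindow = 4h;
// Successful interactive RDP logons, keyed by device, account and source.
let RdpLogons =
    DeviceLogonEvents
    | where Timestamp >= ago(lookback)
    | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
    | project DeviceId, DeviceName, LogonTime = Timestamp, AccountSid, AccountName, RemoteIP, RemoteDeviceName;
// Processes whose parent ran inside an RDP session, joined back to the logon that opened it.
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where IsInitiatingProcessRemoteSession == true
| project DeviceId, ProcTime = Timestamp, InitiatingProcessAccountSid,
          InitiatingProcessRemoteSessionIP, InitiatingProcessFileName, FileName, ProcessCommandLine
| join kind=inner (RdpLogons) on DeviceId,
    $left.InitiatingProcessAccountSid == $right.AccountSid,
    $left.InitiatingProcessRemoteSessionIP == $right.RemoteIP
// Only keep processes started within the assumed session window after the logon.
| where ProcTime between (LogonTime .. (LogonTime + sessionWindow))
| summarize ProcessCount = count(),
            Tools = make_set(FileName, 50),
            FirstProcess = min(ProcTime),
            LastProcess = max(ProcTime)
    by DeviceName, AccountName, RemoteIP, RemoteDeviceName, LogonTime
| order by LogonTime desc
```

Because the join keys include both the account SID and the session source IP, a logon by the same account from a different host does not absorb another session's processes. Raise or lower sessionWindow if your users keep RDP sessions open for longer than a few hours.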

 

You can also hunt for tampering attempts. Disabling protection remotely across numerous devices can signal a broad tampering effort that precedes an attack being launched.

DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
| where RegistryValueName == "DisableAntiSpyware"
| where RegistryValueType == "Dword"
| where RegistryValueData == "1"
| where IsInitiatingProcessRemoteSession == true
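The tampering query above returns one row per registry write. The following query is an added example, not from the original post, that aggregates those writes by the source of the remote session, so a single source that disables Defender on several devices stands out from a one-off change; the device threshold is an assumed value to tune for your environment.

```kusto
// Added example (not from the original post): surface remote sessions that disable Defender
// on many devices, which the post describes as a precursor to an attack.
let threshold = 3;   // assumption: distinct devices touched by one source before it is worth a look
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where RegistryKey == "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
| where RegistryValueName == "DisableAntiSpyware"
| where RegistryValueType == "Dword" and RegistryValueData == "1"
| where IsInitiatingProcessRemoteSession == true
// Group by the remote device that opened the RDP session rather than by the device being changed.
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            DevicesTouched = dcount(DeviceId),
            Devices = make_set(DeviceName, 100),
            Accounts = make_set(InitiatingProcessAccountSid, 20),
            Initiators = make_set(InitiatingProcessFileName, 20)
    by InitiatingProcessRemoteSessionIP, InitiatingProcessRemoteSessionDeviceName
| where DevicesTouched >= threshold
| order by DevicesTouched desc
```

The Devices and Accounts sets give you the scope of the change at a glance, and FirstSeen and LastSeen show how quickly it was rolled across the fleet; a short gap over many devices reads more like a scripted sweep than an administrator working through tickets.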


Comprehensive endpoint security  

The ability to identify malicious use of RDP in Defender for Endpoint gives admins more granular visibility and control over detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape.  

For more information: 

Last update: Aug 01 2024 05:24 PM