Hunting Through RDP Data (BroCon 2015, Josh Liburdi) - PowerPoint PPT Presentation


  1. Hunting Through RDP Data. BroCon 2015, Josh Liburdi

  2. Quick Introduction
     Currently: Senior Consultant at CrowdStrike
     Previously: Large-scale detection at a Fortune 5 company
     Bro user for 2+ years
     Focus on network forensics and incident response
     Twitter: @jshlbrd

  3. Goals For This Talk
     - You'll learn something new about RDP
     - You'll see one of the newest Bro analyzers in action
     - You'll leave with some useful methods to find bad guys in your network

  4. What's the Deal with RDP?

  5. RDP Key Points
     - Enables remote system access across the network
     - Connection is encrypted
     - Definitely being used in your organization

  6. Why I'm talking about RDP: Bro 2.4 has an RDP analyzer!

  7. Why this analyzer exists

  8. Protocol Details

  9. Protocol Details: RDP connection sequence
     Everything that happens over TCP -> we care about a very small part of this:
     - Connection Initiation
     - Basic Settings Exchange

  10. Protocol Details: X.224 Connection Request (C)
      Client initiates the connection
      - Client-supported security protocols
      - Connection correlation identifier
      - Optional routing token / cookie

  11. Protocol Details: X.224 Connection Confirm (S)
      Server responds to the connection initiation
      - Successful? Server-selected protocol
      - Unsuccessful? Reason the request failed

  12. Protocol Details: MCS Connect Initial (C)
      Client sends settings data
      - Client computer name
      - Keyboard language settings
      - RDP client version

  13. Protocol Details: MCS Connect Response (S)
      Server sends response settings data
      - RDP server version
      - Encryption method and level
      - Server certificate

  14. Protocol Challenges

  15. Protocol Challenges: Encryption!
      No cookie == no identifiable packet data

  16. Protocol Challenges: Data availability!
      Most forensically useful metadata is optional
      - Cookie
      - Client computer name

  17. Protocol Challenges: Cookies!
      Length ranges from 9 to ~127 characters
      Introduces 'user collision': multiple users appear to be one user
          Full name                   Cookie
          15 chars: DOMAIN\samantha   09 chars: DOMAIN\sa
          12 chars: DOMAIN\sally      09 chars: DOMAIN\sa
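As an added example (not code from the talk), the following Python parses the X.224 Connection Request from slide 10 out of its TPKT frame and pulls out the two things a sensor can see before encryption starts: the optional mstshash cookie (slides 16 and 17) and the client's requested security protocols. The request bytes are constructed here, and cookie_user() applies the 9-character truncation shown on slide 17 to reproduce the user-collision problem.

```python
import struct

# requestedProtocols flags in the RDP Negotiation Request; 0 means standard RDP security.
PROTOCOL_FLAGS = {0x1: "TLS", 0x2: "CredSSP"}

def build_x224_cr(user, protocols=0):
    """Build a TPKT + X.224 Connection Request carrying an mstshash cookie.
    Constructed test input, not a capture; real clients may omit the cookie."""
    cookie = b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n"
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # TYPE_RDP_NEG_REQ
    body = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + neg_req   # CR code, dst/src refs, class
    x224 = bytes([len(body)]) + body                           # LI counts everything after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT: version 3, length

def parse_x224_cr(data):
    """Return the cookie and requested protocols from a Connection Request,
    or raise ValueError if the bytes are not a well-formed one."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li = data[4]
    if tpkt_len != len(data) or 5 + li != len(data) or data[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    var = data[11:]                      # variable part after the 7-byte fixed header
    cookie = None
    if var.startswith(b"Cookie: mstshash="):
        end = var.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        cookie = var[17:end].decode("ascii", "replace")
        var = var[end + 2:]
    protocols = None
    if len(var) >= 8 and var[0] == 0x01:    # optional rdpNegReq follows the cookie
        _, _, length, flags = struct.unpack("<BBHI", var[:8])
        if length == 8:
            protocols = [n for b, n in PROTOCOL_FLAGS.items() if flags & b] or ["RDP"]
    return {"cookie": cookie, "requested_protocols": protocols}

def cookie_user(domain_user, limit=9):
    """Truncate DOMAIN\\user the way slide 17 shows (9-character cookie), so
    DOMAIN\\samantha and DOMAIN\\sally both become DOMAIN\\sa: user collision."""
    return domain_user[:limit]
```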

  18. Identifying RDP

  19. Identifying RDP: In the raw

  20. Identifying RDP: Detection strings

  21. Identifying RDP: Detection strings++

  22. Identifying RDP: Detection strings++

  23. Identifying RDP: Detection strings++

  24. Identifying RDP: Detection strings++

  25. Identifying RDP: <= Bro 2.3
      event connection_state_remove(c: connection)
          {
          if ( c$id$resp_p == 3389/tcp &&
               c$conn$orig_bytes >= 1000 &&
               c$conn$resp_bytes >= 1000 )
              print "found RDP?";
          }

  26. Identifying RDP: <= Bro 2.3++
      signature dpd_rdp_client {
          ip-proto == tcp
          # Client request
          payload /.*(Cookie: mstshash\=|Duca.*(rdpdr|rdpsnd|drdynvc|cliprdr))/
          requires-reverse-signature dpd_rdp_server
          enable "rdp"
      }

      signature dpd_rdp_server {
          ip-proto == tcp
          payload /(.{5}\xd0|.*McDn)/
      }
      (Actually the dpd.sig for RDP in Bro 2.4)

  27. Identifying RDP: The Problem (until now)
      - Network detection isn't useful
      - Network detection doesn't scale
      - Detecting RDP on the network wastes analyst time

  28. Identifying RDP: Bro 2.4
      cookie: A70067
      keyboard_layout: English - United States
      client_build: RDP 5.1
      client_hostname: ISD2-KM84178
      desktop_width: 1152
      desktop_height: 864
      result: Success
      security_protocol: RDP
      encryption_level: High
      encryption_method: 128bit

  29. Identifying RDP: Analyzer caveats
      It's not magic
      - Won't identify RDP over SSL
      - Won't identify RDP over SSH
      It's most useful when monitoring internal-to-internal sites
      "Success" != successful authentication
      - Still need to validate with non-network data

  30. RDP Hunting

  31. RDP Hunting: A quick note on hunting ...
      Hunting is a proactive approach to identifying threats on the network
      It gives you the opportunity to identify new types or new variants of threats
      Many things affect your ability to hunt
      - Knowledge
      - Skillset
      - Toolset
      - Leadership

  32. RDP Hunting: A Quicker Note on RDP Metadata
      You have to hunt through it
      - IOCs (IP addresses) won't help you
      - IDS alerts will waste your time

  33. RDP Hunting: Bro Hunting Methods
      Stacking
      - Simple outlier analysis
      - Complex outlier analysis
      Tracking
      - Using inside knowledge to identify attacker activity
      Timelines
      - Monitoring activity across a distinct range of time

  34. RDP Hunting: Simple Stacking
      Primary use: identify new users and computers in the network
      Identify new users in the network
          bro-cut cookie < rdp.log | sort | uniq -c | sort -n
      Identify new computers in the network
          bro-cut client_name < rdp.log | sort | uniq -c | sort -n

  35. RDP Hunting: Complex Stacking
      Primary use: identify scanning and worms, compromised user accounts
      Identify users connecting to a high number of systems
          sourcetype=bro source=*rdp* cookie=*
          | stats dc(dest_ip) AS dc_dest_ip by cookie

  36. RDP Hunting: Complex Stacking++
      Identify multiple users on a single computer
          sourcetype=bro source=*rdp* client_name=* cookie=*
          | stats values(cookie) dc(cookie) AS dc_cookie by client_name
          | where dc_cookie > 1

  37. RDP Hunting: Tracking
      Primary use: identify lateral movement
      Dependencies
      - Knowledge of the network and organization
      - Accessible, organized data

  38. RDP Hunting: Tracking++
      Scenario
      - Sensor A monitors traffic between business units X and Y
      - Net block B belongs to business unit X
      - Net block C belongs to business unit Y
      - RDP between the two is uncommon
      - Business unit Y develops high-value projects

  39. RDP Hunting: Tracking++
      Identify users accessing abnormal sections of the network
          sourcetype=bro source=*rdp* cookie=* sensor=a
            ( tag::src_ip=nb_b tag::dest_ip=nb_c ) OR ( tag::src_ip=nb_c tag::dest_ip=nb_b )
          | stats count by src_ip,dest_ip,cookie

  40. RDP Hunting: Tracking++
      Identify computers accessing abnormal sections of the network
          sourcetype=bro source=*rdp* client_name=* sensor=a
            ( tag::src_ip=nb_b tag::dest_ip=nb_c ) OR ( tag::src_ip=nb_c tag::dest_ip=nb_b )
          | stats count by src_ip,dest_ip,client_name

  41. RDP Hunting: Timelines
      Primary use: identify anomalous access
      Effective use is dependent on how much data you have
      - Search all computers vs. a single computer
      Identify access time by computer
          sourcetype=bro source=*rdp* client_name=*
          | timechart useother=F span=1hr count by client_name

  42. Case Studies

  43. Case Studies: Scanning / Worms
      Fairly easy to identify when hunting: they're noisy
      Found by stacking cookie X id.resp_h
      - Look for users connecting to a high number of systems
      Especially useful if you isolate events into periods of time
      - User A connected to N systems in T minutes
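As an added example (not code from the talk), the checks from slides 35, 36 and 43 are run here in Python over a constructed Bro-style rdp.log excerpt instead of Splunk: distinct destinations per cookie, client names that carry more than one cookie, and the "user A connected to N systems in T minutes" fan-out test. Every timestamp, address, cookie and client name in the excerpt is made up.

```python
from collections import defaultdict
# Constructed rdp.log excerpt in Bro TSV format (only the fields used here); every value is made up.
RDP_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tcookie\tclient_name\n"
    "1443600000.0\t10.1.1.5\t10.2.0.10\tDOMAIN\\sa\tWS-ALICE\n"
    "1443600030.0\t10.1.1.5\t10.2.0.11\tDOMAIN\\sa\tWS-ALICE\n"
    "1443600060.0\t10.1.1.5\t10.2.0.12\tDOMAIN\\sa\tWS-ALICE\n"
    "1443603600.0\t10.1.1.9\t10.2.0.10\tDOMAIN\\bob\tWS-BOB\n"
    "1443607200.0\t10.1.1.9\t10.2.0.10\tDOMAIN\\carol\tWS-BOB\n"
    "1443610800.0\t10.1.1.20\t10.3.0.5\t-\tLAB-1\n"
)

def parse_rdp_log(text):
    """Bro TSV with a #fields header -> list of dicts; rows whose cookie is unset ('-') are dropped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return [r for r in rows if r["cookie"] != "-"]

def dests_per_cookie(rows):
    """Slide 35: number of distinct id.resp_h per cookie (dc(dest_ip) by cookie)."""
    dests = defaultdict(set)
    for r in rows:
        dests[r["cookie"]].add(r["id.resp_h"])
    return {c: len(d) for c, d in dests.items()}

def shared_client_names(rows):
    """Slide 36: client_name values that carry more than one cookie (dc_cookie > 1)."""
    cookies = defaultdict(set)
    for r in rows:
        cookies[r["client_name"]].add(r["cookie"])
    return {n: c for n, c in cookies.items() if len(c) > 1}

def fanout_in_window(rows, n, seconds):
    """Slide 43: cookies that reached at least n distinct systems within any window of `seconds`."""
    events = defaultdict(list)
    for r in rows:
        events[r["cookie"]].append((float(r["ts"]), r["id.resp_h"]))
    hits = {}
    for cookie, evs in events.items():
        evs.sort()                                   # log order is not guaranteed to be time order
        for i, (t0, _) in enumerate(evs):
            seen = {h for t, h in evs[i:] if t - t0 <= seconds}
            if len(seen) >= n:
                hits[cookie] = len(seen)
                break
    return hits
```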

  44. Case Studies: Scanning / Worms++
      One week of RDP activity
          cookie                     uniq # id.resp_h
          rdp_logon_screen.nbin      1384
          os_fingerprint_rdp.nbin    1375
          Administr                  253
                                     30
          a                          25
      Note: the search from slide 34 can identify this activity

  45. Case Studies: Scanning / Worms++
      One week of RDP activity
          cookie[count]                   threat
          rdp_logon_screen.nbin[1384]     Nessus
          os_fingerprint_rdp.nbin[1375]   Nessus
          Administr[253]                  Collision
          [30]                            ???
          a[25]                           Morto worm

  46. Case Studies: Remote Attacker Access
      Identifying inbound attacker access w/ RDP metadata is a difficult game to win
      Monitoring VPN nodes is the best chance to identify remote attackers
      Scenario
      - Single-factor VPN
      - Dealing with potentially compromised user accounts

  47. Case Studies: Remote Attacker Access++
      Identified attacker connecting to the network via VPN
      Found by tracking inbound connections between 2:00 and 12:00 UTC
          #fields  keyboard_type  keyboard_layout          client_build  client_name    client_dig_product_id    desktop_width  desktop_height
                   Japanese       English - United States  RDP 7.1       <client_name>  <client_dig_product_id>  1576           928
                   Japanese       English - United States  RDP 5.2       <client_name>  (empty)                  1576           928
                   Japanese       English - United States  RDP 5.2       <client_name>  (empty)                  1576           928
                   Japanese       English - United States  RDP 7.1       <client_name>  <client_dig_product_id>  1576           928

  48. Case Studies: Remote Attacker Access++
      Couldn't rely on the attacker always connecting from the same VPN node
      Could rely on client_name, desktop_width, and desktop_height remaining the same
          #fields  keyboard_type  keyboard_layout          client_build  client_name    client_dig_product_id    desktop_width  desktop_height
                   Japanese       English - United States  RDP 7.1       <client_name>  <client_dig_product_id>  1576           928
                   Japanese       English - United States  RDP 5.2       <client_name>  (empty)                  1576           928
                   Japanese       English - United States  RDP 5.2       <client_name>  (empty)                  1576           928
                   Japanese       English - United States  RDP 7.1       <client_name>  <client_dig_product_id>  1576           928

  49. Questions?

  50. References
      » https://msdn.microsoft.com/en-us/library/Cc240452.aspx
      » https://msdn.microsoft.com/en-us/library/cc240469.aspx
      » http://www.snakelegs.org/2011/02/06/rdp-cookies-2/
