{"id":24195,"date":"2024-03-20T11:21:54","date_gmt":"2024-03-20T19:21:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17925\/"},"modified":"2024-03-20T11:21:54","modified_gmt":"2024-03-20T19:21:54","slug":"news-17925","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17925\/","title":{"rendered":"Remote Desktop Protocol: How to Use Time Zone Bias"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:13:08 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\" width=\"100%\" height=\"420\">\n<p><span data-contrast=\"auto\">Most defenders are familiar with how to find and look for suspicious RDP lateral movement, whether that means looking based on known-compromised users or on an alert from antimalware or EDR protections associated with a specific user. You\u2019re starting to pivot from the initial notice that something\u2019s wrong; now what?<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"100%\" height=\"420\" src=\"https:\/\/www.youtube.com\/embed\/gaq46NUkOyA?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\" frameborder=\"0\"><\/iframe><\/span><\/p>\n<p><span data-contrast=\"auto\">Examining the logs to check account-activity timestamps is a typical way to spot odd behavior \u2013 for example, James-from-the-head-office connecting to a domain controller at 3 a.m., when he typically only accesses the Sage servers, and those only during business hours. 
However, there\u2019s more to know about logins \u2013 not just when the activity occurred, but the time zone from which the activity originated. This is known as the bias, and it\u2019s captured on modern (Windows 10 \/ Server 2016 and later) versions of Microsoft\u2019s operating system. Event ID 104 is available in the Microsoft Windows Remote Desktop Services RDP Core TS Operational event log.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">What does the defender see?<\/span><\/b><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As one might expect from the name, this event logs the time-zone bias from UTC of the machine making the connection. Since you probably already know the time zone(s) your users would normally be logging in from, seeing deviations from that zone can help you identify suspicious RDP connections, simply because they\u2019re not coming from the part of the planet they should be.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Taking James as our example again, let\u2019s say James is based in London and that you\u2019re investigating suspicious activity in the early months of the year. In January or February, the time-zone bias for James would be zero hours UTC, so if James is using RDP to connect to the network for whatever reason, the client time bias you should see on his logins is [0]. If, suddenly, you start seeing client time zone biases of [-8], or [6], or other values that differ from the norm for James, that could help you spot potentially suspicious RDP connections, or at minimum more questions worth asking. (Is he traveling? 
Was his machine stolen?)<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Let&#8217;s take an example where a user&#8217;s credentials have been phished, the attacker&#8217;s logged into the VPN &#8212; because you don&#8217;t have MFA enabled, though you know you should &#8212; and they start accessing devices using RDP. You would then start to see the time zone of that attacker machine for those access events.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">There\u2019s no single query that magically delivers every answer, and this one\u2019s no exception. For instance, attackers often run their machines on hosts located in various time zones, in which they may or may not be physically located. Still, those time zones are likely to differ from the normal time zones for <\/span><i><span data-contrast=\"auto\">your<\/span><\/i><span data-contrast=\"auto\"> users.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Another potential weakness lies in false positives; if your organization operates in a way that makes it hard to discern what a \u201cnormal\u201d time zone looks like, it may be harder for you to pinpoint the difference between signal and noise. Finally, false negatives are a possibility; the event records the time zone on the attacker\u2019s machine, so the attacker can undermine this data by changing the time zone on that machine. 
That said, Event 104 is a beneficial event to keep watch over \u2013 one more tool in your defense toolkit.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Timezone bias and Live Discover<\/span><\/b><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Event 104 is of course available to anyone examining Microsoft systems of the supported vintages (again, Windows 10 \/ Server 2016 and later). The information in the final section of this post is provided for those readers using Sophos\u2019 Live Discover to get the job done. (However, we\u2019ll publish the query we\u2019re about to discuss on our Github, where anyone can pick up a copy.) We also <\/span><a href=\"https:\/\/youtu.be\/gaq46NUkOyA\"><span data-contrast=\"none\">demonstrate<\/span><\/a><span data-contrast=\"auto\"> this query and its results on our YouTube channel.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To execute an OS query and return timezone bias information in Live Discover, use the following:<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<pre><span data-contrast=\"auto\">SELECT<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">\u00a0\u00a0\u00a0 strftime('%Y-%m-%dT%H:%M:%SZ',datetime) AS Datetime,<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">\u00a0\u00a0\u00a0 source,<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">\u00a0\u00a0\u00a0 eventid,<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">\u00a0\u00a0\u00a0 JSON_EXTRACT(data, '$.EventData.TimezoneBiasHour') AS TimezoneBiasHour<\/span><span 
data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">FROM sophos_windows_events<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">WHERE<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">\u00a0\u00a0\u00a0 source = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS\/Operational'\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span>    <span data-contrast=\"auto\">\u00a0\u00a0\u00a0 AND eventid IN (104)<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/pre>\n<p><span data-contrast=\"auto\">The output of the query looks like the results shown in Figure 1:<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-954248\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-01.png\" alt=\"Query output showing a time-zone discrepancy between two events\" width=\"966\" height=\"86\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-01.png 1846w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-01.png?resize=300,26 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-01.png?resize=768,68 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-01.png?resize=1024,90 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-01.png?resize=1536,136 1536w\" sizes=\"auto, (max-width: 966px) 100vw, 966px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 1: Either the user has discovered a way to teleport themself and their computer across eight time zones in 90 seconds, or something is wrong here<\/span><\/i><span 
data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">On the left in the image above, we have the endpoint name \u2013 the same for both entries in this two-event log. We see the date\/time information in UTC, which shows that the two events occurred about a minute and a half apart. The source is where we found this event, which is shown as 104 in the next column. And on the right, we see the result \u2013 the first event originating in UTC 0, the second UTC +8, which is the area indicated in the map in Figure 2.<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954247\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-02.png\" alt=\"A map showing the area of the globe corresponding to UTC +8; it includes western Australia, part of Indonesia, and much of China\" width=\"640\" height=\"335\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-02.png 1204w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-02.png?resize=300,157 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-02.png?resize=768,402 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-4-figure-02.png?resize=1024,536 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 2: UTC +8 is a fascinating slice of the planet, but it\u2019s definitely not near James in London. 
(Map image courtesy nationsgeo.com)<\/span><\/i><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We recommend executing this query across all devices within your environment \u2013 look around and identify if there are timezone bias entries in the RDP Core TS Operational event log that differ from what you would typically expect.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><strong>Remote Desktop Protocol: The Series<\/strong><\/p>\n<p>Part 1: Remote Desktop Protocol: Introduction (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-the-series\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/dmzfBSs02lA\">video<\/a>)<br \/> Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-exposed-rdp-is-dangerous\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/XyWnKaLwmkQ\">video<\/a>)<br \/> Part 3: RDP: Queries for Investigation (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-queries-for-investigation\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/-Vo_Gok59WE\">video<\/a>)<br \/> Part 4: RDP Time Zone Bias ([you are here], <a href=\"https:\/\/youtu.be\/gaq46NUkOyA\">video<\/a>)<br \/> Part 5: Executing the External RDP Query (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-external-rdp-query\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/hGKvzkb47JA\">video<\/a>)<br \/> Part 6: Executing the 4624_4625 Login Query (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-4624_4625-login-query\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/YpvAnSEk8HU\">video<\/a>)<br \/> GitHub query repository: <a href=\"https:\/\/github.com\/SophosRapidResponse\/OSQuery\/tree\/main\/Artefacts\/Logins\">SophosRapidResponse\/OSQuery<br \/> <\/a>Transcript repository: <a 
href=\"https:\/\/github.com\/sophoslabs\/video-transcripts\">sophoslabs\/video-transcripts<br \/> <\/a>YouTube playlist: <a href=\"https:\/\/www.youtube.com\/playlist?list=PLW9m2f_dtUOVVita1zUhzv4T-VSzxUAUZ\">Remote Desktop Protocol: The Series<\/a><\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-how-to-use-time-zone-bias\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/rdp-hero-04.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:13:08 +0000<\/strong><\/p>\n<p>Where in the world is your attacker? Presenting a less-known but useful event to look for in your logs<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[12657,27362,25038,18324,24552,27030],"class_list":["post-24195","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-incident-response","tag-incident-response-tools","tag-mdr","tag-rdp","tag-security-operations","tag-sophos-x-ops"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24195"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.p
hp\/wp-json\/wp\/v2\/posts\/24195\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24195"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}