{"id":24198,"date":"2024-03-20T11:23:02","date_gmt":"2024-03-20T19:23:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17928\/"},"modified":"2024-03-20T11:23:02","modified_gmt":"2024-03-20T19:23:02","slug":"news-17928","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17928\/","title":{"rendered":"Remote Desktop Protocol: The Series"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:18:21 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\" width=\"100%\" height=\"420\">\n<p><span data-contrast=\"auto\">Remote Desktop Protocol (RDP) was developed by Microsoft to allow users, administrators, and others to connect to remote computers over a network connection using a handy graphical user interface (GUI). The tools required for this come as standard on Microsoft Windows; everything needed to initiate and set up an RDP connection is present by default. This is why RDP is used extensively throughout networks by users and administrators to access remote machines.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Unfortunately, it&#8217;s also commonly abused by ransomware groups \u2013 so commonly, in fact, that in our regular Active Adversary Reports our editors are forced to treat RDP differently in graphics so other findings are even visible. And RDP abuse is on the rise, as we see in Figure 1 &#8212; numbers from the past few years of incident-response data as collected by the Active Adversary Report team. 
In the edition of the report we\u2019ll be releasing next month, you\u2019ll see that RDP has now cracked the 90 percent mark \u2013 that is, nine out of ten IR cases include RDP abuse.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/2402-RDP-abuse-logo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954299\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/2402-RDP-abuse-logo.png\" alt=\"A bar chart showing the increase in RDP abuse from 2021 to 2023\" width=\"640\" height=\"374\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/2402-RDP-abuse-logo.png 1665w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/2402-RDP-abuse-logo.png?resize=300,175 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/2402-RDP-abuse-logo.png?resize=768,448 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/2402-RDP-abuse-logo.png?resize=1024,598 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/2402-RDP-abuse-logo.png?resize=1536,897 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 1: A first look at the full Active Adversary dataset from 2023 shows that RDP abuse is getting worse<\/span><\/i><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Today, to provide context and advice for administrators and responders looking to deal with RDP, we\u2019re publishing an entire package of resources \u2013 videos, companion articles with additional information, and a constellation of additional scripts and information on our GitHub repository. 
We\u2019re doing this both to share our Active Adversary team\u2019s research beyond the usual long-form reports we issue, and to provide what we hope is a useful set of resources for handling one of infosec\u2019s more annoying chronic ailments. <\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">From an attacker\u2019s point of view, targeting RDP is a natural choice. Most significantly, it\u2019s a Microsoft-provided tool (so, a living-off-the-land binary, or LOLBin) that blends in with typical user and administrative behavior. Its usage alone isn\u2019t apt to draw attention if no one\u2019s keeping an eye out for it, and an attacker need not bring in additional tools that may be detected by EDR or other anti-intrusion tools. RDP also has a relatively pleasant graphical user interface that lowers the skill barrier for attackers to browse files for exfiltration, and to install and use various applications.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Attackers also know that RDP is commonly misconfigured or misused within an environment, both on servers and occasionally on endpoints themselves. The next article in this RDP collection looks at just how common such exposure is, and whether measures such as moving RDP off its usual port 3389 make a difference. 
(Spoiler: No.)\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Rounding out the dismal RDP picture, we see self-owns such as lack of segregation, use of weak credentials, disabling (by administrators) of potential protections such as <\/span><a href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2008-R2-and-2008\/cc732713(v=ws.11)\"><span data-contrast=\"none\">NLA (network-level authentication)<\/span><\/a><span data-contrast=\"auto\">, and flagrant disregard for best practices such as least privilege. On the brighter side, there are useful, sturdy queries that can give great insight into precisely how RDP is in use on your network\u2026 if you know where to look.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">So, to provide context and advice for administrators and responders looking to deal with RDP, we\u2019re starting with an entire package of resources \u2013 six videos, six companion articles with additional information, and a constellation of additional scripts and information on our GitHub \u2013 with more to be added over time as events dictate.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"100%\" height=\"420\" src=\"https:\/\/www.youtube.com\/embed\/dmzfBSs02lA?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\" frameborder=\"0\"><\/iframe><\/span><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Remote Desktop Protocol: The Series<\/strong><\/p>\n<p>Part 1: Remote Desktop Protocol: 
Introduction ([you are here], <a href=\"https:\/\/youtu.be\/dmzfBSs02lA\">video<\/a>)<br \/> Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-exposed-rdp-is-dangerous\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/XyWnKaLwmkQ\">video<\/a>)<br \/> Part 3: RDP: Queries for Investigation (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-queries-for-investigation\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/-Vo_Gok59WE\">video<\/a>)<br \/> Part 4: RDP Time Zone Bias (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-how-to-use-time-zone-bias\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/gaq46NUkOyA\">video<\/a>)<br \/> Part 5: Executing the External RDP Query (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-external-rdp-query\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/hGKvzkb47JA\">video<\/a>)<br \/> Part 6: Executing the 4624_4625 Login Query (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-4624_4625-login-query\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/YpvAnSEk8HU\">video<\/a>)<br \/> GitHub query repository: <a href=\"https:\/\/github.com\/SophosRapidResponse\/OSQuery\/tree\/main\/Artefacts\/Logins\">SophosRapidResponse\/OSQuery<br \/> <\/a>Transcript repository: <a href=\"https:\/\/github.com\/sophoslabs\/video-transcripts\">sophoslabs\/video-transcripts<br \/> <\/a>YouTube playlist: <a href=\"https:\/\/www.youtube.com\/playlist?list=PLW9m2f_dtUOVVita1zUhzv4T-VSzxUAUZ\">Remote Desktop Protocol: The Series<\/a><\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-the-series\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/rdp-hero-01.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:18:21 +0000<\/strong><\/p>\n<p>What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground when it goes wrong? An Active Adversary Special Report<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[25396,129,12657,27362,25038,18324,24552,27030,16771],"class_list":["post-24198","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-active-adversary","tag-featured","tag-incident-response","tag-incident-response-tools","tag-mdr","tag-rdp","tag-security-operations","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24198","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24198"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24198\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24198"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-j
son\/wp\/v2\/tags?post=24198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}