Monitor RDP Attack with Azure Security Center and Azure Sentinel

by SecWriter · February 15, 2021

Roses Are Red, Violets are Blue, and If you think your RDP is secure, I’ve some ransomware for you.

There’s been a tremendous increase in cybercriminals attempting to perform attacks by exploiting remote login credentials over the last year. Many employees continue to work from home, and many common attacks against IaaS VMs in Azure are on the rise.

The story from some security reports and the first one according to ESET’s. The big jump in RDP attacks as hackers target staff working from home and RDP attacks increase by 768% between Q1 and Q4 last year (2020), fuelled by the shift to remote working Q4 2020 Threat Report.

In some cases, RDP ports are even misconfigured, providing attackers with even greater access to networks.

Either way, RDP attacks can be used to infiltrate networks to examine and steal sensitive information. At the same time, it can also be used to gain enough access to the web to deploy ransomware attacks.

The second one is based on Netscout researchers identifying more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organizations’ networks with traffic.

New research has found that cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS attacks).

Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in a report published online this week.

Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack Mitigation Recommendations – January 2021 | NETSCOUT

The third and main report is based on a Microsoft security report. In the Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually takes place for VMs that are exposing the RDP port (TCP 3389). Although RDP is the primary source, there is also brute-force against SSH (TCP 22).

Nowadays, with COVID-19, with more employees working from home more often, threat actors are taking advantage of the increase of management ports open, which includes RDP and SSH.

An RDP brute force attack can compromise users with weak passwords and without MFA enabled. Keep in mind that compromising a server via RDP brute force is just the initial foothold. Once the threat actors gain access to the target machine, they will continue conducting malicious activities, including coin mining and even ransomware attacks.

Post Contents Show

The Story of Azure Sentinel & Security Center

Security Center protects many cloud security aspects, such as CSPM, CWPP and provides useful information to Azure Sentinel.

Azure Sentinel and Azure Security Center

Cloud security posture management: Security Center provides you with a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using the Azure secure score. Security Center helps you identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps.

Cloud workload protection allows you to detect and prevent threats at the IaaSas and PaaS resources like Azure IoT and Azure App Service and on-premises virtual machines.

When it comes to cloud workload protection, the goal is to present the information to users within Security Center in an easy-to-consume manner so that you can address individual threats. Security Center is not intended for advanced SecOps hunting scenarios or to be a SIEM tool.

Security Center is one of the many sources of threat protection information that Azure Sentinel collects data from to create a view for the entire organization. Microsoft recommends that customers using Azure use Azure Security Center to threaten workloads such as VMs, SQL, Storage, IoT, etc.

Once the Security Center data is in Azure Sentinel, you can combine that data with other sources like firewalls, users, and devices, for proactive hunting and threat mitigation with advanced querying and the power of artificial intelligence.

The investigation between Azure Sentinel and Security Center is a good story because you can start the investigation process from Security Center and then continue with Azure Sentinel.

Security Center & Brute Force Attack

A list of prioritized security alerts is shown in Security Center, along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.

Microsoft security researchers are constantly analyzing emerging threats worldwide, including new attack patterns and trends seen across its consumer and enterprise products and online services.

As a result, Security Center can update its detection algorithms as new vulnerabilities and exploits are discovered and keep pace with evolving threats. Some of the threats type detection:

Brute force detection over network data uses machine-learning models that understand typical network traffic patterns for your applications, enable more effective detection of access attempts being executed by bad actors instead of legitimate users.

Brute force detection over endpoint data are based on machine logs analysis, and it enables differentiation between failed and successful attempts.

VMs communicating with malicious IPs compare network traffic to Microsoft global threat intelligence, discover machines that are compromised, and communicating with Command and Control servers and vice-versa.

Compromised VMs based on behavioral analysis of machine logs and correlation with other signals identifies anomalous events that are likely the results of machine compromise and exploitation.

Monitor RDP Attack

There are different ways to monitor RDP attacks with Azure Sentinel. You can install the Security agent (a dedicated agent on each VM) or collect the Security Center data.

Security Center Side

RDP Attack showed on the security center with the specific alert title based on the attack severity and provide you information about the attack itself, who initiates the attack, which accounts were part of the attack, and other information.

Azure Security Center Alert

Azure Sentinel Side

Azure Sentinel has a built-in data connector for Security Center so that each Security Center alert will be shown in Azure Sentinel.

TIP: Make sure that you’ve got the Analytic rule of Create incidents based on Azure Security Center alerts.

Azure Security Center alerts

Azure Sentinel Incident view shows the alert and provides more information, and from this point, you can drill down to the alert itself with the “View few details.”

Azure Security Center alerts

Azure Sentinel Hunting

Now that we know what we can do with Security Center, let’s deep dive and play with Azure Sentinel itself with the situation that we’ve got Security Event enabled for this specific Azure VM.

In this scenario, we query the event based on the event id below

4625(F) An account failed to log on. (Windows 10) – Windows security | Microsoft Docs

4624(S) An account was successfully logged on. (Windows 10) – Windows security | Microsoft Docs

Create Analytic Rule – Azure Sentinel can provide so many ways to identify RDP attacks, so let’s start and create few pleasant queries, and first thing first, create a simple Analytic rule.

Azure Sentinel RDP Attack

The KQL is based on the SecurityEvent table and contains extend for investigation.

SecurityEvent
| where (EventID == 4625 or EventID== 4624)
| project TimeGenerated, EventID , WorkstationName,Computer, Account , LogonTypeName , IpAddress
| extend AccountCustomEntity = Account
| extend IPCustomEntity = IpAddress

Investigation

This is nice, but I know there are additional evens on the Event Log viewer and even sub-events, so let’s grab more information with KQL.

Security Event ID 4625 can provide useful information, and any Brute-force attack contains a lot of failed logins. To identify how many records with Logon type, status, and account were part of this action, we can see the query below.

SecurityEvent
| where EventID == “4625”
| extend _Account = trim(@'[^\w]+’, Account)
| where SubStatus =~ “0xc000006A”
| project TimeGenerated,
Computer,
_Account,
LogonType,
LogonProcessName,
SubStatus,
Activity

We can count all of these attack activities by the query below.

SecurityEvent
| where EventID == “4625”
| where AccountType == “User”
| extend _Account = trim(@'[^\w]+’, Account)
| summarize count() by _Account
| sort by count_ desc

With render piechart, the report will look. fine

But hold on, we’ve got a winner… check with the same query but for event id 4624 with the same account, and boom, someone is on your VM.

TIP: In the RDP event, the Logon Type is our best friend, so find the useful one.

Wait, maybe if you want to take it one step ahead, you query the event id 4776 and look if the domain controller attempted to validate the credentials for an account.

More ways to identify an RDP attack with dedicated additional event ids and more options in Azure Sentinel at the next post.

More blog-post about Azure Sentinel

Monitor RDP Attack with Azure Security Center and Azure Sentinel

by SecWriter · February 15, 2021

Roses Are Red, Violets are Blue, and If you think your RDP is secure, I’ve some ransomware for you.
There’s been a tremendous increase in cybercriminals attempting to perform attacks by exploiting remote login credentials over the last year. Many employees continue to work from home, and many common attacks against IaaS VMs in Azure are on the rise.
The story from some security reports and the first one according to ESET’s. The big jump in RDP attacks as hackers target staff working from home and RDP attacks increase by 768% between Q1 and Q4 last year (2020), fuelled by the shift to remote working Q4 2020 Threat Report.
In some cases, RDP ports are even misconfigured, providing attackers with even greater access to networks.
Either way, RDP attacks can be used to infiltrate networks to examine and steal sensitive information. At the same time, it can also be used to gain enough access to the web to deploy ransomware attacks.
The second one is based on Netscout researchers identifying more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organizations’ networks with traffic.
New research has found that cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS attacks).
Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in a report published online this week.
Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack Mitigation Recommendations – January 2021 | NETSCOUT
The third and main report is based on a Microsoft security report. In the Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually takes place for VMs that are exposing the RDP port (TCP 3389). Although RDP is the primary source, there is also brute-force against SSH (TCP 22).
Nowadays, with COVID-19, with more employees working from home more often, threat actors are taking advantage of the increase of management ports open, which includes RDP and SSH.
An RDP brute force attack can compromise users with weak passwords and without MFA enabled. Keep in mind that compromising a server via RDP brute force is just the initial foothold. Once the threat actors gain access to the target machine, they will continue conducting malicious activities, including coin mining and even ransomware attacks.

The Story of Azure Sentinel & Security Center

Azure Security Center provides unified security management by identifying and fixing misconfigurations and providing visibility into threats to remediate them quickly. Security Center has grown rapidly in usage and capabilities and allowed us to pilot many new solutions, including a SIEM like functionality called investigations.
Security Center protects many cloud security aspects, such as CSPM, CWPP and provides useful information to Azure Sentinel.
Azure Sentinel and Azure Security Center
Cloud security posture management: Security Center provides you with a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using the Azure secure score. Security Center helps you identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps.
Cloud workload protection allows you to detect and prevent threats at the IaaSas and PaaS resources like Azure IoT and Azure App Service and on-premises virtual machines.
When it comes to cloud workload protection, the goal is to present the information to users within Security Center in an easy-to-consume manner so that you can address individual threats. Security Center is not intended for advanced SecOps hunting scenarios or to be a SIEM tool.
Security Center is one of the many sources of threat protection information that Azure Sentinel collects data from to create a view for the entire organization. Microsoft recommends that customers using Azure use Azure Security Center to threaten workloads such as VMs, SQL, Storage, IoT, etc.
Once the Security Center data is in Azure Sentinel, you can combine that data with other sources like firewalls, users, and devices, for proactive hunting and threat mitigation with advanced querying and the power of artificial intelligence.
The investigation between Azure Sentinel and Security Center is a good story because you can start the investigation process from Security Center and then continue with Azure Sentinel.

Security Center & Brute Force Attack

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, like firewall and endpoint protection solutions, to detect real threats and reduce false positives.
A list of prioritized security alerts is shown in Security Center, along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.
Microsoft security researchers are constantly analyzing emerging threats worldwide, including new attack patterns and trends seen across its consumer and enterprise products and online services.
As a result, Security Center can update its detection algorithms as new vulnerabilities and exploits are discovered and keep pace with evolving threats. Some of the threats type detection:
Brute force detection over network data uses machine-learning models that understand typical network traffic patterns for your applications, enable more effective detection of access attempts being executed by bad actors instead of legitimate users.
Brute force detection over endpoint data are based on machine logs analysis, and it enables differentiation between failed and successful attempts.
VMs communicating with malicious IPs compare network traffic to Microsoft global threat intelligence, discover machines that are compromised, and communicating with Command and Control servers and vice-versa.
Compromised VMs based on behavioral analysis of machine logs and correlation with other signals identifies anomalous events that are likely the results of machine compromise and exploitation.

Monitor RDP Attack

Once all the requirements and integration between Azure Sentinel and Azure Security Center are connected and configured, you can know better who is touch your resources on Azure and for this scenario on your VM.
There are different ways to monitor RDP attacks with Azure Sentinel. You can install the Security agent (a dedicated agent on each VM) or collect the Security Center data.