Monitor RDP Attack with Azure Security Center and Azure Sentinel
Roses Are Red, Violets are Blue, and If you think your RDP is secure, I’ve some ransomware for you.
There’s been a tremendous increase in cybercriminals attempting to perform attacks by exploiting remote login credentials over the last year. Many employees continue to work from home, and many common attacks against IaaS VMs in Azure are on the rise.
The story from some security reports and the first one according to ESET’s. The big jump in RDP attacks as hackers target staff working from home and RDP attacks increase by 768% between Q1 and Q4 last year (2020), fuelled by the shift to remote working Q4 2020 Threat Report.
In some cases, RDP ports are even misconfigured, providing attackers with even greater access to networks.
Either way, RDP attacks can be used to infiltrate networks to examine and steal sensitive information. At the same time, it can also be used to gain enough access to the web to deploy ransomware attacks.
The second one is based on Netscout researchers identifying more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organizations’ networks with traffic.
New research has found that cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS attacks).
Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in a report published online this week.
The third and main report is based on a Microsoft security report. In the Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually takes place for VMs that are exposing the RDP port (TCP 3389). Although RDP is the primary source, there is also brute-force against SSH (TCP 22).
Nowadays, with COVID-19, with more employees working from home more often, threat actors are taking advantage of the increase of management ports open, which includes RDP and SSH.
An RDP brute force attack can compromise users with weak passwords and without MFA enabled. Keep in mind that compromising a server via RDP brute force is just the initial foothold. Once the threat actors gain access to the target machine, they will continue conducting malicious activities, including coin mining and even ransomware attacks.
The Story of Azure Sentinel & Security Center
Azure Security Center provides unified security management by identifying and fixing misconfigurations and providing visibility into threats to remediate them quickly. Security Center has grown rapidly in usage and capabilities and allowed us to pilot many new solutions, including a SIEM like functionality called investigations.
Security Center protects many cloud security aspects, such as CSPM, CWPP and provides useful information to Azure Sentinel.
Cloud security posture management: Security Center provides you with a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using the Azure secure score. Security Center helps you identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps.
Cloud workload protection allows you to detect and prevent threats at the IaaSas and PaaS resources like Azure IoT and Azure App Service and on-premises virtual machines.
When it comes to cloud workload protection, the goal is to present the information to users within Security Center in an easy-to-consume manner so that you can address individual threats. Security Center is not intended for advanced SecOps hunting scenarios or to be a SIEM tool.
Security Center is one of the many sources of threat protection information that Azure Sentinel collects data from to create a view for the entire organization. Microsoft recommends that customers using Azure use Azure Security Center to threaten workloads such as VMs, SQL, Storage, IoT, etc.
Once the Security Center data is in Azure Sentinel, you can combine that data with other sources like firewalls, users, and devices, for proactive hunting and threat mitigation with advanced querying and the power of artificial intelligence.
The investigation between Azure Sentinel and Security Center is a good story because you can start the investigation process from Security Center and then continue with Azure Sentinel.
Security Center & Brute Force Attack
Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, like firewall and endpoint protection solutions, to detect real threats and reduce false positives.
A list of prioritized security alerts is shown in Security Center, along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.
Microsoft security researchers are constantly analyzing emerging threats worldwide, including new attack patterns and trends seen across its consumer and enterprise products and online services.
As a result, Security Center can update its detection algorithms as new vulnerabilities and exploits are discovered and keep pace with evolving threats. Some of the threats type detection:
Brute force detection over network data uses machine-learning models that understand typical network traffic patterns for your applications, enable more effective detection of access attempts being executed by bad actors instead of legitimate users.
Brute force detection over endpoint data are based on machine logs analysis, and it enables differentiation between failed and successful attempts.
VMs communicating with malicious IPs compare network traffic to Microsoft global threat intelligence, discover machines that are compromised, and communicating with Command and Control servers and vice-versa.
Compromised VMs based on behavioral analysis of machine logs and correlation with other signals identifies anomalous events that are likely the results of machine compromise and exploitation.
Monitor RDP Attack
Once all the requirements and integration between Azure Sentinel and Azure Security Center are connected and configured, you can know better who is touch your resources on Azure and for this scenario on your VM.
There are different ways to monitor RDP attacks with Azure Sentinel. You can install the Security agent (a dedicated agent on each VM) or collect the Security Center data.
Security Center Side
Once an RDP attack initiates on your Azure VM, you will receive an alert from Security Center, and then your other alert on Azure Sentinel will provide more information. At Security Center, you don’t need to create or configure any actions.
RDP Attack showed on the security center with the specific alert title based on the attack severity and provide you information about the attack itself, who initiates the attack, which accounts were part of the attack, and other information.
Azure Sentinel Side
Azure Sentinel provides an additional and unique story for every kind of attack, and of course, for RDP attack. If Security Center is connected to Azure Sentinel, the alert would be based on the Azure Security Center alerts Data Connector.
Azure Sentinel has a built-in data connector for Security Center so that each Security Center alert will be shown in Azure Sentinel.
TIP: Make sure that you’ve got the Analytic rule of Create incidents based on Azure Security Center alerts.
Azure Sentinel Incident view shows the alert and provides more information, and from this point, you can drill down to the alert itself with the “View few details.”
Azure Sentinel Hunting
Now that we know what we can do with Security Center, let’s deep dive and play with Azure Sentinel itself with the situation that we’ve got Security Event enabled for this specific Azure VM.
In this scenario, we query the event based on the event id below
Create Analytic Rule – Azure Sentinel can provide so many ways to identify RDP attacks, so let’s start and create few pleasant queries, and first thing first, create a simple Analytic rule.
The KQL is based on the SecurityEvent table and contains extend for investigation.
| where (EventID == 4625 or EventID== 4624)
| project TimeGenerated, EventID , WorkstationName,Computer, Account , LogonTypeName , IpAddress
| extend AccountCustomEntity = Account
| extend IPCustomEntity = IpAddress
On the Investigation page, you can investigate all entities in this game: IP addresses, accounts, etc. Of course, each one of these entities can explore, too, and you can correlate the information to know if it is a prevalent attack and if you’ve got another device on this game.
This is nice, but I know there are additional evens on the Event Log viewer and even sub-events, so let’s grab more information with KQL.
Security Event ID 4625 can provide useful information, and any Brute-force attack contains a lot of failed logins. To identify how many records with Logon type, status, and account were part of this action, we can see the query below.
| where EventID == “4625”
| extend _Account = trim(@'[^\w]+’, Account)
| where SubStatus =~ “0xc000006A”
| project TimeGenerated,
We can count all of these attack activities by the query below.
| where EventID == “4625”
| where AccountType == “User”
| extend _Account = trim(@'[^\w]+’, Account)
| summarize count() by _Account
| sort by count_ desc
With render piechart, the report will look. fine
But hold on, we’ve got a winner… check with the same query but for event id 4624 with the same account, and boom, someone is on your VM.
TIP: In the RDP event, the Logon Type is our best friend, so find the useful one.
Wait, maybe if you want to take it one step ahead, you query the event id 4776 and look if the domain controller attempted to validate the credentials for an account.
More ways to identify an RDP attack with dedicated additional event ids and more options in Azure Sentinel at the next post.
More blog-post about Azure Sentinel