Monitor RDP Attack with Microsoft Sentinel
Roses Are Red, Violets are Blue, and If you think your RDP is secure, I’ve some ransomware.
There’s been a tremendous increase in cybercriminals attempting to perform attacks by exploiting remote login credentials over the last year. Many employees continue to work from home, and many common attacks against IaaS VMs in Azure are on the rise.
This story draws on several security reports. The first is ESET's Q4 2020 Threat Report: RDP attacks increased by 768% between Q1 and Q4 last year (2020), a big jump fuelled by the shift to remote working as hackers target staff working from home.
In some cases, RDP ports are misconfigured, providing attackers with even greater access to networks.
Either way, RDP attacks can be used to infiltrate networks to examine and steal sensitive information. They can also be used to gain enough access to the network to deploy ransomware.
The second is from Netscout, whose researchers identified more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organizations’ networks with traffic. The research found that cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS) attacks.
Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in a report published online this week.
The third and main report is from Microsoft. According to the Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually targets VMs that expose the RDP port (TCP 3389). Although RDP is the primary target, there are also brute-force attacks against SSH (TCP 22).
Nowadays, employees are working from home more often, and threat actors are taking advantage of the increased number of open management ports, including RDP and SSH.
An RDP brute force attack can compromise users with weak passwords without MFA enabled. Keep in mind that compromising a server via RDP brute force is just the initial foothold. Once the threat actors gain access to the target machine, they will continue conducting malicious activities, including coin mining and ransomware attacks.
The Story of Microsoft Sentinel & Defender
Defender for Cloud provides unified security management by identifying and fixing misconfigurations and giving visibility into threats to remediate them quickly. Defender for Cloud has grown rapidly in usage and capabilities and allowed us to pilot many new solutions, including a SIEM-like functionality called investigations.
Defender for Cloud protects many cloud security aspects, such as CSPM and CWPP, and provides helpful information to Microsoft Sentinel.
Cloud security posture management: Defender for Cloud provides you with a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using the Azure secure score. Defender for Cloud helps you identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps.
Cloud workload protection: allows you to detect and prevent threats at the IaaS and PaaS layers, on resources like Azure IoT and Azure App Service, and on on-premises virtual machines.
When it comes to cloud workload protection, the goal is to present the information to users within Defender for Cloud in an easy-to-consume manner so that you can address individual threats. Defender for Cloud is not intended for advanced SecOps hunting scenarios or to be a SIEM tool.
Once the Defender for Cloud data is in Microsoft Sentinel, you can combine that data with other sources like firewalls, users, and devices, for proactive hunting and threat mitigation with advanced querying and the power of artificial intelligence.
The investigation between Microsoft Sentinel and Defender for Cloud is a good story because you can start the investigation process from Defender for Cloud and continue with Microsoft Sentinel.
Brute Force Attack & MDC
Defender for Cloud automatically collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, like firewall and endpoint protection solutions, to detect real threats and reduce false positives.
A list of prioritized security alerts is shown in Defender for Cloud, along with the information you need to quickly investigate the problem and recommendations for how to remediate an attack.
Microsoft security researchers constantly analyze emerging threats worldwide, including new attack patterns and trends across its consumer and enterprise products and online services.
As a result, Defender for Cloud can update its detection algorithms as new vulnerabilities and exploits are discovered and keep pace with evolving threats. Some of the threat detection types:
Brute force detection over network data: uses machine-learning models that understand typical network traffic patterns for your applications, enabling more effective detection of access attempts executed by bad actors instead of legitimate users.
Brute force detection over endpoint data: based on machine log analysis, and it enables differentiation between failed and successful attempts.
VMs communicating with malicious IPs: compares network traffic to Microsoft global threat intelligence to discover compromised machines communicating with Command and Control servers and vice versa.
Compromised VMs: based on behavioral analysis of machine logs and correlation with other signals, identifies anomalous events that are likely the result of machine compromise and exploitation.
Monitor RDP Attack
Once all the requirements are met and the integration between Microsoft Sentinel and Defender for Cloud is connected and configured, you get a better picture of who is touching your resources on Azure and, for this scenario, your VM.
There are different ways to monitor RDP attacks with Microsoft Sentinel. You can install the Security agent (a dedicated agent on each VM) or collect the Defender for Cloud data.
Once an RDP attack starts against your Azure VM, you will receive an alert from Defender for Cloud, and then another alert in Microsoft Sentinel will provide more information. In Defender for Cloud, you don’t need to create or configure any actions.
The RDP attack is shown in Defender for Cloud with a specific alert title based on the attack severity, along with information about the attack itself, who initiated the attack, which accounts were part of the attack, and other details.
Microsoft Sentinel Side
Microsoft Sentinel provides a different and unique story for every kind of attack, and of course, for RDP attacks. If Defender for Cloud is connected to Microsoft Sentinel, the alert is based on the Defender for Cloud alerts data connector.
Microsoft Sentinel has a built-in data connector for Defender for Cloud so that each Defender for Cloud alert will be shown in Microsoft Sentinel.
TIP: Make sure that you have enabled the Analytic rule that creates incidents based on Defender for Cloud alerts.
The Microsoft Sentinel Incident view shows the alert and provides more information, and from this point, you can drill down to the alert itself with “View full details.”
Now that we know what we can do with Defender for Cloud, let’s deep dive and play with Microsoft Sentinel itself with the situation that we’ve got Security Event enabled for this specific Azure VM.
In this scenario, we query the event based on the event id below
Create Analytic Rule – Microsoft Sentinel can provide many ways to identify RDP attacks, so let’s start and create a few pleasant queries. First, create a simple Analytic rule.
The KQL is based on the SecurityEvent table and contains extend for investigation.
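SecurityEvent
// 4625 = failed logon, 4624 = successful logon
| where EventID == 4625 or EventID == 4624
| project TimeGenerated, EventID, WorkstationName, Computer, Account, LogonTypeName, IpAddress
// Map the account and source IP to entities for the investigation graph
| extend AccountCustomEntity = Account
| extend IPCustomEntity = IpAddress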
On the Investigation page, you can investigate all entities in this game: IP addresses, accounts, etc. Of course, each of these entities can also be explored, and you can correlate the information to know if it is a prevalent attack and if you’ve got another device in this game.
This is nice, but I know there are additional events in the Event Log viewer and even sub-events, so let’s grab more information with KQL.
Security Event ID 4625 can provide helpful information, and any brute-force attack produces a lot of failed logins. We can use the query below to identify how many records, with logon type, status, and account, were part of this action.
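SecurityEvent
| where EventID == 4625  // failed logon; EventID is an integer column
| extend _Account = trim(@'[^\w]+', Account)  // strip non-word characters from both ends
| where SubStatus =~ "0xc000006A"  // wrong password for an existing user name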
| project TimeGenerated,
We can count all of these attack activities by the query below.
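SecurityEvent
| where EventID == 4625  // failed logon; EventID is an integer column
| where AccountType == "User"
| extend _Account = trim(@'[^\w]+', Account)
// Failed logons per account, most-targeted accounts first
| summarize count() by _Account
| sort by count_ desc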
With a rendered pie chart, the report will look better.
But hold on, we’ve got a winner… check with the same query, but for event id 4624 with the same account, and boom, someone is on your VM.
TIP: In the RDP event, the Logon Type is our best friend, so find the useful one.
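The check described above (a burst of 4625 failures, then a 4624 success for the same account), combined into a single query as an added example that is not part of the original post. The lookback, failure threshold, success window, and the choice of logon types 3 and 10 are assumptions to tune for your environment.

```kql
// Added example: failed-logon burst followed by a successful logon
// for the same account, from the same source IP, on the same computer.
let lookback = 1d;            // assumed search window
let failureThreshold = 10;    // assumed minimum failures to call it a burst
let successWindow = 1h;       // assumed max gap between last failure and success
// Step 1: accounts with many failed remote logons per computer and source IP
let failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    // 10 = RemoteInteractive (RDP); 3 = Network, logged for RDP when NLA is on
    | where LogonType in (3, 10)
    | where AccountType == "User"
    | where isnotempty(IpAddress) and IpAddress != "-"
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by Computer, Account, IpAddress
    | where FailedCount >= failureThreshold;
// Step 2: successful logons of the same kind
let successes = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (3, 10)
    | project SuccessTime = TimeGenerated, Computer, Account, IpAddress, LogonTypeName;
// Step 3: keep successes that land during or shortly after the burst
failures
| join kind=inner successes on Computer, Account, IpAddress
| where SuccessTime >= FirstFailure and SuccessTime <= LastFailure + successWindow
| project SuccessTime, Computer, Account, IpAddress, LogonTypeName,
          FailedCount, FirstFailure, LastFailure
// Same entity mapping as the analytic rule earlier in the post
| extend AccountCustomEntity = Account
| extend IPCustomEntity = IpAddress
| sort by FailedCount desc
```

Any row returned is a candidate compromised account: confirm with the user whether the successful logon was theirs before treating it as benign.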
Wait, if you want to take it one step further, you can query event id 4776 and check whether the domain controller attempted to validate the credentials for an account.
There are more ways to identify an RDP attack with dedicated additional event ids and more options in Microsoft Sentinel in the next post.