Date posted: 15-Jul-2015
Category: Technology
Uploaded by: josh-liburdi
Background and contact info
2015 CrowdStrike, Inc. All rights reserved. 2
•Two years' experience using Bro every day in large and small enterprise production environments
– Environments range from two to 400+ NSM sensors
•Focus on scalable threat detection scripts and core extensions
•Contact details
– @jshlbrd
CrowdStrike + Bro
•Leveraged by the CrowdStrike Services team
– Reactive: Incident response
– Proactive: Adversary assessments
•Built for incident response
– CrowdStrike Intelligence Bro Intel framework
– Signature-free intrusion detection scripts
• Adversary TTPs (Hurricane Panda’s rogue DNS), targeted malware (PlugX C2)
– Customized core, framework, and logging extensions
•PS: we’re recruiting
Why analyze RDP?
•Significant part of enterprise network activity
– Analysis allows users to gain deeper insight into network activity
•Commonly used by attackers to move laterally through compromised networks
– The other protocol commonly used for this is SMB
• “But isn’t RDP encrypted?”
– It is, but useful data can still be collected
Analyzing RDP via conn.log
•Multiple assumptions required
•No pcap means no validation
event connection_state_remove(c: connection)
    {
    # Heuristic only: default RDP port, payload seen in both directions, and a
    # non-trivial byte count each way. Every condition is a guess that only a
    # pcap could confirm.
    if ( c$id$resp_p == 3389/tcp
         && /D.*d/ in c$history
         # orig_bytes/resp_bytes are &optional; test presence before reading them
         && c?$conn && c$conn?$orig_bytes && c$conn?$resp_bytes
         && c$conn$orig_bytes >= 1000
         && c$conn$resp_bytes >= 1000 )
        print "found RDP?";
    }
Analyzer use and requirements
•Primary use: track compromised user accounts during IR
– Monitor attacker movement in compromised networks
•Secondary use: identify anomalous access
– Monitoring RDP activity over extended periods of time may reveal anomalous, unauthorized activity
•Primary requirements
– Detect RDP on non-standard ports
– Log RDP usernames
– Confirm if an RDP connection attempt was successful
RDP connection sequence
•Connection sequence is made up of 10 phases
•Analyzer inspects the first two phases (connection initiation and basic settings exchange)
– Lots of useful data in these two phases
– More phases could be analyzed if connection is not encrypted (but most are)
Analyzer functionality
•Adds RDP as a service to conn.log (DPD)
•Detects RDP on non-standard ports (DPD)
•Logs key RDP connection sequence data to rdp.log
– Cookie (typically a username)
– Client hostname
– GCC result
•Accurately parses the first two phases of the connection sequence
Analyzer output – rdp.log
Field               Value
cookie              A70067
keyboard_layout     English - United States
client_build        RDP 5.1
client_hostname     ISD2-KM84178
client_product_id   55274-OEM-0011903-00107
result              Success
encryption_level    High
encryption_method   128bit
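The two connection-sequence phases the analyzer inspects (slides 7 to 9), reduced to a parser that yields the rdp.log fields above. This is an added example, not the analyzer's code: the packet samples are constructed, the keyboard-layout and build name tables are an assumed subset of what the analyzer keeps, and the field offsets follow MS-RDPBCGR's X.224 Connection Request and TS_UD_CS_CORE layouts.

```python
import struct

# Assumed subset of the value-to-name tables the analyzer keeps (MS-RDPBCGR keyboardLayout / clientBuild).
KEYBOARD_LAYOUTS = {0x0409: "English - United States"}
CLIENT_BUILDS = {2195: "RDP 5.0", 2600: "RDP 5.1", 3790: "RDP 5.2", 6000: "RDP 6.0", 9200: "RDP 8.0"}

def parse_connection_request(pkt: bytes) -> dict:
    """Phase 1: TPKT-framed X.224 Connection Request; returns the optional 'mstshash' cookie."""
    if len(pkt) < 11 or pkt[0] != 3 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a complete TPKT PDU")
    li, code = pkt[4], pkt[5]                  # X.224 length indicator, TPDU code (0xE0 = CR)
    if code & 0xF0 != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    var = pkt[11:5 + li]                       # variable part: routingToken/cookie, then optional rdpNegReq
    prefix = b"Cookie: mstshash="
    if not var.startswith(prefix):
        return {"cookie": None}                # cookie is optional, so None is a normal outcome
    end = var.find(b"\r\n", len(prefix))
    return {"cookie": var[len(prefix):end if end >= 0 else len(var)].decode("ascii", "replace")}

def parse_client_core_data(ud: bytes) -> dict:
    """Phase 2: TS_UD_CS_CORE block from the MCS Connect Initial PDU (basic settings exchange)."""
    hdr_type, hdr_len = struct.unpack("<HH", ud[:4])
    if hdr_type != 0xC001 or hdr_len < 132 or hdr_len > len(ud):
        raise ValueError("not a well-formed Client Core Data block")
    blk = ud[:hdr_len]
    # version(4) width(2) height(2) colorDepth(2) sasSequence(2) keyboardLayout(4) clientBuild(4) clientName(32)
    _ver, _w, _h, _cd, _sas, layout, build = struct.unpack("<IHHHHII", blk[4:24])
    name = blk[24:56].decode("utf-16-le", "replace").split("\x00", 1)[0]
    product = None                             # clientDigProductId is optional (64 bytes UTF-16LE at offset 146)
    if hdr_len >= 210:
        text = blk[146:210].decode("utf-16-le", "replace").split("\x00", 1)[0]
        # keep the raw bytes when it is not a printable ASCII product ID, as the rdp.log example on slide 14 shows
        product = text if all(32 <= ord(ch) < 127 for ch in text) else blk[146:210].rstrip(b"\x00")
    return {"keyboard_layout": KEYBOARD_LAYOUTS.get(layout, hex(layout)),  # raw value when not identified
            "client_build": CLIENT_BUILDS.get(build, str(build)),
            "client_name": name, "client_dig_product_id": product}

def make_client_core_data(name: str, build: int, layout: int = 0x0409, product: bytes = b"") -> bytes:
    """Constructed test fixture, not captured traffic: a TS_UD_CS_CORE block including the optional fields."""
    body = (struct.pack("<IHHHHII", 0x00080004, 1024, 768, 0xCA01, 0xAA03, layout, build)
            + name.encode("utf-16-le")[:32].ljust(32, b"\x00")
            + struct.pack("<III", 4, 0, 12) + b"\x00" * 64          # keyboard type/subtype/function keys, imeFileName
            + struct.pack("<HHIHHH", 0xCA01, 1, 0, 16, 0x0F, 0)      # optional fields through earlyCapabilityFlags
            + product[:64].ljust(64, b"\x00"))
    return struct.pack("<HH", 0xC001, 4 + len(body)) + body

# Constructed phase-1 sample carrying the cookie value from the Ncrack slide (not a capture).
_x224 = b"\xe0\x00\x00\x00\x00\x00" + b"Cookie: mstshash=NCRACK_USER\r\n" + b"\x01\x00\x08\x00\x00\x00\x00\x00"
SAMPLE_CONNECTION_REQUEST = b"\x03\x00" + struct.pack(">H", 5 + len(_x224)) + bytes([len(_x224)]) + _x224
```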
Analyzer in use
•Running in 9 different production environments (~1G links)
•Achieves original requirements and more
– Confirm RDP connection attempts
– Track compromised user accounts (RDP cookie)
– Baseline activity and identify anomalous use based on cookie, hostname, and product_id
– Identify non-Windows / non-standard RDP clients
 • keyboard_layout and client_build will contain the raw value if the keyboard layout or client build could not be identified
•Now for some examples …
Identifying Nessus scans
Field               Value
cookie              rdp_logon_screen.nbin
keyboard_layout     English - United States
client_build        RDP 5.1
client_hostname     nessus
client_product_id   (empty)
result              -
encryption_level    -
encryption_method   -
Identifying RDP attacks
Field               Value
cookie              NCRACK_USER
keyboard_layout     English - United States
client_build        RDP 5.1
client_hostname     NCRACK
client_product_id   (empty)
result              Success
encryption_level    Client Compatible
encryption_method   128bit
Identifying anomalous RDP
Field               Value
id.resp_p           443
cookie              [redacted]
keyboard_layout     English - United States
client_build        RDP 8.0
client_hostname     172.24.6.147
client_product_id   8*\xa3\x97^T\xbc\x9a …
result              Success
encryption_level    Client Compatible
encryption_method   128bit
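The three rdp.log cases on slides 11 to 14 turned into triage rules over a log excerpt, so the same checks can run over a day's rdp.log. This is an added example, not the analyzer's own code: the log lines are constructed to mirror the slides (the uid values and the benign first row are made up), and the flag names are assumptions.

```python
import ipaddress

# Constructed rdp.log excerpt in Bro TSV format (not real data): one benign session and the three slide examples.
SAMPLE_RDP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tkeyboard_layout\tclient_build\tclient_hostname\tclient_product_id\tresult\tencryption_level\tencryption_method
1436000000.000001\tC1\t10.0.0.5\t49152\t10.0.0.20\t3389\tA70067\tEnglish - United States\tRDP 5.1\tISD2-KM84178\t55274-OEM-0011903-00107\tSuccess\tHigh\t128bit
1436000001.000001\tC2\t10.0.0.9\t49153\t10.0.0.20\t3389\trdp_logon_screen.nbin\tEnglish - United States\tRDP 5.1\tnessus\t-\t-\t-\t-
1436000002.000001\tC3\t10.0.0.7\t49154\t10.0.0.20\t3389\tNCRACK_USER\tEnglish - United States\tRDP 5.1\tNCRACK\t-\tSuccess\tClient Compatible\t128bit
1436000003.000001\tC4\t10.0.0.8\t49155\t10.0.0.21\t443\tjdoe\tEnglish - United States\tRDP 8.0\t172.24.6.147\t8*\\xa3\\x97^T\\xbc\\x9a\tSuccess\tClient Compatible\t128bit
"""

def parse_bro_log(text: str) -> list:
    """Parse a Bro TSV log into dicts keyed by the #fields header; '-' (unset) becomes None."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append({k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))})
    return rows

def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def triage(rec: dict) -> list:
    """Flags for one rdp.log record, mirroring the scanner, brute-force and anomaly cases on the slides."""
    flags = []
    cookie, host = rec.get("cookie") or "", rec.get("client_hostname") or ""
    if cookie.endswith(".nbin") or host.lower() == "nessus":        # slide 11: Nessus plugin cookie / hostname
        flags.append("nessus_scan")
    if "NCRACK" in cookie.upper() or "NCRACK" in host.upper():       # slide 12: Ncrack default identifiers
        flags.append("ncrack_bruteforce")
    if rec.get("id.resp_p") != "3389":                               # slide 14: RDP found by DPD on 443
        flags.append("non_standard_port")
    if _is_ip(host):                                                 # slide 14: hostname field carries an IP
        flags.append("hostname_is_ip")
    if "\\x" in (rec.get("client_product_id") or ""):               # Bro escapes non-printable bytes as \xNN
        flags.append("unparseable_product_id")
    if flags and rec.get("result") == "Success":                     # GCC result: the connection went through
        flags.append("connection_succeeded")
    return flags

def triage_log(text: str) -> dict:
    """Map each connection uid in an rdp.log excerpt to its flags."""
    return {rec["uid"]: triage(rec) for rec in parse_bro_log(text)}
```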
Challenges
•Data availability
– Cookies (supposedly) only appear in load-balanced environments
– Hostnames and product IDs are optional fields in the MCS Connect Initial PDU
•SSL
– When the connection moves to SSL, the only RDP artifact is the optional cookie value
•Cookies have variable lengths and may be truncated
– Lengths range from 9 to ~127 characters
– Truncation can make multiple users appear to be a single user, e.g. usernames that share a prefix:
 • DOMAIN\samantha
 • DOMAIN\sally
Testing and future work
•Available now: github.com/jshlbrd/bro.git, branch topic/jshlbrd/rdp
– Analyzer is functionally complete, but there is more to do
– Public test traces are also available: testing/btest/Traces/rdp
– Feedback and contributions are appreciated
•Future work
– Pass data to SSL and x509 analyzers when necessary
– Migrate scriptland event cleanup to core
• Hostname and product ID are currently formatted in scriptland
– Test on higher bandwidth networks (volunteers?)
References
•Wireshark: http://wiki.wireshark.org/RDP
•MSDN: https://msdn.microsoft.com/en-us/library/cc240769.aspx
•Ncrack: http://nmap.org/ncrack/
•KYM: http://knowyourmeme.com/memes/shut-up-and-take-my-money