Fraud Management & Cybercrime , Network Detection & Response , Network Firewalls, Network Access Control
Remote Desktop Protocol: An Active Adversary Special Report
What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground when it goes wrong? An Active Adversary Special ReportRemote Desktop Protocol (RDP) was developed by Microsoft to allow users, administrators, and others to connect to remote computers over a network connection using a handy graphical user interface (GUI). The tools required for this come as standard on Microsoft Windows; to initiate and set up an RDP connection, all the tools required to do that are present by default. This is why RDP is used extensively throughout networks by users and administrators to access remote machines.
See Also: How to Unlock the Power of Zero Trust Network Access Through a Life Cycle Approach
Unfortunately, it’s also commonly abused by ransomware groups – so commonly, in fact, that in our regular Active Adversary Reports our editors are forced to treat RDP differently in graphics so other findings are even visible. And RDP abuse is on the rise according to numbers from the past few years of incident-response data as collected by the Sophos Active Adversary Report team. In the most recent Active Adversary Report, you’ll see that RDP has now cracked the 90 percent mark – that is, nine out of 10 IR cases include RDP abuse.
To provide context and advice for administrators and responders looking to deal with RDP, we’re publishing an entire package of resources – videos, companion articles with additional information, and a constellation of additional scripts and information on our GitHub repository. We’re doing this both to share our Active Adversary team’s research beyond the usual long-form reports we issue, and to provide what we hope is a useful set of resources for handling one of infosec’s more annoying chronic ailments.
From an attacker’s point of view, targeting RDP is a natural choice. Most significantly, it’s a Microsoft-provided tool (so, a living-off-the-land binary, or LOLBin) that blends in with typical user and administrative behavior. Its usage alone isn’t apt to draw attention if no one’s keeping an eye out for it, and an attacker need not bring in additional tools that may be detected by EDR or other anti-intrusion tools. RDP also has a relatively pleasant graphical user interface that lowers the skill barrier for attackers to browse files for exfiltration, and to install and use various applications.
Attackers also know that RDP is commonly misconfigured or misused within an environment, both on servers and occasionally on endpoints themselves. The next article in this RDP collection looks at just how common such exposure is, and whether measures such as switching off RDP’s usual 3389 port makes a difference.
Rounding out the dismal RDP picture, we see self-owns such as lack of segregation, use of weak credentials, disabling (by administrators) of potential protections such as NLA (network-level authentication) , and flagrant disregard for best practices such as least privilege. On the brighter side, there are useful, sturdy queries that can give great insight into precisely how RDP is in use on your network… if you know where to look.
So, to provide context and advice for administrators and responders looking to deal with RDP, we’re starting with an entire package of resources – six videos, six companion articles with additional information, and a constellation of additional scripts and information on our GitHub – with more to be added over time as events dictate.
To learn more visit Sophos Active Adversary Report H1 2024