Microsoft Terminal Services Remote Desktop Protocol (RDP) is a great feature that allows the interactive use or administration of a remote Windows system.

However, it can be also used by an attacker, with compromised domain credentials, to move laterally across the local network.

A best practice: network baselining

A best practice used to identify this type of activity is suggested by FireEye in this article, based on a network baselining:

To do this, an organization must first understand what is normal behavior for their specific environment, and then begin to configure detections based on unexpected patterns.

Once defined the baseline, the next step is the identification of RDP activity using event logs.

I've already written something about the identification of lateral movement using event logs (here), using as starting point a paper by Japan Computer Emergency Response Team.

On page 43 there are some useful information:

Furthermore, in this article by Jonathon Poling, there is a good analysis of windows event logs involved in RDP activities:

I debated back and forth on the best way to sort/group these. Ultimately, in truly pragmatic fashion, I figured it would likely be most useful to sort them in the (chronological) order in which you might expect to find them. Ergo, the flow/section breakup is the following:

Network Connection
-->Session Disconnect/Reconnect

Obviously, this analysis activity can also be automated using some tools such as this parser developed by Mike Crowley using Powershell:

This script reads the event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" from multiple servers and outputs the human-readable results to a CSV.

FireEye reccomendations

Finally, I think would be useful to share a checklist some recommendation by FireEye focused on RDP hardening:

  1. Disable the remote desktop service on end-user workstations and laptops, as well as systems where the service is not required for remote connectivity.
  2. Where connectivity using RDP is required, implement a combination of host and network-based controls to enforce that RDP connectivity must be initiated from specific jump boxes and centralized management servers for remote connection to endpoints.
  3. Host-based firewall rules that explicitly deny inbound RDP connections provide enhanced protections, especially for remote users that may utilize their system at locations outside of an organization’s managed infrastructure. Use host-based firewall rules to:
    • Deny inbound RDP connections by default.
    • When required, explicitly permit inbound RDP only from IP addresses correlating to authorized jump boxes.
  4. Employ the “Deny log on through Remote Desktop Services” security setting to prevent standard users from connecting to endpoints using RDP.
    • Ideally, this setting should also deny RDP access for privileged accounts (e.g. domain administrators, service accounts) on endpoints, as these types of accounts are commonly leveraged by attackers for laterally moving to sensitive systems within an environment.
  5. Prevent the use of RDP using local accounts by:
    • Installing KB2871997, and adding the SID “S-1-5-114: NT AUTHORITY\Local account and member of Administrators group” to the “Deny log on through Remote Desktop Services” security setting on endpoints. This can be accomplished by using Group Policy.
    • Randomizing passwords for the built-in local administrator account on endpoints with a solution such as Microsoft LAPS.
  6. Ensure that EID 21, EID 23, EID 24, and EID 25 within the “TerminalServices LocalSessionManager Operational” event log are being captured and forwarded to a SIEM or log aggregator.
  7. Confirm that EID 4624 within the “Security” event log is being captured and forwarded to a SIEM or log aggregator.
  8. Increase the maximum size of the “TerminalServices LocalSessionManager Operational” and event log to at least 500 MB. This can be accomplished by using Group Policy Preferences (GPP) to modify the “MaxSize” registry value within the registry key “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TerminalServices-LocalSessionManager/Operational” on endpoints.
  9. Increase the maximum size of the “Security” event log to at least 1 GB.
  10. Monitor for evidence of the “Security” and “TerminalServices LocalSessionManager Operational” event logs being cleared (EID 1102).
  11. Create and regularly update documentation that maps user accounts and hostnames to business units.
  12. Ensure DHCP logs are archived and easily accessible to correlate source system IP addresses with their hostname at the time of a logon event.

References and further readings