Analyzing RDP traffic with Bro Bro4Pros 2015 Josh Liburdi, CrowdStrike Services


Analyzing RDP traffic with Bro

Bro4Pros 2015

Josh Liburdi, CrowdStrike Services

Background and contact info

2015 CrowdStrike, Inc. All rights reserved. 2

•Two years' experience using Bro every day in large and small enterprise production environments

– Environments range from two to 400+ NSM sensors

•Focus on scalable threat detection scripts and core extensions

•Contact details

– [email protected]

– @jshlbrd

CrowdStrike + Bro


•Leveraged by the CrowdStrike Services team

– Reactive: Incident response

– Proactive: Adversary assessments

•Built for incident response

– CrowdStrike Intelligence via the Bro Intel framework

– Signature-free intrusion detection scripts

• Adversary TTPs (Hurricane Panda’s rogue DNS), targeted malware (PlugX C2)

– Customized core, framework, and logging extensions

•PS: we’re recruiting

Why analyze RDP?


•Significant part of enterprise network activity

– Analysis allows users to gain deeper insight into network activity

•Commonly utilized by attackers to move laterally throughout compromised networks

– Other commonly utilized protocol is SMB

• “But isn’t RDP encrypted?”

– It is, but useful data can still be collected

Analyzing RDP via conn.log


•Multiple assumptions required

•No pcap means no validation

event connection_state_remove(c: connection)
	{
	# Heuristic only: standard RDP port, at least one data packet in each
	# direction (an originator "D" followed later by a responder "d" in the
	# history string), and at least 1000 bytes each way. Without a pcap
	# none of these assumptions can be validated.
	if ( c$id$resp_p == 3389/tcp
	     && /D.*d/ in c$history
	     && c$conn?$orig_bytes && c$conn$orig_bytes >= 1000
	     && c$conn?$resp_bytes && c$conn$resp_bytes >= 1000 )
		print "found RDP?";
	}

Analyzer use and requirements


•Primary use: track compromised user accounts during IR

– Monitor attacker movement in compromised networks

•Secondary use: identify anomalous access

– Monitoring RDP activity over extended periods of time may reveal anomalous, unauthorized activity

•Primary requirements

– Detect RDP on non-standard ports

– Log RDP usernames

– Confirm if an RDP connection attempt was successful

RDP connection sequence


•Connection sequence is made up of 10 phases

•Analyzer inspects the first two phases (connection initiation and basic settings exchange)

– Lots of useful data in these two phases

– More phases could be analyzed if connection is not encrypted (but most are)

Analyzer functionality


•Adds RDP as a service to conn.log (DPD)

•Detects RDP on non-standard ports (DPD)

•Logs key RDP connection sequence data to rdp.log

– Cookie (typically a username)

– Client hostname

– GCC result

•Accurately parses the first two connection sequence phases
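The connection-initiation phase described on the two slides above is small enough to decode by hand. The following Python is an added example and is not code from the Bro RDP analyzer: it parses the TPKT-framed X.224 Connection Request (MS-RDPBCGR 2.2.1.1), extracts the "Cookie: mstshash=" identifier that rdp.log records as the cookie (or the routing token a load balancer puts in its place), and reads the optional RDP_NEG_REQ to see whether the client asked for TLS or CredSSP, which determines whether the following basic settings exchange (MCS Connect Initial, carrying hostname and product ID) will be visible in the clear. The sample PDU, the cookie value and the builder function are constructed for this example.

```python
"""
Parser for the first RDP connection-sequence message: an X.224 Connection
Request (MS-RDPBCGR 2.2.1.1) framed in TPKT.  Added example, not the Bro RDP
analyzer's code.  The sample PDU below is constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPKT_VERSION = 3
X224_CR_CODE = 0xE0            # Connection Request TPDU code lives in the high nibble
TYPE_RDP_NEG_REQ = 0x01
COOKIE_PREFIX = b"Cookie: mstshash="

# requestedProtocols flags carried in RDP_NEG_REQ
PROTOCOL_RDP = 0x00000000      # standard RDP security only
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA) on top of TLS


@dataclass
class ConnectionRequest:
    cookie: Optional[str]               # mstshash identifier, normally a username
    routing_token: Optional[bytes]      # load-balancer token sent instead of a cookie
    requested_protocols: Optional[int]  # None when the client sent no RDP_NEG_REQ

    @property
    def tls_requested(self) -> bool:
        """True when the client offered TLS and/or CredSSP.  The server's
        RDP_NEG_RSP makes the final choice, but a client that offers neither
        can only get standard RDP security, in which case the MCS Connect
        Initial (hostname, product ID) is sent without TLS."""
        return bool(self.requested_protocols)


def parse_x224_connection_request(data: bytes) -> ConnectionRequest:
    if len(data) < 11:
        raise ValueError("too short for TPKT header plus X.224 CR fixed part")
    version, _reserved, tpkt_len = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION:
        raise ValueError("bad TPKT version %d" % version)
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if code & 0xF0 != X224_CR_CODE:
        raise ValueError("not an X.224 Connection Request (code 0x%02x)" % code)
    # LI counts every byte after itself: a 6-byte fixed part (code, dst-ref,
    # src-ref, class option) followed by the variable part.
    end = 5 + li
    if li < 6 or end > len(data):
        raise ValueError("bad X.224 length indicator")
    var = data[11:end]

    cookie = routing_token = None
    # The variable part starts with either a cookie or a routing token, both
    # terminated by CR LF; neither is mandatory.
    crlf = var.find(b"\r\n")
    if crlf != -1:
        field, var = var[:crlf], var[crlf + 2:]
        if field.startswith(COOKIE_PREFIX):
            cookie = field[len(COOKIE_PREFIX):].decode("ascii", "replace")
        else:
            routing_token = field
    requested = None
    if var:
        if len(var) < 8 or var[0] != TYPE_RDP_NEG_REQ:
            raise ValueError("unexpected trailing bytes in variable part")
        # RDP_NEG_REQ: type(1) flags(1) length(2, LE) requestedProtocols(4, LE);
        # any rdpCorrelationInfo that follows is ignored here.
        _type, _flags, length, requested = struct.unpack("<BBHI", var[:8])
        if length != 8:
            raise ValueError("malformed RDP_NEG_REQ length")
    return ConnectionRequest(cookie, routing_token, requested)


def build_connection_request(cookie: str, requested_protocols: Optional[int] = None) -> bytes:
    """Builds a constructed sample PDU for testing; not captured traffic."""
    var = COOKIE_PREFIX + cookie.encode("ascii") + b"\r\n"
    if requested_protocols is not None:
        var += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    fixed = bytes([X224_CR_CODE, 0, 0, 0, 0, 0])   # dst-ref 0, src-ref 0, class 0
    body = fixed + var
    if len(body) > 0xFF:
        raise ValueError("cookie too long for a one-byte X.224 length indicator")
    x224 = bytes([len(body)]) + body
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


# Constructed sample: a domain user connecting with CredSSP requested.
SAMPLE_PDU = build_connection_request("DOMAIN\\samantha", PROTOCOL_HYBRID)

if __name__ == "__main__":
    print(parse_x224_connection_request(SAMPLE_PDU))
```

The one-byte X.224 length indicator is also why cookies have a hard upper bound and why a long username can be cut off by the client before it is ever sent.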

Analyzer output – rdp.log


Field              Value
cookie             A70067
keyboard_layout    English - United States
client_build       RDP 5.1
client_hostname    ISD2-KM84178
client_product_id  55274-OEM-0011903-00107
result             Success
encryption_level   High
encryption_method  128bit

Analyzer in use


•Running in 9 different production environments (~1G links)

•Achieves original requirements and more

– Confirm RDP connection attempts

– Track compromised user accounts (RDP cookie)

– Baseline activity and identify anomalous use based on cookie, hostname, and product_id

– Identify non-Windows / non-standard RDP clients

• keyboard_layout and client_build fields will contain a raw value if no identifiable keyboard or client was identified

•Now for some examples …

Identifying Nessus scans


Field              Value
cookie             rdp_logon_screen.nbin
keyboard_layout    English - United States
client_build       RDP 5.1
client_hostname    nessus
client_product_id  (empty)
result             -
encryption_level   -
encryption_method  -

Identifying RDP attacks


Field              Value
cookie             NCRACK_USER
keyboard_layout    English - United States
client_build       RDP 5.1
client_hostname    NCRACK
client_product_id  (empty)
result             Success
encryption_level   Client Compatible
encryption_method  128bit

Ncrack – High speed network auth cracking tool


Identifying anomalous RDP


Field              Value
id.resp_p          443
cookie             [redacted]
keyboard_layout    English - United States
client_build       RDP 8.0
client_hostname    172.24.6.147
client_product_id  8*\xa3\x97^T\xbc\x9a …
result             Success
encryption_level   Client Compatible
encryption_method  128bit
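The three example slides above (a Nessus scan, an Ncrack run, and an RDP client on port 443 with an IP-literal hostname and a binary product ID) translate directly into triage rules over rdp.log. The following Python is an added example and is not part of the analyzer or of this deck: the log rows, the #fields column order, the baseline of known (responder, cookie) pairs and the rule names are all constructed here and make no claim about the analyzer's real rdp.log layout. The script reads the #fields header, so it follows whatever column order an actual log has.

```python
"""
Triage of rdp.log rows along the lines of the three example slides
(vulnerability scanner, credential-guessing tool, anomalous client).
Added example, not the Bro analyzer's code; rows and field order are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample log: Bro-style tab-separated rows with a #fields header.
# Non-printable bytes are written as \xNN, as Bro's logger escapes them.
SAMPLE_RDP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie\tclient_hostname\tclient_product_id\tkeyboard_layout\tclient_build\tresult\tencryption_level\tencryption_method
1425000001.1\tC1\t10.0.0.5\t50001\t10.0.1.20\t3389\tA70067\tISD2-KM84178\t55274-OEM-0011903-00107\tEnglish - United States\tRDP 5.1\tSuccess\tHigh\t128bit
1425000002.2\tC2\t10.0.0.9\t50002\t10.0.1.20\t3389\trdp_logon_screen.nbin\tnessus\t-\tEnglish - United States\tRDP 5.1\t-\t-\t-
1425000003.3\tC3\t10.0.0.9\t50003\t10.0.1.21\t3389\tNCRACK_USER\tNCRACK\t-\tEnglish - United States\tRDP 5.1\tSuccess\tClient Compatible\t128bit
1425000004.4\tC4\t10.0.0.7\t50004\t10.0.1.22\t443\tjdoe\t172.24.6.147\t8*\\xa3\\x97^T\\xbc\\x9a\tEnglish - United States\tRDP 8.0\tSuccess\tClient Compatible\t128bit
1425000005.5\tC5\t10.0.0.8\t50005\t10.0.1.20\t3389\tsvc_backup\tbuildbox\t-\t1033\t25\tSuccess\tClient Compatible\t128bit
"""

# Constructed baseline of (responder, cookie) pairs observed during a quiet period.
BASELINE: Set[Tuple[str, str]] = {("10.0.1.20", "A70067"), ("10.0.1.20", "svc_backup")}

NESSUS_PLUGIN_RE = re.compile(r"\.nbin$")   # Nessus plugin file names end in .nbin
CRACKER_MARKERS = ("NCRACK",)               # tool name shows up in cookie and hostname


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parses a tab-separated log with a #fields header into one dict per row."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if not fields:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(rows: List[Dict[str, str]],
           baseline: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Returns, per connection uid, the list of rule names that fired."""
    findings: Dict[str, List[str]] = {}
    for r in rows:
        hits: List[str] = []
        cookie, host = r["cookie"], r["client_hostname"]
        if r["id.resp_p"] != "3389":
            hits.append("rdp-nonstandard-port")
        if NESSUS_PLUGIN_RE.search(cookie) or host.lower() == "nessus":
            hits.append("vuln-scanner")
        if any(m in cookie.upper() or m in host.upper() for m in CRACKER_MARKERS):
            hits.append("auth-cracking-tool")
        if is_ip_literal(host):
            hits.append("hostname-is-ip-literal")
        if "\\x" in r["client_product_id"]:
            hits.append("non-printable-product-id")
        # Raw numeric values mean the analyzer could not map layout/build to a name.
        if r["keyboard_layout"].isdigit() or r["client_build"].isdigit():
            hits.append("unrecognized-client")
        # Only successful connections extend the baseline question: who logged
        # on to this host with a cookie we have not seen there before?
        if r["result"] == "Success" and (r["id.resp_h"], cookie) not in baseline:
            hits.append("new-cookie-for-host")
        findings[r["uid"]] = hits
    return findings


if __name__ == "__main__":
    for uid, hits in triage(parse_log(SAMPLE_RDP_LOG), BASELINE).items():
        print(uid, hits or "clean")
```

The baseline rule is the one that needs tuning in practice: because the cookie is optional and may be truncated, two different users can collapse onto one baseline entry, so a site that relies on it should key the baseline on hostname and product ID as well where those fields are populated.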

Challenges


•Data availability

– Cookies (supposedly) only appear in load balanced environments

– Hostnames and product IDs are optional fields in MCS Connect Initial PDU

•SSL

– Only RDP artifact is optional cookie value

•Cookies have variable lengths and may be truncated

– Lengths range from 9 to ~127 characters

– Introduces issue where multiple users may appear to be a single user

• DOMAIN\samantha

• DOMAIN\sally


Testing and future work

•Available now: github.com/jshlbrd/bro.git / topic/jshlbrd/rdp

– Analyzer is functionally complete, but there is more to do

– Public test traces are also available: testing/btest/Traces/rdp

– Feedback and contributions are appreciated

•Future work

– Pass data to SSL and x509 analyzers when necessary

– Migrate scriptland event cleanup to core

• Hostname and product ID are currently formatted in scriptland

– Test on higher bandwidth networks (volunteers?)


Questions?


References

•Wireshark: http://wiki.wireshark.org/RDP

•MSDN: https://msdn.microsoft.com/en-us/library/cc240769.aspx

•Ncrack: http://nmap.org/ncrack/

•KYM: http://knowyourmeme.com/memes/shut-up-and-take-my-money
