Pro Yearly is on sale from $80 to $50! »

Analyzing RDP traffic with Bro

058816a96b488b8336ebcf7cee71d17a?s=47 jshlbrd
February 19, 2015

Analyzing RDP traffic with Bro

Presented at Bro4Pros 2015 in San Francisco, CA, this slide deck reviews technical details and use cases for the (then new) Bro RDP protocol analyzer.

058816a96b488b8336ebcf7cee71d17a?s=128

jshlbrd

February 19, 2015
Tweet

Transcript

  1. Analyzing RDP traffic with Bro Bro4Pros 2015 Josh Liburdi, CrowdStrike

    Services
  2. Background and contact info 2015 CrowdStrike, Inc. All rights reserved.

    2 • Two years experience using Bro every day in large and small enterprise production environments – Environments range from two to 400+ NSM sensors • Focus on scalable threat detection scripts and core extensions • Contact details – josh.liburdi@crowdstrike.com – @jshlbrd
  3. CrowdStrike + Bro 2015 CrowdStrike, Inc. All rights reserved. 3

    • Leveraged by the CrowdStrike Services team – Reactive: Incident response – Proactive: Adversary assessments • Built for incident response – CrowdStrike Intelligence à Bro Intel framework – Signature-free intrusion detection scripts •  Adversary TTPs (Hurricane Panda’s rogue DNS), targeted malware (PlugX C2) – Customized core, framework, and logging extensions • PS: we’re recruiting
  4. Why analyze RDP? 2015 CrowdStrike, Inc. All rights reserved. 4

    • Significant part of enterprise network activity – Analysis allows users to gain deeper insight into network activity • Commonly utilized by attackers to move laterally throughout compromised networks – Other commonly utilized protocol is SMB • “But isn’t RDP encrypted?” – It is, but useful data can still be collected
  5. Analyzing RDP via conn.log 2015 CrowdStrike, Inc. All rights reserved.

    5 • Multiple assumptions required • No pcap means no validation event connection_state_remove(c: connection)! {! if ( c$id$resp_p == 3389/tcp ! && /D.*d/ in c$history ! && c$conn$orig_bytes >= 1000! && c$conn$resp_bytes >= 1000 )! print "found RDP?";! }!
  6. Analyzer use and requirements 2015 CrowdStrike, Inc. All rights reserved.

    6 • Primary use: track compromised user accounts during IR – Monitor attacker movement in compromised networks • Secondary use: identify anomalous access – Monitoring RDP activity over extended periods of time may reveal anomalous, unauthorized activity • Primary requirements – Detect RDP on non-standard ports – Log RDP usernames – Confirm if an RDP connection attempt was successful
  7. RDP connection sequence 2015 CrowdStrike, Inc. All rights reserved. 7

    • Connection sequence is made up of 10 phases • Analyzer inspects first two phases (initiation and basic settings exch.) – Lots of useful data in these two phases – More phases could be analyzed if connection is not encrypted (but most are)
  8. Analyzer functionality 2015 CrowdStrike, Inc. All rights reserved. 8 • Adds

    RDP as a service to conn.log (DPD) • Detects RDP on non-standard ports (DPD) • Logs key RDP connection sequence data to rdp.log – Cookie (typically a username) – Client hostname – GCC result • Accurately parses first two connection sequences
  9. Analyzer output – rdp.log 2015 CrowdStrike, Inc. All rights reserved.

    9 Fields Values cookie A70067 keyboard_layout English - United States client_build RDP 5.1 client_hostname ISD2-KM84178 client_product_id 55274- OEM-0011903-00107 result Success encryption_level High encryption_method 128bit
  10. Analyzer in use 2015 CrowdStrike, Inc. All rights reserved. 10

    • Running in 9 different production environments (~1G links) • Achieves original requirements and more – Confirm RDP connection attempts – Track compromised user accounts (RDP cookie) – Baseline activity and identify anomalous use based on cookie, hostname, and product_id – Identify non-Windows / non-standard RDP clients •  keyboard_layout and client_build fields will contain a raw value if no identifiable keyboard or client was identified • Now for some examples …
  11. Identifying Nessus scans 2015 CrowdStrike, Inc. All rights reserved. 11

    Fields Values cookie rdp_logon_screen.nbin keyboard_layout English - United States client_build RDP 5.1 client_hostname nessus client_product_id (empty) result - encryption_level - encryption_method -
  12. Identifying RDP attacks 2015 CrowdStrike, Inc. All rights reserved. 12

    Fields Values cookie NCRACK_USER keyboard_layout English - United States client_build RDP 5.1 client_hostname NCRACK client_product_id (empty) result Success encryption_level Client Compatible encryption_method 128bit
  13. Ncrack – High speed network auth cracking tool 2015 CrowdStrike,

    Inc. All rights reserved. 13
  14. Identifying anomalous RDP 2015 CrowdStrike, Inc. All rights reserved. 14

    Fields Values id.resp_p 443 cookie [redacted] keyboard_layout English - United States client_build RDP 8.0 client_hostname 172.24.6.147 client_product_id 8*\xa3\x97^T\xbc\x9a … result Success encryption_level Client Compatible encryption_method 128bit
  15. Challenges 2015 CrowdStrike, Inc. All rights reserved. 15 • Data availability

    – Cookies (supposedly) only appear in load balanced environments – Hostnames and product IDs are optional fields in MCS Connect Initial PDU • SSL – Only RDP artifact is optional cookie value • Cookies have variable lengths and may be truncated – Lengths range from 9 to ~127 characters – Introduces issue where multiple users may appear to be a single user •  DOMAIN\samantha •  DOMAIN\sally
  16. 2015 CrowdStrike, Inc. All rights reserved. 16

  17. Testing and future work • Available now: github.com/jshlbrd/bro.git / topic/jshlbrd/rdp – Analyzer

    development is complete, but there is more to do – Public test traces are also available: testing/btest/Traces/rdp – Feedback and contributions are appreciated • Future work – Pass data to SSL and x509 analyzers when necessary – Migrate scriptland event cleanup to core •  Hostname and product ID are currently formatted in scriptland – Test on higher bandwidth networks (volunteers?) 2015 CrowdStrike, Inc. All rights reserved. 17
  18. Questions? 2015 CrowdStrike, Inc. All rights reserved. 18

  19. References • Wireshark: http://wiki.wireshark.org/RDP • MSDN: https://msdn.microsoft.com/en-us/library/cc240769.aspx • Ncrack: http://nmap.org/ncrack/ • KYM: http://knowyourmeme.com/memes/shut-up-and-take-my-money 2015

    CrowdStrike, Inc. All rights reserved. 19
  20. None