Slide 1

Slide 1 text

Analyzing RDP traffic with Bro
Bro4Pros 2015
Josh Liburdi, CrowdStrike Services

Slide 2

Slide 2 text

Background and contact info
• Two years' experience using Bro every day in large and small enterprise production environments
  – Environments range from two to 400+ NSM sensors
• Focus on scalable threat detection scripts and core extensions
• Contact details
  – josh.liburdi@crowdstrike.com
  – @jshlbrd
2015 CrowdStrike, Inc. All rights reserved.

Slide 3

Slide 3 text

CrowdStrike + Bro
• Leveraged by the CrowdStrike Services team
  – Reactive: incident response
  – Proactive: adversary assessments
• Built for incident response
  – CrowdStrike Intelligence -> Bro Intel framework
  – Signature-free intrusion detection scripts
    • Adversary TTPs (Hurricane Panda's rogue DNS), targeted malware (PlugX C2)
  – Customized core, framework, and logging extensions
• PS: we're recruiting

Slide 4

Slide 4 text

Why analyze RDP?
• Significant part of enterprise network activity
  – Analysis allows users to gain deeper insight into network activity
• Commonly used by attackers to move laterally through compromised networks
  – SMB is the other protocol commonly used for this
• "But isn't RDP encrypted?"
  – It is, but the connection setup that precedes encryption still yields useful data

Slide 5

Slide 5 text

Analyzing RDP via conn.log
• Multiple assumptions required: responder port 3389, payload in both directions, at least 1000 bytes each way
• No pcap means no validation

  # conn.log heuristic: port 3389/tcp, originator payload then responder
  # payload (D then d in history), >= 1000 bytes in each direction
  event connection_state_remove(c: connection)
      {
      if ( c$id$resp_p == 3389/tcp
           && /D.*d/ in c$history
           && c$conn$orig_bytes >= 1000
           && c$conn$resp_bytes >= 1000 )
          print "found RDP?";
      }
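The heuristic above, ported to Python and run over a few constructed conn.log rows, as an added example that is not part of the talk. It shows what the slide's assumptions cost: a non-RDP service that happens to listen on 3389/tcp fires the rule, and RDP on any other port (such as the 443/tcp case later in the talk) is missed. The sample rows, their uids and addresses are made up for the example.

```python
# Added example (not from the talk): the conn.log heuristic from the slide,
# ported to Python and run over constructed conn.log rows so that its
# assumptions, and the cases it gets wrong, are visible.
import csv
import io
import re

# Constructed conn.log excerpt (Bro TSV, trimmed to the fields the heuristic uses).
# C4 is RDP-like traffic to 443/tcp; C5 is SSH that happens to listen on 3389/tcp.
SAMPLE_CONN_LOG = """\
uid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\thistory\torig_bytes\tresp_bytes
C1\t10.0.0.5\t49152\t10.0.0.9\t3389\ttcp\t-\tShADadfF\t4120\t9810
C2\t10.0.0.5\t49153\t10.0.0.9\t3389\ttcp\t-\tShADadR\t1215\t3002
C3\t10.0.0.7\t49154\t10.0.0.9\t3389\ttcp\t-\tShAFf\t0\t0
C4\t10.0.0.7\t49155\t10.0.0.9\t443\ttcp\t-\tShADadfF\t5300\t12000
C5\t10.0.0.8\t49156\t10.0.0.9\t3389\ttcp\tssh\tShADadfF\t2300\t4100
"""


def parse_conn_log(text):
    """Parse a header-prefixed conn.log TSV excerpt into one dict per row."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def _count(value):
    return 0 if value == "-" else int(value)   # Bro writes '-' for unset counts


def looks_like_rdp(row):
    """Same test as the Bro snippet: responder port 3389/tcp, originator payload
    followed by responder payload (D then d in history), >= 1000 bytes each way."""
    return (row["id.resp_p"] == "3389"
            and row["proto"] == "tcp"
            and re.search(r"D.*d", row["history"]) is not None
            and _count(row["orig_bytes"]) >= 1000
            and _count(row["resp_bytes"]) >= 1000)


def scan_conn_log(text):
    """Return the uids the heuristic flags, in log order."""
    return [row["uid"] for row in parse_conn_log(text) if looks_like_rdp(row)]


if __name__ == "__main__":
    for row in parse_conn_log(SAMPLE_CONN_LOG):
        verdict = "found RDP?" if looks_like_rdp(row) else "-"
        print(row["uid"], row["id.resp_p"], row["service"], verdict)
```

Run against the sample, the heuristic flags C1, C2 and C5: C5 is the SSH false positive, and C4 (the 443/tcp connection) is never considered because the port test comes first. Only payload inspection, which is what the analyzer described on the following slides does through DPD, fixes both.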

Slide 6

Slide 6 text

Analyzer use and requirements
• Primary use: track compromised user accounts during IR
  – Monitor attacker movement in compromised networks
• Secondary use: identify anomalous access
  – Monitoring RDP activity over extended periods of time may reveal anomalous, unauthorized activity
• Primary requirements
  – Detect RDP on non-standard ports
  – Log RDP usernames
  – Confirm whether an RDP connection attempt was successful

Slide 7

Slide 7 text

RDP connection sequence
• The connection sequence is made up of 10 phases
• The analyzer inspects the first two phases (connection initiation and basic settings exchange)
  – Lots of useful data in these two phases: the client's cookie in the X.224 Connection Request, and the client settings carried in the MCS Connect Initial PDU
  – More phases could be analyzed if the connection is not encrypted (but most are)

Slide 8

Slide 8 text

Analyzer functionality
• Adds RDP as a service to conn.log (via DPD)
• Detects RDP on non-standard ports (via DPD)
• Logs key connection-sequence data to rdp.log
  – Cookie (typically a username)
  – Client hostname
  – GCC result (whether the server accepted the connection attempt)
• Accurately parses the first two connection-sequence phases
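To make the two phases concrete, here is a small Python parser for the data the analyzer pulls out of them, with constructed sample PDUs. This is an added example, not the talk's analyzer or any code from the Bro project; field layouts follow the MS-RDPBCGR structures (TPKT/X.224 Connection Request with the mstshash cookie and rdpNegReq, and TS_UD_CS_CORE from the MCS Connect Initial). The keyboard-layout and build lookup tables are illustrative subsets (an assumption about what the real analyzer knows); unknown values fall back to the raw number, as the talk describes later. The builder functions exist only to construct the sample bytes.

```python
# Added example, not the talk's analyzer: a minimal Python parser for the two
# connection-sequence phases the analyzer inspects, with constructed sample PDUs.
# Field layouts follow MS-RDPBCGR (X.224 Connection Request, TS_UD_CS_CORE).
import struct

# Illustrative lookups (assumption: subsets of what the real analyzer knows);
# unknown values fall back to the raw number.
KEYBOARD_LAYOUTS = {0x0409: "English - United States", 0x0407: "German (Standard)",
                    0x0411: "Japanese"}
CLIENT_BUILDS = {2195: "RDP 5.0", 2600: "RDP 5.1", 3790: "RDP 5.2", 6000: "RDP 6.0",
                 6001: "RDP 6.1", 7600: "RDP 7.0", 7601: "RDP 7.1", 9200: "RDP 8.0",
                 9600: "RDP 8.1"}
PROTOCOL_SSL, PROTOCOL_HYBRID = 0x1, 0x2   # rdpNegReq requestedProtocols bits
COOKIE_PREFIX = b"Cookie: mstshash="
CS_CORE = 0xC001                            # TS_UD_HEADER type of client core data


def parse_x224_connection_request(pdu):
    """Phase 1 (connection initiation): TPKT + X.224 Connection Request.
    Returns the optional mstshash cookie and the requested security protocols."""
    if len(pdu) < 11 or pdu[0] != 3 or struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("not a complete TPKT PDU")
    li, tpdu_type = pdu[4], pdu[5]
    if tpdu_type != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = pdu[11:5 + li]        # after the LI, type, DST-REF, SRC-REF and class octets
    info = {"cookie": None, "requested_protocols": 0}
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        info["cookie"] = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    if len(body) >= 8 and body[0] == 0x01:  # TYPE_RDP_NEG_REQ
        info["requested_protocols"] = struct.unpack_from("<I", body, 4)[0]
    return info


def parse_client_core_data(block):
    """Phase 2 (basic settings exchange): TS_UD_CS_CORE from the MCS Connect
    Initial. Fields after imeFileName are optional, so a short block yields
    an empty product ID instead of an error (the Nessus case on the slides)."""
    hdr_type, hdr_len = struct.unpack_from("<HH", block, 0)
    if hdr_type != CS_CORE or hdr_len != len(block) or hdr_len < 132:
        raise ValueError("not a well-formed client core data block")
    keyboard_layout, client_build = struct.unpack_from("<II", block, 16)
    hostname = block[24:56].decode("utf-16-le", "replace").split("\x00", 1)[0]
    product_id = ""
    if hdr_len >= 210:                      # clientDigProductId is present
        product_id = block[146:210].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"keyboard_layout": KEYBOARD_LAYOUTS.get(keyboard_layout, str(keyboard_layout)),
            "client_build": CLIENT_BUILDS.get(client_build, str(client_build)),
            "client_hostname": hostname,
            "client_product_id": product_id}


# Builders for the constructed sample traffic (the reverse of the parsers above).
def build_x224_connection_request(user=None, protocols=0):
    body = b""
    if user is not None:
        body += COOKIE_PREFIX + user.encode("ascii") + b"\r\n"
    body += struct.pack("<BBHI", 0x01, 0, 8, protocols)        # rdpNegReq
    tpdu = bytes([6 + len(body), 0xE0, 0, 0, 0, 0, 0]) + body  # LI, CR, refs, class
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu     # TPKT header


def build_client_core_data(keyboard_layout, client_build, hostname, product_id=None):
    core = struct.pack("<IHHHHII", 0x00080004, 1024, 768, 0xCA01, 0xAA03,
                       keyboard_layout, client_build)
    core += hostname.encode("utf-16-le").ljust(32, b"\x00")
    core += struct.pack("<III", 4, 0, 12) + bytes(64)   # keyboard type/subtype/fkeys, imeFileName
    if product_id is not None:                          # optional tail of the structure
        core += struct.pack("<HHIHHH", 0xCA01, 1, 0, 24, 0x0007, 0x0001)
        core += product_id.encode("utf-16-le").ljust(64, b"\x00")
        core += struct.pack("<BBI", 0, 0, 0)            # connectionType, pad, serverSelectedProtocol
    return struct.pack("<HH", CS_CORE, 4 + len(core)) + core


if __name__ == "__main__":
    cr = build_x224_connection_request("NCRACK_USER", PROTOCOL_SSL)
    core = build_client_core_data(0x0409, 2600, "NCRACK", "55274-OEM-0011903-00107")
    print(parse_x224_connection_request(cr))
    print(parse_client_core_data(core))
    print(parse_client_core_data(build_client_core_data(0x0409, 2600, "nessus")))
```

The two parsers deliberately stop where the talk's analyzer stops: once the client has asked for SSL in the negotiation request, nothing after the Connection Request is readable, which is why the cookie is the only field that survives in that case.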

Slide 9

Slide 9 text

Analyzer output – rdp.log

Field               Value
cookie              A70067
keyboard_layout     English - United States
client_build        RDP 5.1
client_hostname     ISD2-KM84178
client_product_id   55274-OEM-0011903-00107
result              Success
encryption_level    High
encryption_method   128bit

Slide 10

Slide 10 text

Analyzer in use
• Running in 9 different production environments (~1G links)
• Achieves the original requirements and more
  – Confirm RDP connection attempts
  – Track compromised user accounts (RDP cookie)
  – Baseline activity and identify anomalous use based on cookie, hostname, and product_id
  – Identify non-Windows / non-standard RDP clients
    • keyboard_layout and client_build contain the raw value when the keyboard layout or client build matches nothing known
• Now for some examples ...

Slide 11

Slide 11 text

Identifying Nessus scans

Field               Value
cookie              rdp_logon_screen.nbin
keyboard_layout     English - United States
client_build        RDP 5.1
client_hostname     nessus
client_product_id   (empty)
result              -
encryption_level    -
encryption_method   -

Slide 12

Slide 12 text

Identifying RDP attacks

Field               Value
cookie              NCRACK_USER
keyboard_layout     English - United States
client_build        RDP 5.1
client_hostname     NCRACK
client_product_id   (empty)
result              Success
encryption_level    Client Compatible
encryption_method   128bit

Slide 13

Slide 13 text

Ncrack – high-speed network auth cracking tool

Slide 14

Slide 14 text

Identifying anomalous RDP

Field               Value
id.resp_p           443
cookie              [redacted]
keyboard_layout     English - United States
client_build        RDP 8.0
client_hostname     172.24.6.147
client_product_id   8*\xa3\x97^T\xbc\x9a ...
result              Success
encryption_level    Client Compatible
encryption_method   128bit

Slide 15

Slide 15 text

Challenges
• Data availability
  – Cookies (supposedly) only appear in load-balanced environments
  – Hostnames and product IDs are optional fields in the MCS Connect Initial PDU
• SSL
  – When the client negotiates SSL, the only RDP artifact left in the clear is the optional cookie value
• Cookies have variable lengths and may be truncated
  – Lengths range from 9 to ~127 characters
  – Truncation means multiple users may appear to be a single user, e.g. these two share their first nine characters and become indistinguishable
    • DOMAIN\samantha
    • DOMAIN\sally
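The baselining use from the "Analyzer in use" slide and the truncation caveat above lend themselves to a post-processing pass over rdp.log. The following is an added example, not the talk's code or a Bro script: it reads constructed rdp.log rows and tags the conditions shown on the preceding slides (RDP on a non-standard port, an IP literal where a hostname should be, binary junk in the product ID, the Nessus and Ncrack indicator values, a missing GCC result) plus the truncation collision. The assumption that a cookie of exactly nine characters may be a truncated username is the example's own reading of the "lengths range from 9" point; the indicator values are the ones shown on the slides, and all uids, addresses and hostnames are made up.

```python
# Added example (not from the talk): baseline and anomaly checks over constructed
# rdp.log rows, covering the cases the slides show and the cookie-truncation caveat.
import ipaddress
from collections import defaultdict

# Constructed rdp.log excerpt (Bro TSV, trimmed to the fields used here). Bro escapes
# non-printable bytes in log fields as \xNN, which is how R5's product ID appears.
SAMPLE_RDP_LOG = """\
uid\tid.orig_h\tid.resp_h\tid.resp_p\tcookie\tresult\tclient_hostname\tclient_product_id
R1\t10.1.1.20\t10.1.1.5\t3389\tDOMAIN\\sa\tSuccess\tWS-SAM01\t55274-OEM-0011903-00107
R2\t10.1.1.21\t10.1.1.5\t3389\tDOMAIN\\sa\tSuccess\tWS-SAL02\t55274-OEM-0011903-00107
R3\t10.1.1.30\t10.1.1.5\t3389\tNCRACK_USER\tSuccess\tNCRACK\t-
R4\t10.1.1.31\t10.1.1.5\t3389\trdp_logon_screen.nbin\t-\tnessus\t-
R5\t10.1.1.40\t10.1.1.5\t443\tDOMAIN\\bob\tSuccess\t172.24.6.147\t8*\\xa3\\x97^T\\xbc\\x9a
"""

SCANNER_COOKIES = {"NCRACK_USER", "rdp_logon_screen.nbin"}   # values shown in the talk
SCANNER_HOSTNAMES = {"NCRACK", "nessus"}
TRUNCATED_COOKIE_LEN = 9   # assumption: a 9-character cookie may be a truncated username


def parse_rdp_log(text):
    """Header-prefixed TSV excerpt -> list of dicts (no quoting in Bro logs)."""
    lines = text.splitlines()
    fields = lines[0].split("\t")
    return [dict(zip(fields, line.split("\t"))) for line in lines[1:] if line]


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def has_binary_junk(value):
    # Either Bro's \xNN escapes or raw control characters in a field that should be text.
    return "\\x" in value or any(not 0x20 <= ord(ch) <= 0x7E for ch in value)


def analyze_rdp_log(text):
    """Return {uid: sorted list of finding tags} for every row of the log."""
    rows = parse_rdp_log(text)
    hosts_per_cookie = defaultdict(set)          # the baseline: which hosts use a cookie
    for row in rows:
        hosts_per_cookie[row["cookie"]].add(row["client_hostname"])
    findings = {}
    for row in rows:
        cookie, host, pid = row["cookie"], row["client_hostname"], row["client_product_id"]
        tags = []
        if row["id.resp_p"] != "3389":
            tags.append("nonstandard-port")
        if host != "-" and is_ip_literal(host):
            tags.append("ip-as-hostname")
        if pid != "-" and has_binary_junk(pid):
            tags.append("binary-product-id")
        if cookie in SCANNER_COOKIES:
            tags.append("scanner-cookie")
        if host in SCANNER_HOSTNAMES:
            tags.append("scanner-hostname")
        if row["result"] == "-":                 # never reached the GCC response
            tags.append("no-result")
        if len(cookie) == TRUNCATED_COOKIE_LEN and len(hosts_per_cookie[cookie]) > 1:
            tags.append("ambiguous-cookie")      # possibly several users behind one cookie
        findings[row["uid"]] = sorted(tags)
    return findings


if __name__ == "__main__":
    for uid, tags in analyze_rdp_log(SAMPLE_RDP_LOG).items():
        print(uid, ", ".join(tags) or "-")
```

The ambiguous-cookie tag is the practical consequence of the truncation point: R1 and R2 carry the same nine-character cookie from two different hosts, so the cookie alone cannot say whether one account or two were used, and the hostname (when the client sends it) is what separates them.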

Slide 16

Slide 16 text


Slide 17

Slide 17 text

Testing and future work
• Available now: github.com/jshlbrd/bro.git (topic/jshlbrd/rdp)
  – Analyzer development is complete, but there is more to do
  – Public test traces are also available: testing/btest/Traces/rdp
  – Feedback and contributions are appreciated
• Future work
  – Pass data to the SSL and x509 analyzers when necessary
  – Migrate scriptland event cleanup to the core
    • Hostname and product ID are currently formatted in scriptland
  – Test on higher-bandwidth networks (volunteers?)

Slide 18

Slide 18 text

Questions?

Slide 19

Slide 19 text

References
• Wireshark: http://wiki.wireshark.org/RDP
• MSDN: https://msdn.microsoft.com/en-us/library/cc240769.aspx
• Ncrack: http://nmap.org/ncrack/
• KYM: http://knowyourmeme.com/memes/shut-up-and-take-my-money
