Understanding the intention of a dual-use tool being executed is challenging; however, it is best practice to document which tools are approved for corporate use and block all others by default until they can be reviewed. This has the added benefit of reducing shadow IT risk as well. Additionally, just like high-value business data, access to both the tool and the output of vulnerability scanners and asset discovery applications should be restricted and audited.

We have also included an example Sigma detection rule for the activity shown in Incident #1.

```yaml
title: Listing Directories of Remote Hosts
description: Threat actors can use Windows binaries and commands to discover directories of interest on remote hosts and redirect the output to a file on disk for later consumption.
```

There were no network restrictions on Remote Desktop Protocol (RDP), and the threat actor was able to move freely across the network as a result. This activity was captured by multiple event types:

- Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational, Event ID: - RDP connection established
- Event ID: 25 - Remote Desktop Services: Session reconnection succeeded
- Event ID: 24 - Remote Desktop Services: Session has been disconnected
- Event ID: RDP Type "3" from IP: - Device:

Similar to Incident #1, the threat actor was able to RDP unencumbered across the organization's infrastructure. Securing RDP access can be difficult for many companies, but it is a project worthy of investment. The first item to check off is to restrict, by role, which accounts can access other systems using RDP. The overwhelming majority of users do not need this access. Secondly, adopting a centralized jump server, which only admins can access with MFA, and blocking all other system-to-system RDP at the network level is a strong preventative control. Lastly, a detection should be in place to promptly review anomalous RDP connections and deconflict them with approved system administration activity.
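As an added example (not the post's own code), the Python below implements the "review anomalous RDP connections" detection just described: it keeps only the Event ID 24/25 session events listed for this incident, flags sessions that did not arrive through the approved jump-server subnet with an approved admin account, and surfaces a single source fanning out to several hosts. The key=value log format, subnet, account names and device names are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Assumed policy (constructed): RDP only for these accounts, only from the jump-server subnet.
APPROVED_ADMINS = {"CORP\\jsmith-adm", "CORP\\rlee-adm"}
JUMP_SERVER_NET = ip_network("10.10.50.0/28")
# Session events named on the page; anything else is ignored by the checks below.
RDP_SESSION_EVENTS = {24: "Session has been disconnected", 25: "Session reconnection succeeded"}


class RdpEvent(NamedTuple):
    event_id: int
    user: str
    source_ip: str
    device: str


def parse_line(line: str) -> RdpEvent:
    """Parse one 'key=value' log line (constructed format, an assumption)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return RdpEvent(int(kv["EventID"]), kv["User"], kv["SourceIP"], kv["Device"])


def review_reasons(ev: RdpEvent) -> list[str]:
    """Why an analyst should look at this event; an empty list means approved activity."""
    if ev.event_id not in RDP_SESSION_EVENTS:
        return []
    reasons = []
    if ip_address(ev.source_ip) not in JUMP_SERVER_NET:
        reasons.append("source is not the jump server")
    if ev.user not in APPROVED_ADMINS:
        reasons.append("account not approved for RDP")
    return reasons


def fan_out(events: list[RdpEvent], threshold: int = 3) -> dict[str, int]:
    """Source IPs with RDP sessions to at least `threshold` distinct devices."""
    targets = defaultdict(set)
    for ev in events:
        if ev.event_id in RDP_SESSION_EVENTS:
            targets[ev.source_ip].add(ev.device)
    return {ip: len(devs) for ip, devs in targets.items() if len(devs) >= threshold}


# Constructed sample log: an approved admin via the jump server, then a user workstation reaching three servers.
SAMPLE_LOG = """\
EventID=25 User=CORP\\jsmith-adm SourceIP=10.10.50.4 Device=FS01
EventID=24 User=CORP\\jsmith-adm SourceIP=10.10.50.4 Device=FS01
EventID=25 User=CORP\\mjones SourceIP=10.20.3.77 Device=FS01
EventID=25 User=CORP\\mjones SourceIP=10.20.3.77 Device=DC02
EventID=25 User=CORP\\mjones SourceIP=10.20.3.77 Device=SQL01
"""
EVENTS = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
```

Run `review_reasons` over each event to get the deconfliction queue, and `fan_out` over the whole batch to catch the "moved freely across the network" pattern even when individual sessions look routine.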