Detection of RDP Hijacking

Delaware, USA – September 19, 2017 – The possibility of RDP session hijacking in Microsoft Windows is known since 2011. In March of this year researcher Alexander Korznikov described detailed methods of hijacking in his blog. At the moment there are about 2.5 million open RDP servers in the world, and, according to the research, approximately 0.5% of them are already compromised using one of these methods. This threat affects all server OS and the number of servers using RDP is constantly increasing.

Adversaries can use these methods both for penetration and for lateral movement within the company’s perimeter. To prevent hijacking of RDP sessions, it is recommended to use two-factor authentication, but, unfortunately, this is not always possible. It is quite difficult to detect the use of this backdoor. Thus, Sysmon Framework for ArcSight and Sysmon Integration Framework for Splunk have been updated. Now they not only help to detect APT activities or data leakage but also warn the administrator about the run of malicious commands in order to steal the RDP session. To speed up development of Sysmon Framework for QRadar, you can vote for it in Use Case Cloud. You can also use the Windows Security Monitor use case to monitor security events in the areas of access control, user management, group management and maintenance of systems and services.

Sysmon Framework for ArcSight – https://ucl.socprime.com/use-case-library/info/425/
Sysmon Integration Framework for Splunk – https://ucl.socprime.com/use-case-library/info/391/

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.