I was just working in the NOC for HackFest 2018 in Quebec City (https://hackfest.ca/en/) and playing with RDP traffic to see who was potentially accessing remote systems on the network.
This was inspired by this deck from Brocon and some recent enhancements to the RDP parser. (https://www.bro.org/brocon2015/slides/liburdi_hunting_rdp.pdf)
Recent enhancements to the RDP parser include extracting the screen resolutions, the username as well as the hostname, certificate and other details.
With some simple charting language we can create a number of rules that look for various properties of RDP traffic based on direction (Should you have RDP inbound from the internet?, should you have RDP outbound to the internet?) as well as volume based rules (which system has the most RDP session logins by unique username?, which system connects to the most systems by distinct count of ip?)
The report language is hosted here, simply import it into your Reporting Engine and point it at your packet broker/concentrators.
GitHub - epartington/rsa_nw_re_rdp: RDP summary reports for hunting/identification
Please let me know if there are modifications to the Report that make it more useful to you.
Rules included in the report:
- most frequent RDP hostnames
- most frequent RDP keyboard languages
- least frequent RDP keyboard languages
- Outbound/Inbound/Lateral RDP traffic
- Most frequent RDP screen resolutions
- Most frequent RDP Usernames
- Usernames by distinct destination IP
- RDP Hosts with more than 1 username from them
