NetWitness Community

Introduction:

 

Simulating an RDP Misconfiguration: A Red Team vs. Blue Team Exercise

 

This blog post details a simulated attack on a misconfigured Remote Desktop Protocol (RDP) server, showcasing how a seemingly minor configuration error can lead to complete server compromise. We'll explore the tools employed by both the attackers (Red Team) and defenders (Blue Team) to illustrate the importance of robust security measures.

 

The Scenario: Exploiting a Vulnerable RDP Server

Our scenario hinges on a misconfigured RDP server, a common vulnerability that attackers actively exploit. By leveraging a single weakness, we'll demonstrate how a Red Team can gain complete control of the server.

 

• Red Team Arsenal:

 

-Nmap: This versatile network scanner helps identify open ports and services on the target server, providing valuable reconnaissance information.

-Hydra: A powerful password cracking tool, Hydra can be used to brute-force login credentials for RDP access.

-Remmina: Once valid credentials are obtained, Remmina allows remote desktop access to the compromised server.

-Sliver C2 Framework: This advanced tool provides a command-and-control (C2) platform for the Red Team to execute commands, upload malicious tools, and maintain persistence on the compromised server.

 

• Blue Team's Defense Strategy:

            The Blue Team utilizes a multi-layered security approach to detect and respond to the attack:

 

• Netwitness: This comprehensive security platform provides real-time network traffic analysis, enabling the Blue Team to identify suspicious activity.
• Sysmon Logs: System Monitor (Sysmon) is a Windows utility that generates detailed system event logs, offering valuable forensic data for the Blue Team.
• Netwitness EDR: This Endpoint Detection and Response (EDR) solution by Netwitness extends security beyond the network, providing endpoint visibility and threat detection capabilities.
• Windows Security Logs: Native Windows security logs offer insights into login attempts, file access, and other system activities, aiding in threat investigation.
• Netwitness NDR: Network Detection and Response (NDR) functionality within Netwitness allows for continuous network traffic monitoring and threat detection.
• VirusTotal: This online service helps analyze suspicious files or URLs, providing insights into potential malware threats.

 

 

• Resources for Further Exploration:
• Hydra: https://github.com/vanhauser-thc/thc-hydra
• Nmap: https://nmap.org/
• Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Sliver: https://github.com/BishopFox/sliver
• VirusTotal: https://www.virustotal.com/

 

• Conclusion:

This simulation emphasizes the critical role of secure RDP configurations and the importance of a layered security approach. By employing advanced network monitoring tools like Netwitness, security teams can effectively detect and respond to various attack vectors, minimizing the impact of potential breaches.

 

• Additional Considerations:

This blog post is for educational purposes only. Do not attempt these actions on unauthorized systems.

 

 

The Attack:

 

 

 

 

 

 

 

Red-Team Activity:

• Recon

As we checked the provided subnet 192.168.255.0/24 using NMAP we found one machine up and running.

 

 

Digging more into some of the open ports RDP 3389 to collect more information about the environment.

 

 

 

Recon Results

 - Active machine 192.168.255.187

- 14 open ports

- Domain name “AGENT01”

 

 

 

• Initial Access

Utilizing the wordlist to gain access using brute force by hydra we could successfully break in.

 

 

Let’s try to connect using Remmina by the username, password and the domain gained previously.

 

 

Now we are in and can confirm that user “netwi” has full admin privilege on the machine.

 

 

 

 

• Persistence

Let’s not relay only on the RDP connection, and inject our backdoor into the system. As we gained admin access to the machine we can do almost anything.

               - Resource development:

                              - Using Sliver to craft our customized payload

                              - Setting our HTTP listener

                              - Generating our beacon, using our Kali machine and port 80 for connection

 

 

       

 

 

 

 

 

 

 

 

 

• Payload Delivery
• Setting up our Kali machine as http server to host the payload
• Download the payload by the user compromised earlier

 

 

 

 

 

 

 

 

• Execution
• Using the compromised account to execute the payload
• Wait for our C2 to receive the connection

 

 

 

• Persistence
• Setting up our payload at auto run registry keys to ensure persistence

 

 

 

 

 

 

 

• Exfiltration
• Using our new backdoor to exfiltrate some file from to our Kali Machine

 

 

 

• As per MITRE ATT&CK framework the below tactics were executed.
• - Recon > Active scanning
• - Resource development > Develop Capabilities
• - Initial access > Valid accounts
• - Execution > User execution - Persistence > Boot or logon autostart execution
• - Exfiltration > Exfiltration over C2 Channel

 

 

 

 

 

 

 

Detection:

• ESA alarm was triggered as alerting A machine was exposed to brute force attack.

 

 

 

 

 

• Upon investigation to narrow our scope, let’s focus on the IP reported.
• It seems that the attacker IP switched from source to destination
• This maybe indicator of reverse shell

 

 

 

 

 

 

 

 

• Searching for event id 4624 associated with attacker IP to confirm the attacker logged in successfully or not

 

 

 

• To have a better time frame of the breach, we can focus on windows terminal service event ids (24 & 25)
• From those logs it seems that the attacker only lasted on the machine around 20 mins

 

 

 

 

 

• Shifting our scope to the traffic where the attacker IP works as dst IP
• Around 200 logs, most of them are Sysmon logs event id 3, which indicates network connection created
• Excluding Sysmon, to analyze endpoint logs, we noticed edge connection on port 8080
• Another connection on 80 caused by executable file name PAYABLE_RHYTHM.exe

 

 

 

 

 

 

 

 

 

 

 

 

• Investigating PAYABLE_RHYTHM.exe further, to collect more information on this exe file.
• We noticed that it was downloaded by msedge
• Sysmon logs shows the hash stream, can be used to lookup for this has on VT
• MS Defender seems to open this executable file, but didn’t recognize it as malicious
• It was executed by explorer, maybe during the RDP session

 

 

 

 

 

 

 

 

 

• Another important Metas to check during the investigation are (IOC & BOC)
• We Noticed modification on the Run key, adding PAYABLE_RHYTM.exe
• This action mostly for keeping a continus backdoor on the infected machine

 

 

 

 

 

• EDR investigation:
• After checking logs provided, it’s time to shift our investigation on the affected host
• Using Netwitness Hosts page for EDR
• Analyzing the previous processes (PAYABLE_RHYTHM.exe, msedge.exe & explorer.exe)
• The path of PAYABLE_RHYTHM.exe is ended the download, which confirms our previous findings
• Regedit, msedge & PAYABLE_RHYTHM.exe has the same PPID

 

 

 

 

 

 

 

• NDR Investigation:
• Let’s the Network captured logs by Netwitness NDR, if any of the traffic transactions could be sniffed.
• We could see the get request, noticed on msedge on port 8080
• As we went through the corresponding post request, we noticed some of files was hosted on the affected machine.
• It seems that the attacker also exfiltrated some of the files

 

 

 

 

 

 

 

• Trying to sniff traffic initiated by PAYABLE_RHYTHM.exe, to have more details about this connection
• We Noticed encrypted traffic, with POST requests.
• This seems to be C2 server requests from the victim to Attackers IP

 

 

 

 

 

 

 

 

• OSNIT (VT)
• Looking for Hash files on VT, but it seems that nothing related
• Uploading the EXE file, to get more details about it.
• It seems that it’s a Trojan file, collecting those artifacts to add it as IOC

 

 

 

 

 

 

 

 

 

• IOCs Collected

IOC Name	IOC Value
Attacker IP	192.168.255.186
Executable name	PAYABLE_RHYTHM.exe
Executable MD5 Hash	f0db2499b26a8da4b1cd27b4405c1c79
.text MD5 Hash	addff6286c652639e10e4a6cd8af37c0
.rdata MD5 Hash	f41bcff03d7cbe853ec37fc61f08bc10
.data MD5 Hash	323e00420e0ee833bdcfcee530367390

 

 

 

 

• Conclusion:
•  Tightening WAN Security in the Face of Rising Cyberattacks
•  The ever-growing threat landscape necessitates robust security controls for services exposed on Wide Area Networks (WANs). This report highlights several critical security measures that can significantly impede or even prevent attacks on such systems.
•  · Restricting Unnecessary RDP Access: Leaving RDP connections open to the WAN can be a security vulnerability. If remote desktop access isn't a core function of the service, consider blocking RDP connections from WAN addresses. This reduces the attack surface and minimizes potential entry points.
•  · Enforcing Strong Password Policies: Implementing password lockout policies after a certain number of failed login attempts deters brute-force attacks. Additionally, mandating complex passwords with a combination of uppercase and lowercase letters, numbers, and symbols further strengthens authentication. Furthermore, using unique username formats that deviate from common patterns makes credential guessing more challenging for attackers.
• · Principle of Least Privilege: The concept of segregation of duties dictates that users should only have the minimum level of access required to perform their tasks. Avoid granting administrative privileges to everyday user accounts. This principle minimizes the potential damage if an attacker compromises a user account.
• By implementing these security controls, organizations can significantly enhance the security posture of their WAN-exposed services and mitigate the risk of cyberattacks