Forensic analysis on real incidents inside Microsoft Remote Desktop Services

In the last few years, with the rise of remote work and cloud computing, the number of incidents in which attackers connect via RDP directly to Windows hosts has significantly risen, making it one of the most frequent entry points to company networks. In various corporate environments, Microsoft Remote Desktop Services (RDS) (previously known as Terminal Services) is deployed to easily handle multiple RDP sessions. Therefore, multiple threat actors and malware campaigns target RDS infrastructures because in practice, they are exposed to the Internet. These intrusions are difficult to detect because no malware/backdoor is executed for remote access. Incident responders need to be familiar with this infrastructure’s specificities to successfully conduct an investigation on an RDS compromise.

This presentation is based on the RDS infrastructure and its different technical components. From deployment architectures to forensics artifacts, the aim of this talk is to present relevant elements in the context of an analysis. By explaining how the threats are deployed, and how they can be tracked, this talk aims to outline an investigation methodology which is based on real-world attacks.

This will be achieved by showing demos about attacks based on a set of known Tactics, Techniques, and Procedures (TTPs) used by real threat actors to go from initial access to a full compromise, for instance a ransomware deployment once domain dominance is achieved. After each attack, the purpose is to identify the traces left by reviewing endpoint logs, like Windows Event logs and Sysmon logs, as well as AV/EDR logs like those from Windows Defender, among others. In the end, to ease the life of incident response teams, a tool handling RDS forensics will be publicly released.

Introduction and problematic overview

• Why use remote access solutions (VPN, VDI and RDS)?
• Short presentation of the most popular remotely hosted virtual desktops solutions: Citrix XenApp & XenDesktop, VMware Horizon and Microsoft RDS

Focus on Microsoft Remote Desktop Services (RDS) aka Terminal Services

• Remote Desktop Services roles
  • RD Gateway, RD Web Access, RD Connection Broker, RD Session Hosts
• Remote Desktop Authorization Policies (RD CAPs & RD RAPs)
• RDS deployment on-premises and on the cloud

How to compromise and investigate an RDS infrastructure

This section highlights threat detection opportunities within each demo of real-world attacks.

• Threat landscape
  • Recent attacks exploiting RDS
  • Shodan results about exposed RDS infrastructures
• Gaining an initial foothold
  • A false sense of security with a RD Gateway
  • The attacks are similar to regular RDP compromises
  • Brute force/dictionary attacks, account compromise, or exploiting vulnerabilities
• Breaking out of RDS
  • Escaping restricted environments
• Additional compromise
  • Impair Defenses
  • Internal reconnaissance
  • Privilege escalation
• Examples of real-world attacks

How to protect against such attacks

• Recommendations & demos
  • Demos & forensics: Windows Defender Remote Credential Guard
  • General mitigation: improve logging, hardening, patch management, DMZ, VPN, bastions
• MFA solutions specifically designed for RDS