External Remote Services

External remote services play a pivotal role in modern business operations by facilitating remote access to internal enterprise network resources. These services include Virtual Private Networks (VPNs), Citrix, Windows Remote Management (WinRM), Virtual Network Computing (VNC), Secure Shell (SSH) and Remote Desktop Protocol (RDP). While essential for enabling remote work and administration, these services can also be exploited by adversaries to gain initial access to or persist within a network.

Virtual Private Networks (VPN)

How Attackers Use Virtual Private Networks (VPNs) to Gain Initial Access

Credential Theft: Attackers commonly use phishing campaigns to steal VPN credentials from users. By tricking users into revealing their login information through fake login pages or deceptive emails, attackers can capture these credentials. Malware such as keyloggers can also be used to capture login details directly from compromised systems. Attackers might also employ credential dumping tools to extract stored VPN credentials from devices they have already compromised.

Brute Force Attacks: Automated tools like Hydra and Medusa are frequently used to perform brute force attacks against VPNs, systematically attempting various username and password combinations until successful access is achieved. These attacks often include dictionary attacks, where lists of common passwords are used to guess the correct credentials.

Exploiting Vulnerabilities: Attackers exploit unpatched vulnerabilities in VPN software or protocols to bypass authentication mechanisms. For instance, flaws in the implementation of the VPN software can allow attackers to gain access without valid credentials, enabling them to infiltrate the network.

Session Hijacking: In session hijacking, attackers intercept active VPN sessions through man-in-the-middle (MitM) attacks. By capturing session tokens or cookies, attackers can hijack the session, gaining control without needing to authenticate. This often involves positioning themselves between the user and the VPN server to capture session data.

Malware Installation: Attackers deploy malware on endpoints to steal VPN credentials or create backdoors. Once installed, this malware can monitor and capture VPN traffic, sending the credentials back to the attacker, who then uses them to access the VPN.

Key Indicators of Compromise for VPNs

Unusual Login Patterns: Logins that occur during non-business hours, holidays, or weekends can indicate unauthorized access. Additionally, connections from geographical locations or IP addresses not typically associated with the user suggest potential compromise. Monitoring login times and locations can help identify these anomalies.

Multiple Failed Authentication Attempts: A surge in failed login attempts from a single IP address or user account suggests brute-force attacks. Patterns of incremental password attempts or frequent retry intervals further indicate the use of automated tools to guess passwords.

High Data Transfer: Sudden spikes in data transfer volumes through the VPN may suggest data exfiltration. Monitoring for unusual data transfer activities and setting baselines for normal usage can help detect these anomalies.

Unusual Protocol or Port Usage: The use of non-standard ports or unencrypted/plaintext VPN connections can signal suspicious activity. Ensuring that VPN traffic adheres to standard protocols and is encrypted is crucial for maintaining security.

Concurrent Sessions: Multiple active sessions from different locations or devices for the same user account could indicate credential sharing or compromise. Monitoring session activity and correlating it with normal user behavior can help identify unauthorized access.

Use of Outdated or Vulnerable VPN Clients: Connections using outdated VPN clients with known vulnerabilities may be exploited by attackers. Regularly updating VPN clients and enforcing the use of the latest software versions can mitigate this risk.

Unusual User Agent Strings: The use of unexpected or suspicious user agents during VPN connection attempts can indicate the presence of non-standard or malicious clients. Monitoring user agent strings can help detect and block unauthorized access attempts.

Example Scenario:

An attacker launches a phishing campaign targeting employees of an organization, tricking them into providing their VPN credentials. Using these stolen credentials, the attacker logs into the VPN, gaining access to the internal network. They then use this access to move laterally, exploring the network and extracting sensitive data. This activity generates unusual login patterns, multiple failed authentication attempts, and high data transfers to external IPs, all of which can be detected by vigilant monitoring and prompt further investigation.

Citrix

How Attackers Use Citrix to Gain Initial Access

Credential Theft: Attackers often deploy phishing campaigns to trick users into revealing their Citrix credentials. Additionally, malware such as keyloggers can be used to capture these credentials directly from compromised systems. Attackers may also employ credential dumping tools on previously compromised devices to extract stored Citrix credentials, enabling unauthorized access to Citrix environments.

Exploiting Known Vulnerabilities: Unpatched vulnerabilities in Citrix products, such as Citrix ADC (Application Delivery Controller) and Citrix Gateway, can be exploited to bypass authentication mechanisms. Attackers take advantage of these security flaws to gain unauthorized access without needing valid credentials, often through techniques like remote code execution.

Session Hijacking: Attackers intercept active Citrix sessions through man-in-the-middle (MitM) attacks, capturing session tokens or cookies. By doing so, they can hijack the session and gain control without needing to authenticate themselves, effectively taking over the user’s session and accessing sensitive resources.

Misconfigurations: Weak or incorrect configurations in Citrix environments can provide easy entry points for attackers. Misconfigurations such as allowing unrestricted access to administrative tools, not enforcing strong authentication methods, or using default credentials can be exploited by attackers to gain initial access.

Brute Force Attacks: Automated tools systematically attempt various username and password combinations to gain access. Attackers may also use credential stuffing, where they try credentials obtained from other breaches on Citrix services, hoping for a match.

Key Indicators of Compromise for Citrix

Unauthorized Application Access: Attempts to access applications or files not typically used by the user suggest privilege abuse or an attacker exploring the environment. Monitoring access patterns and comparing them to normal usage can help identify such unauthorized attempts.

Suspicious File Transfers: Large or unusual file uploads/downloads through Citrix services, such as ShareFile, can signal data exfiltration. Implementing data loss prevention (DLP) solutions and monitoring file transfer activities can help identify and mitigate these attempts.

Abnormal Session Duration: Sessions that last significantly longer or shorter than usual may indicate automated scripts or tools being used by attackers. Establishing baselines for normal session durations and monitoring for deviations can help detect suspicious activities.

Unusual Application Usage: Access to administrative tools or applications outside the user’s role or department can suggest privilege escalation attempts. Enforcing role-based access control (RBAC) and monitoring application usage can help prevent unauthorized access.

Geographical Anomalies: Logins from unfamiliar countries or rapid location changes can indicate unauthorized access. Implementing geofencing and IP whitelisting can help restrict access to known locations and reduce the risk of compromise.

Unrecognized Devices: Connections from devices not previously registered or recognized by the Citrix environment can indicate unauthorized access. Monitoring for new or unknown devices and enforcing device registration policies can help detect and prevent unauthorized connections.

Example Scenario:

An attacker exploits a known vulnerability in an unpatched Citrix Gateway to bypass the authentication process and gain initial access to the network. Once inside, they use captured session tokens to hijack active user sessions, giving them access to sensitive applications and data. This activity generates unusual login patterns, unauthorized application access attempts, and suspicious file transfers, all of which can be detected by vigilant monitoring and analysis. Prompt investigation of these indicators can help mitigate the impact of the breach.

Windows Remote Management (WinRM)

How Attackers Use Windows Remote Management (WinRM) to Gain Initial Access

Credential Theft: Attackers commonly utilize phishing campaigns and malware to steal credentials required for accessing WinRM. Phishing emails trick users into revealing their login information, while malware such as keyloggers capture these details directly from compromised systems. Additionally, attackers might use tools like Mimikatz to dump credentials from memory on already compromised machines.

Brute Force Attacks: Automated tools systematically attempt various username and password combinations until they succeed in gaining access to WinRM. These brute force attacks often include dictionary attacks, where attackers use lists of common passwords to guess the correct credentials.

Misconfiguration Exploitation: Weak or incorrect configurations, such as enabling WinRM on systems where it is not typically used, can provide easy entry points for attackers. Misconfigured WinRM settings, such as allowing unencrypted traffic or not enforcing strong authentication, can be exploited to gain unauthorized access.

Exploiting WinRM-Specific Vulnerabilities: Vulnerabilities within the WinRM service or associated protocols can be exploited to bypass authentication mechanisms. Attackers may leverage flaws in the software to execute commands remotely without needing valid credentials.

Privilege Escalation via WinRM: After gaining initial access, attackers often use WinRM to execute PowerShell scripts or administrative commands to escalate their privileges. This can involve running scripts that modify user roles, disable security controls, or further infiltrate the network.

Key Indicators of Compromise for WinRM

Unexpected WinRM Activation: Enabling WinRM on systems where it was previously disabled or not typically used can indicate preparatory steps taken by an attacker. Regular audits of system configurations can help detect unauthorized changes.

Suspicious Command Execution: Execution of administrative commands or PowerShell scripts by non-admin users or outside of normal usage patterns is suspicious and may indicate compromise. Monitoring command execution logs is essential for detecting such activities.

Multiple Failed Authentication Attempts: A spike in failed login attempts, particularly from the same IP address or user account, suggests brute-force attacks. Patterns of incremental password attempts or frequent retry intervals further indicate the use of automated tools to guess credentials.

Unusual Traffic Patterns: Communication with non-standard ports, unusual IP addresses, or a high volume of traffic through WinRM can suggest malicious activity. Network monitoring tools can help detect and analyze these traffic anomalies.

Excessive Use of WinRM Features: Overuse of remote command execution, PowerShell remoting, or file transfers through WinRM can indicate that an attacker is leveraging the service for lateral movement or data exfiltration. Establishing usage baselines can help identify anomalies in these activities.

Unusual User Accounts: The initiation of WinRM sessions by accounts that do not typically use WinRM or by accounts with elevated privileges can be a sign of unauthorized access. Monitoring for new or unexpected accounts using WinRM can help detect potential threats.

Security Log Tampering: Attempts to disable WinRM logging, modify audit logs, or clear security logs can indicate an attacker is trying to cover their tracks. Such tampering with logs is a red flag and should be investigated immediately.

Example Scenario:

An attacker gains initial access to a user's machine through a phishing email that installs a keylogger. The keylogger captures the user's credentials, which the attacker then uses to connect to critical servers via WinRM. Once inside, the attacker executes PowerShell scripts to escalate privileges, disable security controls, and move laterally within the network. This activity generates multiple failed login attempts, unusual command execution patterns, and abnormal traffic through WinRM, which can be detected by vigilant monitoring and analysis.

Virtual Network Computing (VNC)

How Attackers Use Virtual Network Computing (VNC) to Gain Initial Access

Credential Theft: Attackers often utilize phishing campaigns or malware to steal VNC credentials from users. Malware like keyloggers can capture these credentials directly from infected systems. Additionally, attackers may use credential dumping techniques on compromised machines to extract stored VNC passwords, allowing them to log in as legitimate users.

Brute Force Attacks: Automated tools are frequently used to perform brute force attacks against VNC, systematically trying various username and password combinations until access is achieved. Dictionary attacks, which employ lists of commonly used passwords, are also common in these scenarios.

Exploiting Unsecured VNC Connections: Many VNC implementations allow connections without encryption, making them susceptible to interception by attackers. If VNC sessions are not properly secured, attackers can capture the traffic and gain access to the remote desktop by intercepting session data.

Exploiting Vulnerabilities: Unpatched vulnerabilities in VNC software can be exploited to bypass authentication or escalate privileges. Attackers may leverage these flaws to gain unauthorized access or control over VNC sessions without needing valid credentials.

Session Hijacking: Attackers intercept active VNC sessions through man-in-the-middle (MitM) attacks. By positioning themselves between the user and the VNC server, they can capture session tokens or cookies and hijack the session, gaining full control without needing to authenticate.

Key Indicators of Compromise for VNC

Unusual Connection Times: VNC connections that occur during non-business hours, holidays, or weekends can be indicative of unauthorized access. Monitoring connection times and correlating them with normal user activity patterns can help identify suspicious access.

New or Unknown IP Addresses: Connections originating from IP addresses or geographical locations not typically associated with the user suggest potential compromise. Implementing IP whitelisting and geofencing can help detect and block unauthorized access attempts.

Multiple Failed Authentication Attempts: A high number of failed login attempts from the same IP address or user account indicates brute force attacks. Patterns of repeated, incremental password attempts further point to automated tools trying to gain access.

High Data Transfer: Sudden increases in data transfer volumes through VNC may signal data exfiltration attempts. Monitoring for unusual data transfer activities and setting baselines for normal usage can help detect these anomalies.

Concurrent Sessions: Multiple active VNC sessions for a single user account, or sessions from different devices simultaneously, can suggest credential sharing or compromise. Tracking session activity and user behavior analytics can aid in identifying unauthorized access.

Unusual Mouse or Keyboard Activity: Mouse movements, keyboard inputs, or screen resolution changes that do not match the user's typical behavior can indicate an attacker is controlling the session. Monitoring VNC session activities for unusual patterns can help detect such intrusions.

Use of Non-Standard VNC Clients: The presence of unusual or non-standard VNC clients connecting to the server may indicate malicious intent. Maintaining an inventory of approved clients and monitoring for the use of unapproved clients can help mitigate this risk.

Example Scenario:

An attacker scans for open VNC ports (typically 5900-5903) on the internet and finds one with no encryption enabled. They intercept the session and capture the credentials, taking control of the remote desktop. Once inside, they perform actions that generate unusual mouse movements and keyboard activity, high data transfers to external IPs, and multiple failed login attempts before finally succeeding. This activity, if monitored, can be detected and flagged as suspicious, prompting further investigation and mitigation actions.

Secure Shell (SSH)

How Attackers Use Secure Shell (SSH) to Gain Initial Access

Credential Theft: Attackers often use phishing campaigns to trick users into revealing their SSH credentials. Additionally, malware like keyloggers can be deployed on compromised systems to capture these credentials as users log in. Attackers may also use credential dumping techniques on compromised machines to extract stored SSH keys and passwords, allowing them to authenticate as legitimate users.

Brute Force Attacks: Automated tools such as Hydra and Medusa are commonly employed to perform brute force attacks against SSH, systematically attempting various username and password combinations until successful access is achieved. These brute force attacks may include dictionary attacks, where attackers use lists of commonly used passwords to guess the correct credentials.

Exploiting Vulnerabilities: Attackers exploit unpatched vulnerabilities in SSH implementations or related software to bypass authentication mechanisms. Such vulnerabilities can allow attackers to gain unauthorized access to the system without needing valid credentials. Keeping SSH software up to date and patched is crucial to mitigating these risks.

SSH Key-Based Attacks: Attackers take advantage of weak keys generated with easily guessable or breakable algorithms, or of poor key management practices. They may also use stolen SSH keys obtained from other compromised systems or backups to gain initial access. Once an attacker has a valid SSH key, they can authenticate without needing a password.

Man-in-the-Middle (MitM) Attacks: In MitM attacks, attackers intercept SSH traffic to capture credentials or session information. This is typically done by gaining access to network infrastructure or using DNS spoofing techniques to redirect SSH connections through an attacker-controlled device. Once intercepted, attackers can eavesdrop on or hijack the session.

Key Indicators of Compromise for SSH

Unusual Login Patterns: Logins occurring during non-business hours, holidays, or weekends can indicate unauthorized access. Similarly, logins from IP addresses or geographical locations not typically associated with the user suggest potential compromise. Monitoring login times and locations is essential for detecting these anomalies.

Multiple Failed Authentication Attempts: A high number of failed login attempts from a single IP address or across multiple user accounts indicates brute force attacks. Patterns of incremental password attempts or frequent retry intervals further suggest the use of automated tools.

Use of New or Unknown SSH Keys: The addition of new SSH keys to user accounts without proper authorization may indicate that an attacker is setting up persistent access. Similarly, usage of SSH keys that are not part of the known key inventory for login attempts is suspicious.

Abnormal Data Transfer: Sudden spikes in data transfer volumes through SSH can suggest data exfiltration attempts. Monitoring for unusual data transfer activities and setting baselines for normal usage can help detect these anomalies.

Anomalous Command Execution: The execution of commands not typically run by the user or commands outside the normal behavior profile can indicate a compromise. Commands that suggest privilege escalation, such as sudo or attempts to modify system configurations, are particularly concerning.

Unexpected SSH Configuration Changes: Unauthorized changes to SSH configuration files, such as sshd_config, that weaken security (like enabling root login or changing port numbers) are red flags. Similarly, modifications to the authorized_keys file without authorization can indicate an attempt to establish unauthorized access.

Man-in-the-Middle Indicators: SSH clients displaying warnings about changed host keys can indicate potential MitM attacks. Additionally, suspicious changes or anomalies in DNS records that could suggest DNS spoofing should be investigated.

Example Scenario:

An attacker uses a phishing campaign to trick a user into revealing their SSH credentials. They log in during off-hours from an unfamiliar IP address. Once inside, the attacker adds a new SSH key to the user's authorized_keys file for persistent access and transfers large volumes of data to an external server. This activity generates unusual login patterns, the addition of an unknown SSH key, and high data transfer volumes, all of which can be detected by vigilant monitoring and analysis. Prompt investigation of these indicators can help mitigate the impact of the breach.
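The two file-based SSH indicators above (sshd_config changes that weaken security, and authorized_keys entries outside the known key inventory, as in the scenario) as an added Python check; this is example code written for this page, not a tool from the original. The sshd_config text, key blobs, inventory and hardening baseline are constructed assumptions.

```python
import base64
import hashlib
import re

# OpenSSH server defaults used when a keyword is absent from sshd_config.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

# Assumed hardening baseline for this host (site policy, not an OpenSSH default).
BASELINE = {"port": "22", "permitrootlogin": "no",
            "passwordauthentication": "no"}

# Constructed sshd_config showing the weakening changes the text describes:
# root login enabled, password logins allowed and the port moved.
SSHD_CONFIG = """\
# constructed sample, not from a real host
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section.

    Keyword and value may be separated by whitespace or '='. Match blocks
    are not modelled, so parsing stops at the first Match line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        settings[key] = parts[1].strip()
    return settings


def config_findings(text):
    """Settings that deviate from BASELINE, using DEFAULTS for absent keywords."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in BASELINE.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() != expected:
            findings.append(f"{key} is {actual}, expected {expected}")
    return findings


def fingerprint(key_b64):
    """OpenSSH SHA256 fingerprint of a base64 key blob (format of ssh-keygen -lf)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text):
    """Entries of an authorized_keys file with fingerprint, comment and options.

    An entry may begin with an options field such as from="..." or
    command="..."; options containing whitespace are not handled here.
    """
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line
        entries.append({
            "type": parts[idx],
            "fingerprint": fingerprint(parts[idx + 1]),
            "comment": " ".join(parts[idx + 2:]),
            "options": " ".join(parts[:idx]),
        })
    return entries


def unknown_keys(entries, inventory):
    """Entries whose fingerprint is not in the known-key inventory."""
    return [e for e in entries if e["fingerprint"] not in inventory]


# Constructed key blobs (arbitrary bytes, not real key material).
KNOWN_BLOB = base64.b64encode(b"constructed key blob: alice laptop").decode()
ROGUE_BLOB = base64.b64encode(b"constructed key blob: added by intruder").decode()
AUTHORIZED_KEYS = f"""\
ssh-ed25519 {KNOWN_BLOB} alice@laptop
from="203.0.113.7" ssh-ed25519 {ROGUE_BLOB} backup
"""
# Inventory keyed by fingerprint, as a key-management system would hold it.
KEY_INVENTORY = {fingerprint(KNOWN_BLOB): "alice@laptop"}

if __name__ == "__main__":
    for f in config_findings(SSHD_CONFIG):
        print("sshd_config:", f)
    for e in unknown_keys(parse_authorized_keys(AUTHORIZED_KEYS), KEY_INVENTORY):
        print("unknown key:", e["type"], e["fingerprint"], e["comment"], e["options"])
```

Fingerprints computed this way match what ssh-keygen -lf prints for the same public key, so an inventory exported from a key-management system can be compared directly.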

Remote Desktop Protocol (RDP)

How Attackers Use Remote Desktop Protocol (RDP) to Gain Initial Access

Credential Theft: Attackers frequently use phishing campaigns and malware to steal RDP credentials from users. Keyloggers and other types of malware can capture these credentials directly from compromised systems. Additionally, attackers may employ credential dumping tools to extract RDP login information from machines they have already compromised, enabling them to access other systems using the stolen credentials.

Brute Force Attacks: Automated tools are commonly used to perform brute force attacks against RDP, systematically attempting various username and password combinations until successful. Attackers often utilize dictionary attacks, where they use lists of common passwords to guess the correct credentials.

Exploiting Vulnerabilities: Unpatched vulnerabilities in the RDP protocol or related software can be exploited by attackers to bypass authentication mechanisms. For instance, a vulnerability like BlueKeep allows attackers to execute code remotely without needing valid credentials, providing them with initial access to the target system.

Misconfigurations: RDP services exposed to the internet without proper network segmentation or weak authentication policies can be easily exploited. Misconfigured settings, such as allowing unlimited login attempts or not enforcing strong passwords, provide attackers with easier entry points.

Session Hijacking: Attackers intercept active RDP sessions through man-in-the-middle (MitM) attacks. By positioning themselves between the user and the RDP server, they can capture session tokens or credentials, allowing them to hijack the session and gain control without needing to authenticate again.

Key Indicators of Compromise for RDP

Unusual Login Times: Logins that occur during non-business hours, holidays, or weekends can indicate unauthorized access. Monitoring login times and correlating them with normal user activity patterns can help identify suspicious access attempts.

Geographical Anomalies: Connections from IP addresses or geographical locations not typically associated with the user suggest potential compromise. Implementing geolocation tracking and IP restrictions can help detect and block unauthorized access attempts.

Multiple Failed Authentication Attempts: A high number of failed login attempts from the same IP address or user account indicates brute force attacks. Patterns of repeated, incremental password attempts further point to the use of automated tools.

High Data Transfer: Sudden spikes in data transfer volumes through RDP may signal data exfiltration attempts. Monitoring for unusual data transfer activities and setting baselines for normal usage can help detect these anomalies.

Concurrent Sessions: Multiple active RDP sessions from the same user account or different devices simultaneously can suggest credential sharing or compromise. Tracking session activity and using user behavior analytics can help identify unauthorized access.

Unusual Software Installations: The installation of software not typically used by the organization or the installation of remote access tools and malware can indicate an attack. Monitoring for unexpected software installations can help detect such activities.

Privilege Escalation Attempts: Commands or actions that suggest an attempt to escalate privileges, such as using administrative tools or modifying system configurations, are suspicious. Monitoring for these actions can help identify potential compromises.

Unusual Access Patterns: Access to systems or files not typically interacted with by the user can suggest an attacker exploring the network. Monitoring access patterns and comparing them to normal behavior can help detect these activities.

Example Scenario:

An attacker uses a tool like Shodan to find exposed RDP services on the internet. They launch a brute force attack and eventually guess a weak password. Once they gain access, they disable security logs, install malware, and use the compromised machine as a launchpad for further attacks within the network. This activity generates multiple failed login attempts, unusual software installations, and abnormal data transfers, all of which can be detected by vigilant monitoring and prompt further investigation.

Windows Event Log Detection

Windows Event IDs

Security Logs

Event ID 4624 (An account was successfully logged on): This event is pivotal for tracking every successful logon attempt. It is crucial to focus on the logon type, which indicates whether the logon was interactive, remote (RDP), or a network logon (such as SMB). For remote services, logon types 3 (Network) and 10 (RemoteInteractive) are particularly significant. Monitoring these logon types can help identify unauthorized access attempts, especially when they occur from unexpected IP addresses or during unusual hours. For instance, suppose an organization primarily operates within the United States and typically sees logon attempts from domestic IP addresses. If a successful logon with Logon Type 10 is detected from an IP address in Eastern Europe at 3 AM local time, this should raise an immediate red flag. The security team should investigate further to determine if this access is legitimate or if it indicates a potential compromise.

Event ID 4625 (An account failed to log on): This event is triggered by failed logon attempts and can indicate brute force attacks, password spraying, or credential stuffing. By analyzing the frequency, pattern, and source of these attempts, security teams can identify malicious activities. For example, if there are multiple failed logon attempts from a single IP address within a short period, it could indicate a brute force attack. Suppose an attacker attempts to log in using various usernames and passwords, generating hundreds of failed logon events within a few minutes. This pattern should prompt an alert, and the source IP should be blocked or investigated further.

Event ID 4648 (A logon was attempted using explicit credentials): This event occurs when a user or process uses explicit credentials to log on to another account, which can be a sign of lateral movement or privilege escalation attempts using stolen credentials. For instance, if a regular user account suddenly attempts to use explicit credentials to access a domain admin account, this should be flagged for investigation. This could indicate that the regular user's credentials have been compromised and are being used to escalate privileges within the network.

Event ID 4776 (The computer attempted to validate the credentials for an account): This event is essential for detecting the use of compromised credentials. It is often seen in conjunction with other authentication events. For example, frequent attempts to validate credentials from a single IP address could indicate a password spraying attack. If an attacker tries to validate multiple usernames with a common password across different systems, generating numerous Event ID 4776 logs, this should trigger an alert for potential credential abuse.

Remote Desktop Services Logs

Event ID 1149 (User authentication succeeded): This event is logged when a user successfully authenticates to an RDP session. It is crucial for detecting unauthorized RDP access. For example, if an employee who typically works from the office suddenly authenticates to an RDP session from an IP address in a different country, this should be investigated. This may indicate that the user's credentials have been compromised and are being used for unauthorized remote access.

Event IDs 1152 and 1155 (Session reconnection and disconnection): These events help track user behavior patterns and detect anomalies in typical usage. For instance, if there are frequent session reconnections or disconnections during off-hours, this could indicate unauthorized access attempts or potential session hijacking. Suppose an RDP session is repeatedly disconnected and reconnected late at night when the user is not expected to be working. This pattern should be flagged for further investigation.

Application and Services Logs

Event ID 5156 (Windows Filtering Platform has permitted a connection): By monitoring this event, security teams can track allowed connections to services like RDP and VPN. Anomalies might include connections from unexpected countries or VPNs known for being used by attackers. For example, if a connection is permitted on port 3389 (RDP) from an IP address in a foreign country where the organization has no presence, this should be investigated. This could indicate an unauthorized remote access attempt.

Event ID 5158 (Windows Filtering Platform has blocked a connection): While this event indicates that a connection attempt was denied, it can still be valuable for detecting scanning activities or attempted breaches from known malicious IP addresses. For instance, if there are multiple blocked connection attempts from the same IP address, this could indicate a reconnaissance attempt by an attacker. If an attacker is scanning for open ports and services, generating numerous Event ID 5158 logs, this should prompt an investigation into the source IP.

Event ID 7045 (A new service was installed): The installation of a new service, especially if it's not part of standard operations, can be a sign of malware or an attacker establishing persistence. Monitoring this event is crucial for detecting unauthorized service installations. For example, if a new remote access tool is installed on a critical server during off-hours, this should be flagged for investigation. This could indicate that an attacker is attempting to establish a backdoor for persistent access.

Sysmon Event IDs

Event ID 1 (Process creation): This event logs every process creation, including command-line arguments. Security teams should look for unusual processes associated with remote services, such as VPN or RDP clients starting at odd hours or with suspicious parameters. For instance, if mstsc.exe (RDP client) is launched with unusual command-line arguments or during off-hours, this should be investigated. This could indicate unauthorized remote access or an attacker attempting to establish a remote session.

Event ID 2 (A file was created): Monitoring for file creation in system directories or user profiles can reveal the presence of dropper malware or tools used for remote access. This can be particularly relevant when files are created by processes that are not typically associated with file I/O. For example, if a new executable file is created in the Windows system directory by a remote access tool, this should be flagged for investigation. This could indicate that an attacker is attempting to install malware or a backdoor on the system.

Event ID 3 (Network connection): Sysmon provides detailed information about network connections, including source and destination IP addresses, ports, and process information. Unusual outbound connections to remote service ports can indicate data exfiltration or C2 communications. For example, if a critical server establishes a network connection to an unknown IP address on port 22 (SSH), this should be investigated. This could indicate unauthorized remote access or an attacker establishing a C2 channel.

Event ID 5 (Process terminated): While process termination is normal in many cases, a high rate of terminations or the termination of security-related processes can indicate an adversary shutting down tools or clearing tracks. For instance, if antivirus or logging processes are terminated during a remote session, this should be flagged for investigation. This could indicate that an attacker is attempting to evade detection by disabling security tools.

Event ID 7 (Image loaded): This event logs every DLL or image file loaded into a process. It's useful for detecting DLL injection or side-loading attacks, which are common techniques used to maintain persistence or elevate privileges. For example, if a suspicious DLL is loaded into a remote access tool's process, this should be investigated. This could indicate an attempt to inject malicious code into the process.

Event ID 10 (Process accessed a file): Access to sensitive files, such as SSH or RDP configuration files, can indicate reconnaissance activities. Monitoring this event can help detect unauthorized access or modifications to critical files. For instance, if an unauthorized process accesses RDP configuration files, this should be flagged for investigation. This could indicate an attempt to modify remote access settings.

Event ID 11 (Registry value set): Changes to registry keys that configure remote services, such as RDP settings or authentication configurations, can be a sign of an attacker preparing for lateral movement or persistence. For example, if registry keys that enable RDP are modified, this should be investigated. This could indicate an attempt to enable remote access on a compromised system.

Event ID 12 (Registry key created): The creation of new registry keys, especially those related to startup or service management, can be indicative of an attacker establishing a foothold on the system. For instance, if a registry key is created to enable a new remote access service, this should be flagged for investigation. This could indicate that an attacker is attempting to establish persistence on the system.

Event ID 13 (Registry key deleted): Deletion of registry keys, particularly those associated with security or auditing, can be an attempt to disable system defenses or remove evidence of compromise. For example, if registry keys related to logging or antivirus settings are deleted, this should be investigated. This could indicate an attempt to evade detection by disabling security measures.

Event ID 17 (Pipe created): Named pipes are used for inter-process communication (IPC) and can be exploited by attackers for lateral movement or to establish a C2 channel. Monitoring for the creation of unusual pipes can help detect these activities. For instance, if a named pipe is created by a remote access tool, this should be flagged for investigation. This could indicate an attempt to establish a covert communication channel.

Event ID 18 (Pipe connected): Connections to named pipes from unexpected processes or remote systems can indicate data transfer or command execution as part of a broader attack. For example, if an unauthorized process connects to a named pipe, this should be investigated. This could indicate lateral movement or data exfiltration.

Event ID 19 (Pipe disconnected): Rapid disconnections from named pipes can be a sign of beaconing behavior, where an infected system communicates with a C2 server at regular intervals. For instance, if a remote access tool frequently disconnects from a named pipe, this should be flagged for investigation. This could indicate ongoing C2 communication.

Event ID 22 (DNS query): Monitoring DNS queries can help detect attempts to resolve domains associated with C2 servers or malicious infrastructure. For example, if DNS queries are made for known malicious domains or domains associated with remote access tools, this should be investigated. This could indicate an attempt to establish a connection to a C2 server.
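Pulling several of the Windows and Sysmon signals above into one hunt, as an added example that is not the page's own code: it walks pre-parsed event dicts and flags repeated blocked connections from one source IP (Event ID 5158, as labelled above), off-hours service installs (7045), off-hours launches of mstsc.exe (Sysmon 1) and SSH from a critical host to a non-allowlisted address (Sysmon 3). The host names, business hours, thresholds, allowlist and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Illustrative tuning values (assumptions, not taken from the page).
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time
CRITICAL_HOSTS = {"DB01"}
SSH_ALLOWLIST = {"10.0.0.5"}       # jump host that may receive SSH from DB01
SCAN_PORT_THRESHOLD = 5            # distinct blocked ports from one source IP

def off_hours(ts):
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS

def hunt(events):
    """Return (rule, detail) findings over pre-parsed event dicts."""
    findings, blocked = [], defaultdict(set)   # blocked: src IP -> dst ports
    for e in events:
        eid, host, ts = e["EventID"], e["Computer"], e["TimeCreated"]
        if eid == 5158:            # WFP blocked connection, as described above
            blocked[e["SourceAddress"]].add(e["DestPort"])
        elif eid == 7045 and off_hours(ts):
            findings.append(("7045 off-hours service install",
                             f"{host}: {e['ServiceName']} -> {e['ImagePath']}"))
        elif (eid == 1 and off_hours(ts)
              and e["Image"].lower().endswith("\\mstsc.exe")):
            findings.append(("Sysmon 1 off-hours RDP client",
                             f"{host}: {e['CommandLine']}"))
        elif (eid == 3 and host in CRITICAL_HOSTS and e["DestinationPort"] == 22
              and e["DestinationIp"] not in SSH_ALLOWLIST):
            findings.append(("Sysmon 3 SSH to unknown host",
                             f"{host} -> {e['DestinationIp']}"))
    for ip, ports in blocked.items():    # many distinct ports = likely scan
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("5158 port scan", f"{ip} probed {len(ports)} ports"))
    return findings

# Constructed sample events (not real logs); fields mimic the Windows/Sysmon ones.
SAMPLE = [
    *({"EventID": 5158, "Computer": "WEB01", "TimeCreated": "2024-05-01T10:00:00",
       "SourceAddress": "203.0.113.7", "DestPort": p} for p in (22, 23, 445, 3389, 5985)),
    {"EventID": 7045, "Computer": "DB01", "TimeCreated": "2024-05-01T02:13:00",
     "ServiceName": "updsvc", "ImagePath": r"C:\Users\Public\ra.exe"},
    {"EventID": 1, "Computer": "WS07", "TimeCreated": "2024-05-01T23:40:00",
     "Image": r"C:\Windows\System32\mstsc.exe", "CommandLine": "mstsc.exe /v:DB01 /admin"},
    {"EventID": 3, "Computer": "DB01", "TimeCreated": "2024-05-01T23:41:00",
     "DestinationIp": "198.51.100.9", "DestinationPort": 22},
    {"EventID": 3, "Computer": "DB01", "TimeCreated": "2024-05-01T09:00:00",
     "DestinationIp": "10.0.0.5", "DestinationPort": 22},      # allowlisted: no finding
]
```

Running hunt(SAMPLE) yields four findings, one per rule, while the allowlisted SSH connection stays silent.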
