{"id":4498,"date":"2022-03-23T22:18:47","date_gmt":"2022-03-23T20:18:47","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=4498"},"modified":"2023-07-27T23:19:29","modified_gmt":"2023-07-27T21:19:29","slug":"rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/","title":{"rendered":"What happens without RDP protection after 24+ hours in Microsoft Sentinel & Microsoft security products"},"content":{"rendered":"\n
<p>For many years, abuse of the <strong>Remote Desktop Protocol (RDP)<\/strong> has been among the most common initial access vectors in ransomware incidents. One of the most common attacks against VMs in Azure, AWS or other clouds today is the RDP brute-force attack.<\/p>\n\n\n\n
<p>Last year I published a blog about monitoring RDP attacks. This blog focuses on more in-depth information: what happens after 24+ hours of an open RDP port, and what is visible in Defender, Sentinel and Defender for Cloud.<\/p>\n\n\n\n
<p>T-Pot is included in this blog for additional background on honeypots and on the most common malicious activity seen against a new T-Pot instance and its containers.<\/p>\n\n\n\n
<p>In <strong>part 2<\/strong> of this blog, I\u2019ll talk about what happened when the machine was online with the username <em>Administrator<\/em> and password <em>123456<\/em> in Microsoft Defender for Endpoint.<\/p>\n\n\n\n
<h2>RDP attack most frequent attack?<\/h2>\n\n\n\n
<p>You may think securing RDP is a default measure, but according to Shodan more than 4.46M RDP ports (TCP\/3389) are currently exposed to the public internet. Attackers use automated scanners that continuously sweep the internet for open RDP ports protected by nothing more than a username and password.<\/p>\n\n\n\n
<p><strong>There is absolutely no reason<\/strong> to put RDP directly on the internet. Many alternatives exist (just-in-time VM access, Azure Bastion and other protections that still allow easy management). Seriously, don\u2019t open RDP directly to the public internet; it\u2019s only a matter of time before the system is compromised.<\/p>\n\n\n\n
<p>It\u2019s extremely easy to find RDP systems online. Scanning for RDP\u2019s default port (TCP\/3389) is easy, but Shodan has already done it for you.<\/p>\n\n\n\n
<p>Shodan is a search engine for internet-connected devices. It identifies devices by several characteristics and works by crawling the internet and completing a full protocol-specific handshake on each port, so it knows not only whether a port is open or closed but which service answers. For open RDP ports Shodan also captures a screenshot of the logon screen.<\/p>\n\n\n\n
<p>A Shodan search for <strong>port:3389<\/strong> returns every host Shodan has discovered with that port open. At the time of writing there are <strong>4,467,430<\/strong> exposed RDP ports (honeypots included), and the number grows every day.<\/p>\n\n\n\n
<figure><figcaption><strong>Top 10 – country<\/strong> (Shodan, port:3389)<\/figcaption><\/figure>\n\n\n\n
<h2>Monitoring RDP attacks<\/h2>\n\n\n\n
<p>This blog post shows how to use Microsoft Sentinel to detect RDP brute-force attacks targeting cloud VMs in Azure, AWS or other clouds.<\/p>\n\n\n\n
<p>The following is part of the blog:<\/p>\n\n\n\n
<p>++ Bonus content<\/p>\n\n\n\n
<h2>Install AMA agent – Collect events<\/h2>\n\n\n\n
<p>The Azure Monitor Agent (AMA) is rewritten from the ground up and replaces the Microsoft Monitoring Agent (MMA) used by Log Analytics. AMA uses data collection rules (DCRs) to define which data each agent collects. DCRs make collection settings manageable at scale for different groups of environments or machines, which also means fewer ingested events and lower cost.<\/p>\n\n\n\n
<p>See the following blog for all details on AMA, DCRs and the new agent: <em>Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR<\/em>. The section below is a short summary of the steps explained there.<\/p>\n\n\n\n
<p>Multiple options are available for installing the Azure Monitor Agent; this blog post covers the installation driven from Microsoft Sentinel. For detailed standalone install instructions see: Manage the Azure Monitor agent | Microsoft Docs.<\/p>\n\n\n\n
<p>Azure VMs need no additional Azure Arc configuration; VMs in AWS or other clouds must first be onboarded to Azure Arc before AMA can be installed on them. To enable the new connector, take the following steps:<\/p>\n\n\n\n
<p>From the connector page, configure the new data sources; make sure you have read and write permissions on the workspace and the target machines. To install AMA and collect Security events from Windows machines, start by creating a new data collection rule (DCR): click the button <strong>Create data collection rule<\/strong>.<\/p>\n\n\n\n
<p>The DCR defines what is collected and where it is sent. In this blog the destination is the Log Analytics workspace used by Microsoft Sentinel.<\/p>\n\n\n\n
<p>Fill in the following values:<\/p>\n\n\n\n
<p>Now select the <strong>resources<\/strong>, either individual virtual machines or complete <strong>resource groups\/ subscriptions<\/strong>, and press <strong>Apply<\/strong>. Once the rule is enabled, the agent is installed automatically on the selected machines.<\/p>\n\n\n\n
<p>Review the selected resources and go to the <strong>Collect<\/strong> tab.<\/p>\n\n\n\n
<p>For collecting events, select one of the event groups: <strong>All Security Events, Common, Minimal, Custom<\/strong>. All, Common and Minimal each include the logon events (4624 success, 4625 failure) that RDP brute-force detection relies on, so Minimal is sufficient for this scenario at the lowest ingestion cost; Custom lets you supply your own XPath filter.<\/p>\n
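Once AMA and the DCR deliver Security events to the workspace, the detection itself is simple: many 4625 failures from one source IP against one host inside a short window, and whether a 4624 with LogonType 10 (RemoteInteractive) from that same IP followed. The Python below is an added example, not code from this blog or from Microsoft; it runs that logic over a constructed set of rows shaped like the SecurityEvent columns AMA produces (host name, IPs, accounts and timestamps are all made up), so you can see what a Sentinel analytics rule for this scenario has to compute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SecurityEvent rows, trimmed to the columns the
# detection needs. Hosts, IPs, accounts and times are invented for this
# example; timestamps are UTC.
BASE = datetime(2022, 3, 23, 20, 0, 0)


def _ev(offset_s, event_id, account, ip, logon_type, computer="VM-RDP01"):
    return {
        "TimeGenerated": BASE + timedelta(seconds=offset_s),
        "Computer": computer,
        "EventID": event_id,
        "Account": account,
        "IpAddress": ip,
        "LogonType": logon_type,
    }


SAMPLE_EVENTS = (
    # One source sprays four accounts, 12 failures in under four minutes.
    # With NLA enabled the failures are logged as LogonType 3, not 10.
    [_ev(20 * i, 4625, acct, "203.0.113.10", 3)
     for i, acct in enumerate(["Administrator", "admin", "user", "test"] * 3)]
    # ...and then gets in: a RemoteInteractive (type 10) success.
    + [_ev(260, 4624, "Administrator", "203.0.113.10", 10)]
    # A second source with only three failures: below threshold, ignored.
    + [_ev(60 * i, 4625, "Administrator", "198.51.100.7", 3) for i in range(3)]
    # A legitimate RDP logon with no preceding failures from its IP.
    + [_ev(600, 4624, "jeffrey", "192.0.2.5", 10)]
)


def detect_rdp_brute_force(events, threshold=10, window=timedelta(minutes=10)):
    """Return one finding per (Computer, source IP) that produced at least
    `threshold` failed logons (4625) inside any `window`, and flag whether a
    LogonType 10 success (4624) from the same source followed the burst."""
    by_source = defaultdict(list)
    for e in events:
        # Local/system logons carry "-" as IpAddress; they are not brute force.
        if e["EventID"] in (4624, 4625) and e["IpAddress"] not in ("-", "", None):
            by_source[(e["Computer"], e["IpAddress"])].append(e)

    findings = []
    for (computer, ip), evs in by_source.items():
        evs.sort(key=lambda e: e["TimeGenerated"])
        failures = [e for e in evs if e["EventID"] == 4625]
        # Sliding window: the largest number of failures inside `window`.
        best, start = 0, 0
        for end in range(len(failures)):
            while (failures[end]["TimeGenerated"]
                   - failures[start]["TimeGenerated"]) > window:
                start += 1
            best = max(best, end - start + 1)
        if not failures or best < threshold:
            continue
        first = failures[0]["TimeGenerated"]
        # Only the success is filtered on LogonType 10; failures are not,
        # because NLA reports them as type 3.
        success = next(
            (e for e in evs
             if e["EventID"] == 4624 and e["LogonType"] == 10
             and e["TimeGenerated"] >= first),
            None,
        )
        findings.append({
            "computer": computer,
            "source_ip": ip,
            "failures": len(failures),
            "peak_failures_in_window": best,
            "accounts_tried": sorted({e["Account"] for e in failures}),
            "first_failure": first,
            "last_failure": failures[-1]["TimeGenerated"],
            "successful_logon": success is not None,
            "success_account": success["Account"] if success else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_brute_force(SAMPLE_EVENTS):
        state = "SUCCESSFUL LOGON" if f["successful_logon"] else "ongoing"
        print(f"{f['computer']} <- {f['source_ip']}: {f['failures']} failures "
              f"({f['peak_failures_in_window']} within window), "
              f"accounts {f['accounts_tried']}, {state}")
```

In Sentinel the same logic is a KQL analytics rule over the SecurityEvent table: summarize EventID 4625 by Computer, IpAddress and a time bin, then join the 4624 events with LogonType 10 from the same IpAddress. The one caveat the example encodes is worth repeating: with Network Level Authentication enabled, failed RDP attempts are logged as LogonType 3, so filter only the successful logon on LogonType 10, never the failures.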