Detect compromised RDP sessions with Microsoft Defender for Endpoint
Human operators play a significant part in planning, managing, and executing cyber-attacks. During each phase of their operations, they learn and adapt by observing the victims’ networks and leveraging intelligence and social engineering. One of the most common tools human operators use is Remote Desktop Protocol (RDP), which gives attackers not only control but also Graphical User Interface (GUI) visibility on remote computers. Because RDP is so common in human-operated attacks, defenders can treat the RDP session context as a strong indicator of suspicious activity, and therefore detect Indicators of Compromise (IOCs) and act on them.
That’s why today Microsoft Defender for Endpoint is enhancing the RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer provides you with more details into the RDP session within the context of the activity initiated, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.
Remote session information
The new layer adds eight fields, exposed as new columns in Advanced Hunting, to the schema of several tables. These columns enrich process information with session details, so that activity performed over a remote session carries its own context.
InitiatingProcessSessionId – Windows session ID of the initiating process
CreatedProcessSessionId – Windows session ID of the created process
IsInitiatingProcessRemoteSession – Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
IsProcessRemoteSession – Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false).
InitiatingProcessRemoteSessionDeviceName – Device name of the remote device from which the initiating process’s RDP session was initiated.
ProcessRemoteSessionDeviceName – Device name of the remote device from which the created process’s RDP session was initiated.
InitiatingProcessRemoteSessionIP – IP address of the remote device from which the initiating process’s RDP session was initiated.
ProcessRemoteSessionIP – IP address of the remote device from which the created process’s RDP session was initiated.
The data will be available in the following tables (whether the session columns are populated for the initiating process, the created process, or both):

| Table name | Initiating process | Created process |
| --- | --- | --- |
| DeviceEvents | Yes | Yes, where relevant |
| DeviceProcessEvents | Yes | Yes |
| DeviceFileEvents | Yes | No |
| DeviceImageLoadEvents | Yes | No |
| DeviceLogonEvents | Yes | No |
| DeviceNetworkEvents | Yes | No |
| DeviceRegistryEvents | Yes | No |
Detect human-operated ransomware attacks that use RDP
Defender for Endpoint machine learning models use data from remote sessions to identify patterns of malicious activity. They assess user interactions with devices via RDP by examining more than 100 characteristics and apply a machine learning classifier to determine whether the behavior is consistent with hands-on-keyboard attacks.
Detect suspicious RDP sessions
Another model uses remote session information to identify suspicious remote sessions. One example is a suspicious RDP session in which harmful tools, commonly used by attackers in ransomware campaigns and other malicious activity, are deployed; this sets off a high-severity alert.
This context is also available in Advanced Hunting for custom detection and investigation purposes.
An Advanced Hunting query can be used to display all processes started from a given source IP address during an RDP session. The same filters work in any of the supported tables. Note that the IsInitiatingProcessRemoteSession and IsProcessRemoteSession columns are booleans, so compare them with true rather than with the string "True".
DeviceProcessEvents
| where Timestamp >= ago(1d)
| where IsInitiatingProcessRemoteSession == true
| where InitiatingProcessRemoteSessionIP == "X.X.X.X" // Insert the remote source IP address here
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine
Another query can be used to highlight actions performed remotely by a compromised account. The same filters work in any of the supported tables.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessAccountSid == "S-1-5-21-..." // Insert the compromised account's SID here
| where IsInitiatingProcessRemoteSession == true
| project Timestamp, DeviceName, InitiatingProcessRemoteSessionIP, InitiatingProcessFileName, InitiatingProcessAccountSid, InitiatingProcessCommandLine, FileName, ProcessCommandLine
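The two queries above start from a known bad IP address or SID. The following query, added here as an example and not part of the original post, goes the other way: it looks for RDP sessions in which tooling commonly seen in hands-on-keyboard intrusions was launched, and groups the hits by the session's source so that one operator working several hosts appears as a single row. It uses the created-process columns (IsProcessRemoteSession, ProcessRemoteSessionIP, ProcessRemoteSessionDeviceName) because the tool itself is the created process. The tool list, the 1-day window and the vssadmin command-line filter are assumptions to tune for your environment.

```kql
// Added example, not from the original post. Tool names, window and the
// vssadmin filter are assumptions; tune them to your environment.
DeviceProcessEvents
| where Timestamp >= ago(1d)
| where IsProcessRemoteSession == true   // the launched process itself ran inside an RDP session
| where FileName in~ ("procdump.exe", "psexec.exe", "ntdsutil.exe", "vssadmin.exe",
                      "rclone.exe", "anydesk.exe", "adfind.exe", "nltest.exe")
// vssadmin is noisy; keep only shadow-copy deletion, a common pre-ransomware step
| where FileName !~ "vssadmin.exe" or ProcessCommandLine has_all ("delete", "shadows")
| summarize Launches = count(),
            Tools = make_set(FileName, 20),
            Hosts = dcount(DeviceName),
            HostList = make_set(DeviceName, 20),
            SampleCommandLines = make_set(ProcessCommandLine, 5),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by ProcessRemoteSessionIP, ProcessRemoteSessionDeviceName, AccountName
| order by Hosts desc, Launches desc
```

To turn this into a custom detection rule, drop the summarize and instead project Timestamp, DeviceId and ReportId (which custom detections require) together with the session columns, so each alert maps back to the individual process event. Tools such as nltest.exe and adfind.exe are also used legitimately by administrators; exclude known admin hosts or accounts rather than removing them from the list.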
You can also hunt for tampering attempts against Defender itself, such as setting the DisableAntiSpyware policy value. The same change made from remote sessions across numerous devices can signal a broad attempt at tampering before the main attack is launched. On devices where Tamper Protection is enabled the change is blocked, but the attempt is still worth surfacing. Note that RegistryValueData is a string column, and that the registry path should be written as a verbatim string (@"...") so the backslashes are not interpreted as escape sequences.
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
| where RegistryValueName =~ "DisableAntiSpyware"
| where RegistryValueType == "Dword"
| where RegistryValueData == "1"
| where IsInitiatingProcessRemoteSession == true
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessRemoteSessionIP, InitiatingProcessRemoteSessionDeviceName
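The single-value query above returns one row per device. The following query, added here as an example and not part of the original post, generalizes it to the "across numerous devices" case: it covers a few additional Defender policy values, and aggregates by the remote session's source address, source device name and account, so that one session disabling protection on many hosts surfaces as one high-confidence row. The extra key and value names, the 7-day window and the 3-device threshold are assumptions to tune for your environment.

```kql
// Added example, not from the original post. The key/value list, window and
// device threshold are assumptions; tune them to your environment.
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where ActionType == "RegistryValueSet"
| where IsInitiatingProcessRemoteSession == true
// verbatim strings (@"...") keep the backslashes literal
| where RegistryKey in~ (@"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
                         @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection")
| where RegistryValueName in~ ("DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring")
| where RegistryValueData == "1"   // string column: compare with "1", not 1
| summarize Devices = dcount(DeviceName),
            DeviceList = make_set(DeviceName, 20),
            ValuesSet = make_set(RegistryValueName, 10),
            Commands = make_set(InitiatingProcessCommandLine, 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by InitiatingProcessRemoteSessionIP, InitiatingProcessRemoteSessionDeviceName, InitiatingProcessAccountName
| where Devices >= 3
| order by Devices desc
```

A single device matching is often an administrator testing a policy; three or more devices from the same remote session within the window is the pattern to escalate. Lower the threshold for small environments or for privileged accounts that should never be changing Defender policy interactively.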
Comprehensive endpoint security
The ability to identify malicious use of RDP in Defender for Endpoint gives admins more granular visibility and control over detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape.
For more information:
Learn more about Advanced Hunting in Microsoft Defender XDR: Overview – Advanced hunting | Microsoft Learn
Learn more about Defender for Endpoint: Microsoft Defender for Endpoint | Microsoft Security
Not a Defender for Endpoint customer? Start a free trial today.