Glove Stealer: The Infostealer Malware Breaking Chrome's Defenses


Tags: Glove Stealer, App-Bound Encryption Bypass, Cookie Hijacking, Infostealer Malware
Glove Stealer is a sophisticated infostealer malware designed to bypass Google Chrome’s App-Bound Encryption, effectively extracting sensitive cookies and session data. By exploiting browser vulnerabilities, it enables attackers to hijack accounts and steal critical information with ease. Its emergence poses a significant threat to both individuals and organizations, emphasizing the need for heightened browser security measures.

Indicators of Compromise

master.volt-texs.online
master.hdsjfkgsadoghdsiougds.space

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1132.001 - Standard Encoding


ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Traffic Content

Monitor for network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.


T1056.001 - Keylogging


ID | Data Source | Data Component | Detects
DS0027 | Driver | Driver Load

Monitor for unusual kernel driver installation activity

DS0009 | Process | OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState,[2] and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

DS0024 | Windows Registry | Windows Registry Key Modification

Monitor for changes made to Windows Registry keys or values for unexpected modifications.


T1082 - System Information Discovery


ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009 | Process | OS API Execution

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.



DS0009 | Process | Process Creation

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.


T1555 - Credentials from Password Stores


ID | Data Source | Data Component | Detects
DS0025 | Cloud Service | Cloud Service Enumeration

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity") (eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") OR operationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") OR protoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.

Analytic 1 - Commands indicating credential searches.

(index=os sourcetype IN ("Powershell", "linux_secure", "macos_secure") CommandLine IN ("findstr /si password", "findstr /si pass", "grep -r password", "grep -r pass", "grep -r secret", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))

DS0022 | File | File Access

Monitor for files being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized access to files containing credentials.

index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")((sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="linux_secure" action="open" filepath IN ("/etc/shadow", "/etc/passwd", "/.aws/credentials", "/.ssh/id_rsa")) OR (sourcetype="macos_secure" event_type="open" file_path IN ("/Library/Keychains/", "/Users//Library/Keychains/", "/Users//.ssh/id_rsa")))

DS0009 | Process | OS API Execution

Monitor for API calls that may search for common password storage locations to obtain user credentials.



DS0009 | Process | Process Access

Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized process access indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=10 TargetImage IN ("lsass.exe", "securityd", "ssh-agent", "gpg-agent") OR EventCode=11 TargetObject IN ("password", "creds", "credentials", "secrets", "keychain", ".kdbx", ".pfx", ".pem", ".p12", ".key") OR EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache"))



DS0009 | Process | Process Creation

Monitor newly executed processes that may search for common password storage locations to obtain user credentials.

Analytic 1 - New processes with parameters indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))


T1567 - Exfiltration Over Web Service


ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content

Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks or other features that could be abused to exfiltrate data.

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0022 | File | File Access

Monitor for files being accessed by an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections to web and cloud services associated with abnormal or non-browser processes.



DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1555.003 - Credentials from Web Browsers


ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution

Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.[1]

Analytic 1 - Commands indicating credential searches in web browsers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("sqlite3 logins", "CryptUnprotectData", "security find-internet-password", "sqlcipher logins", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))

DS0022 | File | File Access

Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser.

Analytic 1 - Unauthorized access to web browser credential files.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="file_open"((file_path IN ("\AppData\Local\Google\Chrome\User Data\Default\Login Data", "\AppData\Local\Microsoft\Edge\User Data\Default\Login Data", "\AppData\Roaming\Mozilla\Firefox\Profiles\\logins.json") AND Platform="Windows") OR (file_path IN ("/home//.mozilla/firefox//logins.json", "/home//.config/google-chrome/Default/Login Data") AND Platform="Linux") OR (file_path IN ("/Users//Library/Application Support/Google/Chrome/Default/Login Data", "/Users//Library/Application Support/Firefox/Profiles//logins.json") AND Platform="macOS"))

DS0009 | Process | OS API Execution

Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.[1]

Analytic 1 - Suspicious API calls related to web browser credential access.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="api_call"(api IN ("CryptUnprotectData", "NSS_Init", "PK11SDR_Decrypt", "SecItemCopyMatching", "SecItemAdd", "SecItemUpdate", "SecItemDelete"))



DS0009 | Process | Process Access

Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).

Analytic 1 - Unauthorized process access indicating credential searches in web browsers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("sqlite3 logins", "sqlcipher logins", "db-browser Login Data", "db-browser logins.json", "CryptUnprotectData", "security find-internet-password", "security dump-keychain", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))
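An added example (not the page's own code or any vendor's tooling) implementing the File Access analytic above in Python: it parses constructed key=value file-open events, matches the browser credential-store paths the page lists (plus each browser's cookie database), and flags any reader other than the browser that owns the profile. The expected reader names and the severity boost for images under Temp or Downloads are assumptions to tune per environment.

```python
"""Flag reads of browser credential stores (T1555.003) by processes other than
the browser that owns them. Added example; the expected reader names and the
severity boost for user-writable image locations are assumptions."""
import re
from typing import Dict, List, Optional

# Credential-store paths per browser, derived from the page's File Access
# analytic (Login Data / logins.json) plus each browser's cookie database.
# Matched against lower-cased, forward-slash paths.
STORE_PATTERNS = {
    "chrome": re.compile(
        r"/(google/chrome|google-chrome)/(user data/)?[^/]+/(network/)?(login data|cookies)$"),
    "edge": re.compile(
        r"/microsoft/edge/user data/[^/]+/(network/)?(login data|cookies)$"),
    "firefox": re.compile(
        r"/(firefox/profiles|\.mozilla/firefox)/[^/]+/(logins\.json|key4\.db|cookies\.sqlite)$"),
}

# Assumption: process names that legitimately open each store.
EXPECTED_READERS = {
    "chrome": {"chrome.exe", "chrome", "google chrome"},
    "edge": {"msedge.exe", "microsoft edge"},
    "firefox": {"firefox.exe", "firefox", "firefox-bin"},
}

# key=value or key="quoted value" pairs, as in the constructed sample events
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def normalise(path: str) -> str:
    return path.replace("\\", "/").lower()


def classify_store(path: str) -> Optional[str]:
    """Return the browser whose credential store this path belongs to, if any."""
    norm = normalise(path)
    for browser, pattern in STORE_PATTERNS.items():
        if pattern.search(norm):
            return browser
    return None


def reader_severity(browser: str, image: str) -> Optional[str]:
    """None when the reader is the owning browser; otherwise a severity."""
    norm = normalise(image)
    if norm.rsplit("/", 1)[-1] in EXPECTED_READERS[browser]:
        return None
    # An unknown reader living in a user-writable staging location is worse.
    if "/temp/" in norm or "/downloads/" in norm or "/tmp/" in norm:
        return "high"
    return "medium"


def detect(lines) -> List[Dict[str, str]]:
    """Return one finding per credential-store read by an unexpected process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event_type") != "file_open":
            continue
        browser = classify_store(ev.get("file_path", ""))
        if browser is None:
            continue
        severity = reader_severity(browser, ev.get("image", ""))
        if severity:
            findings.append({"host": ev.get("host", ""), "browser": browser,
                             "image": ev.get("image", ""), "severity": severity})
    return findings


# Constructed sample events; hosts, users and binaries are made up.
SAMPLE_EVENTS = [
    r'ts=2024-11-14T10:02:11Z host=WS01 platform=Windows event_type=file_open image="C:\Program Files\Google\Chrome\Application\chrome.exe" file_path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'ts=2024-11-14T10:05:40Z host=WS01 platform=Windows event_type=file_open image="C:\Users\alice\AppData\Local\Temp\update.exe" file_path="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'ts=2024-11-14T10:06:02Z host=LX02 platform=Linux event_type=file_open image="/usr/lib/firefox/firefox" file_path="/home/bob/.mozilla/firefox/abc.default/logins.json"',
    r'ts=2024-11-14T10:06:30Z host=LX02 platform=Linux event_type=file_open image="/usr/bin/python3" file_path="/home/bob/.mozilla/firefox/abc.default/logins.json"',
    r'ts=2024-11-14T10:07:00Z host=WS03 platform=Windows event_type=file_open image="C:\Program Files\Backup\backup.exe" file_path="C:\Users\carol\Documents\report.docx"',
    r'ts=2024-11-14T10:07:15Z host=WS03 platform=Windows event_type=file_open image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file_path="C:\Users\carol\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```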


T1087 - Account Discovery


ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution

Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

DS0022 | File | File Access

Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

DS0009 | Process | Process Creation

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[10] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.


T1083 - File and Directory Discovery


ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009 | Process | OS API Execution

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.



DS0009 | Process | Process Creation

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.


T1057 - Process Discovery


ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution

Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.

DS0009 | Process | OS API Execution

Monitor for API calls that may attempt to get information about running processes on a system.



DS0009 | Process | Process Creation

Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.

Within the built-in Windows commands:

  • hostname

  • ipconfig

  • net

  • quser

  • qwinsta

  • sc with flags query, queryex, qc

  • systeminfo

  • tasklist

  • dsquery

  • whoami

Note: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Analytic 1 - Host Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe") | stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName


T1059.001 - PowerShell


ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). [295] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[296] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.

Analytic 1 - Look for unusual PowerShell execution.

sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational | search EventCode=4104 | eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No") | where suspicious_cmds="Yes"

DS0011 | Module | Module Load

Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[3][4]

Analytic 1 - Processes loading PowerShell assemblies

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational | search EventCode=7 ImageLoaded IN ("C:\Windows\System32\System.Management.Automation.dll", "C:\Windows\System32\powershell.exe")

DS0009 | Process | Process Creation

Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

PowerShell can be used to hide monitored command line execution such as:

  • net use

  • sc start

Note:

  • The logic for Analytic 1 is based around detecting on non-interactive PowerShell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.

  • The logic for Analytic 2 is based around detecting on remote PowerShell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

Analytic 1 - Non-interactive PowerShell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"

Analytic 2 - Remote PowerShell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"

Analytic 3 - PowerShell Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\\powershell.exe" ParentImage!="C:\Windows\explorer.exe" | stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName



DS0009 | Process | Process Metadata

Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[297]

DS0012 | Script | Script Execution

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Script Block Logging Events

(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventID="4104" AND Image="powershell.exe" AND (CommandLine="-enc" OR CommandLine="-ep bypass" OR CommandLine="-noni*"))
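An added Python example (not the page's own code) that combines the Process Creation analytics (non-interactive and WinRM-hosted sessions) with the switch and keyword checks of the script block and 4104 analytics, run over constructed process-creation events. It also decodes -EncodedCommand (base64 of UTF-16LE, as PowerShell expects) so that the Invoke-Expression and DownloadFile checks see the real command rather than the blob. The BENIGN_NONINTERACTIVE_PARENTS allowlist and the CcmExec path are assumptions standing in for the tuning the page's note recommends.

```python
"""Triage PowerShell process-creation events: non-interactive sessions
(Analytic 1), WinRM-hosted sessions (Analytic 2) and the switch/keyword
checks, with -EncodedCommand decoded so keywords inside it are seen.
Added example; the parent allowlist and the CcmExec path are assumptions."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Assumption: parents that legitimately launch non-interactive PowerShell here.
# Tune per the page's note on false positives; CcmExec is only a placeholder.
BENIGN_NONINTERACTIVE_PARENTS = {"ccmexec.exe"}

# -e/-ec/-enc/-EncodedCommand followed by its base64 payload
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Keywords from the page's analytics, applied to the command line and to the
# decoded payload.
KEYWORDS = {
    "invoke_expression": re.compile(r"(?i)(^|[^\w-])(iex|invoke-expression)\b"),
    "download_file": re.compile(r"(?i)downloadfile"),
    "exec_policy_bypass": re.compile(r"(?i)(^|\s)-(ep|executionpolicy)\s+bypass\b"),
    "non_interactive_switch": re.compile(r"(?i)(^|\s)-noni(nteractive)?\b"),
}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def encode_command(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(event: Dict[str, str]) -> Dict[str, object]:
    """Return the reasons one process-creation event is worth a look."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons: List[str] = []

    # Analytic 1: powershell.exe not started from the user's shell
    if (image == "powershell.exe" and parent != "explorer.exe"
            and parent not in BENIGN_NONINTERACTIVE_PARENTS):
        reasons.append("non_interactive_session")
    # Analytic 2: WinRM provider host spawned by svchost.exe
    if image == "wsmprovhost.exe" and parent == "svchost.exe":
        reasons.append("remote_session")

    decoded = decode_encoded_command(cmdline)
    scan_text = cmdline
    if ENC_ARG.search(cmdline):
        reasons.append("encoded_command")
        # Scan the switches around the payload plus the decoded script,
        # not the base64 blob itself.
        scan_text = ENC_ARG.sub(" ", cmdline) + "\n" + (decoded or "")
    for name, pattern in KEYWORDS.items():
        if pattern.search(scan_text):
            reasons.append(name)

    return {"image": image, "parent": parent, "decoded": decoded,
            "reasons": reasons, "alert": bool(reasons)}


def triage_all(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [triage(e) for e in events]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon EID 1 / Security 4688 style events; the staged script
# path and the CCM inventory script are made up.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoNi -ep bypass -enc "
     + encode_command(r"IEX (Get-Content -Raw C:\Users\Public\stage.ps1)")},
    {"Image": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wsmprovhost.exe -Embedding"},
    {"Image": PS, "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"powershell.exe -File C:\Windows\CCM\inventory.ps1"},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_EVENTS):
        print(result)
```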


T1012 - Query Registry


ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution

Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: For PowerShell Module logging event ID 4103, enable logging for the module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Analytic 1 - Suspicious Commands

(sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") | WHERE CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")

DS0009 | Process | OS API Execution

Monitor for API calls (such as RegOpenKeyExA) that may interact with the Windows Registry to gather information about the system, configuration, and installed software. OS API calls associated with querying the Windows Registry are RegOpenKeyEx, RegOpenUserClassesRoot, RegQueryValueExA, and RegQueryValueExW. Execution of these functions might trigger security log IDs such as 4663 (Microsoft Security Auditing). Also monitor for the RegOpenUserClassesRoot API, which retrieves a handle to the HKEY_CLASSES_ROOT key for a specified user. The returned key has a view of the registry that merges the contents of the HKEY_LOCAL_MACHINE\Software\Classes key with the contents of the Software\Classes keys in the user's registry hive.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls.



DS0009 | Process | Process Creation

Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with the LOLBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing the distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrically distributed. If your data is not symmetrically distributed, try a different algorithm such as the Interquartile Range (IQR).

Analytic 1 - Suspicious Processes with Registry keys

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%"))

Analytic 2 - reg.exe spawned from suspicious cmd.exe

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) | WHERE (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%") | rename ProcessParentGuid as guid | join type=inner guid [ | search ((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%") | rename ProcessGuid as guid ]

Analytic 3 - Rare LolBAS command lines

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5 | select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound | WHERE ProcessCount < LowerBound

DS0024 | Windows Registry | Windows Registry Key Access

Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information.

Note: For Security Auditing event IDs 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, the implementation of a new SACL might be required. Depending on the Registry key used for the creation of the SACL, the generation of event IDs 4656 and 4663 might be noisy.

Analytic 1 - Suspicious Registry

(sourcetype="WinEventLog:Security" EventCode IN (4663, 4656)) AND ObjectType="Key" | WHERE ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe')
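An added Python example (not the page's own code) that carries the outlier logic of Analytic 3 and its note through to the end: the mean minus k standard deviations lower bound beside the IQR lower fence, evaluated over two constructed per-image count sets, one skewed by a heavily used binary and one roughly symmetric. The process names and counts are constructed.

```python
"""Rare-process detection from per-image counts: mean - k*stdev (Analytic 3)
beside the IQR lower fence the note recommends for skewed data.
Added example; counts and process names below are constructed."""
import statistics
from typing import Dict, List


def stdev_lower_bound(counts: Dict[str, int], k: float = 1.5) -> float:
    """AVG(ProcessCount) - STDEV(ProcessCount) * k, as in the page's Analytic 3."""
    values = list(counts.values())
    return statistics.mean(values) - k * statistics.stdev(values)


def iqr_lower_fence(counts: Dict[str, int], k: float = 1.5) -> float:
    """Q1 - k * IQR; quartiles barely move when one binary dominates."""
    q1, _, q3 = statistics.quantiles(list(counts.values()), n=4)
    return q1 - k * (q3 - q1)


def rare_by_stdev(counts: Dict[str, int], k: float = 1.5) -> List[str]:
    bound = stdev_lower_bound(counts, k)
    return sorted(name for name, c in counts.items() if c < bound)


def rare_by_iqr(counts: Dict[str, int], k: float = 1.5) -> List[str]:
    fence = iqr_lower_fence(counts, k)
    return sorted(name for name, c in counts.items() if c < fence)


def compare(counts: Dict[str, int], k: float = 1.5) -> Dict[str, object]:
    """Both methods side by side, so the analyst can see when they disagree."""
    return {
        "stdev_bound": round(stdev_lower_bound(counts, k), 2),
        "stdev_rare": rare_by_stdev(counts, k),
        "iqr_fence": round(iqr_lower_fence(counts, k), 2),
        "iqr_rare": rare_by_iqr(counts, k),
    }


# Constructed: one heavily used binary skews the distribution, which inflates
# the standard deviation, drives the bound below zero and hides mshta.exe.
SKEWED_COUNTS = {
    "rundll32.exe": 2000, "reg.exe": 130, "regsvr32.exe": 125, "wmic.exe": 120,
    "certutil.exe": 118, "cscript.exe": 115, "wscript.exe": 110,
    "msiexec.exe": 105, "bitsadmin.exe": 100, "mshta.exe": 4,
}

# Constructed: roughly symmetric counts; here the stdev bound works as intended.
SYMMETRIC_COUNTS = {
    "rundll32.exe": 98, "reg.exe": 101, "regsvr32.exe": 99, "wmic.exe": 100,
    "certutil.exe": 102, "cscript.exe": 97, "wscript.exe": 103,
    "msiexec.exe": 100, "bitsadmin.exe": 99, "mshta.exe": 60,
}

if __name__ == "__main__":
    for label, counts in (("skewed", SKEWED_COUNTS), ("symmetric", SYMMETRIC_COUNTS)):
        print(label, compare(counts))
```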


T1071.001 - Web Protocols


ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



DS0029 | Network Traffic | Network Traffic Flow

Monitor for web traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).


T1021.001 - Remote Desktop Protocol


ID | Data Source | Data Component | Detects
DS0028 | Logon Session | Logon Session Creation

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

This could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.

Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. This is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.

Analytic 1 - RDP interactive logons (LogonType 10) from unexpected users or to unexpected servers

sourcetype="WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778, 4779) | search LogonType=10 | eval is_suspicious=if((user!="expected_users") AND (dest_ip!="expected_servers"), "True", "False") | where is_suspicious="True"



DS0028 | Logon Session | Logon Session Metadata

Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Analytic 1

(sourcetype="WinEventLog:Security" EventCode="4624" AND LogonType="10" AND AuthenticationPackageName="Negotiate" AND TargetUserName="Admin*")

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Analytic 1 - Abnormal RDP Network Connections (default RDP port 3389)

sourcetype=zeek | search dest_port=3389 | stats count by src_ip, dest_ip, dest_port | where src_ip!="trusted_ips" AND dest_ip!="internal_servers"



DS0029 | Network Traffic | Network Traffic Flow

Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).

The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.

Remote Desktop can be detected in several ways:

  • Network connections to port 3389/tcp (assuming use of the default port)

  • Packet capture analysis

  • Detecting network connections from mstsc.exe

  • Execution of the process rdpclip.exe, which runs as the clipboard manager on the RDP target if clipboard sharing is enabled

Analytic 1 - Suspicious RDP (default RDP port 3389)

sourcetype=netflow LogonType="10" | search dest_port=3389 | stats count by src_ip, dest_ip, dest_port | where src_ip!="trusted_ips" AND dest_ip!="internal_servers"

DS0009 | Process | Process Creation

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.

Analytic 1 - Unusual processes associated with RDP sessions

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 | search (parent_process="mstsc.exe" OR parent_process="rdpclip.exe") | table _time, host, user, process_name, parent_process, command_line | where process_name!="expected_processes"



Observed Countries (250)
