Detecting Malicious RDP Sessions in Volt Typhoon Cyber Attacks

Introduction

The Volt Typhoon cyber attack is a sophisticated threat in which adversaries use valid credentials to maintain stealthy access to IT and OT networks. One key tactic they employ is using Remote Desktop Protocol (RDP) sessions to move laterally through a compromised network. Detecting these malicious sessions requires careful analysis of both network and host logs.

This article, based on a Tech Talk Tuesday discussion by Dan Gunter from Insane Cyber, explores how threat hunters can identify malicious RDP activity using various logging techniques.

Understanding Volt Typhoon and Its Threat

Volt Typhoon is a nation-state cyber attack campaign, reportedly associated with Chinese-affiliated actors. These adversaries pre-position themselves within networks for long-term espionage and potential future attacks.

Reports indicate that they have been inside certain networks for five or more years, using techniques such as:

  • Compromising firewalls
  • Extracting admin credentials
  • Living off the land (using legitimate system tools for malicious activity)

A critical part of their attack strategy involves RDP sessions with stolen or default credentials, allowing them to move laterally while avoiding detection.

How Attackers Use RDP for Malicious Activity

RDP is a legitimate Windows feature used for remote access. However, attackers exploit it using three types of accounts:

  1. Default accounts (e.g., pre-installed maintenance accounts on industrial systems)
  2. Service accounts (automated accounts used by applications)
  3. Domain or local user accounts (compromised through credential theft)

Since RDP sessions are encrypted, traditional monitoring methods may not immediately detect malicious use. This makes network and host log correlation essential for identifying unauthorized access.

Detecting Malicious RDP Sessions Using Network Logs

Network logs provide critical insights into RDP sessions. The video outlines several ways to detect suspicious activity:

1. Analyzing Zeek Logs (formerly Bro IDS)

  • SSL Logs:
    • RDP often runs over SSL (Secure Sockets Layer), which can be monitored using Zeek’s SSL logs.
    • Look for connections on port 3389, the standard RDP port.
    • The subject and issuer fields in SSL certificates often match the hostname of the Windows machine.
  • x509 Certificate Logs:
    • These logs store certificate details used in encrypted RDP connections.
    • Cross-referencing SSL logs with x509 logs can help verify suspicious connections.
  • Connection Logs (conn.log):
    • If RDP runs on an unusual port (not 3389), the connection log can reveal unexpected traffic patterns.
    • Monitor both TCP and UDP traffic related to RDP.
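The checks above, written out as an added example that is not from the talk: a small Zeek TSV reader run over constructed ssl.log and conn.log excerpts (a subset of the standard columns), flagging RDP on 3389 with a self-signed host certificate, RDP that Zeek's protocol detection tagged on a non-standard port, and UDP traffic to 3389.

```python
"""Flag RDP-looking sessions in Zeek ssl.log and conn.log (constructed sample logs)."""
from typing import Dict, List, Tuple

RDP_PORT = "3389"

# Constructed Zeek TSV excerpts; only a subset of the real columns is included.
SSL_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer\n"
    "1700000000.1\tC1\t10.0.0.5\t50123\t10.0.1.20\t3389\tHMI01\tCN=HMI01.plant.local\tCN=HMI01.plant.local\n"
    "1700000001.2\tC2\t10.0.0.5\t50124\t10.0.1.21\t443\tportal.example.com\tCN=portal.example.com\tCN=Example CA\n"
)
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1700000002.0\tC3\t10.0.0.5\t50125\t10.0.1.22\t3389\ttcp\tssl,rdp\n"
    "1700000003.0\tC4\t10.0.0.9\t50126\t10.0.1.23\t13389\ttcp\trdp\n"   # RDP detected on an odd port
    "1700000004.0\tC5\t10.0.0.9\t50127\t10.0.1.23\t3389\tudp\t-\n"      # RDP UDP transport, no DPD tag
)

def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Turn a Zeek TSV log into dicts keyed by the names in the #fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def rdp_from_ssl(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """ssl.log: TLS on 3389; subject == issuer marks the self-signed default RDP certificate."""
    hits = []
    for r in rows:
        if r["id.resp_p"] != RDP_PORT:
            continue
        self_signed = r["subject"] == r["issuer"]
        hits.append((r["uid"], "rdp-tls" + ("-selfsigned" if self_signed else "")))
    return hits

def rdp_from_conn(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """conn.log: 'rdp' in the DPD service field on a non-3389 port, or UDP to 3389."""
    hits = []
    for r in rows:
        if "rdp" in r["service"].split(",") and r["id.resp_p"] != RDP_PORT:
            hits.append((r["uid"], f"rdp-nonstandard-port-{r['id.resp_p']}"))
        elif r["proto"] == "udp" and r["id.resp_p"] == RDP_PORT:
            hits.append((r["uid"], "rdp-udp"))
    return hits

if __name__ == "__main__":
    for hit in rdp_from_ssl(parse_zeek_tsv(SSL_LOG)) + rdp_from_conn(parse_zeek_tsv(CONN_LOG)):
        print(hit)
```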

2. Identifying RDP Cookies

  • RDP connection requests carry an identifier known as the RDP cookie.
  • These cookies often include the username, helping investigators link activity to specific accounts.
  • The cookie is sent in the connection request before the session is encrypted, so even for an encrypted session the (truncated) username it carries can hint at suspicious connections.
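As an added example (not part of the talk), the parser below pulls the mstshash cookie out of a TPKT-framed X.224 Connection Request, the unencrypted packet that opens an RDP connection, and then maps the truncated value back to the accounts it could belong to; the PDU and the account list are constructed here, and the 9-character truncation limit is the one the Microsoft client applies.

```python
"""Extract the mstshash cookie from an RDP X.224 Connection Request and map it to accounts."""
from typing import List, Optional

COOKIE_MAX = 9                        # the Microsoft client truncates the cookie username to 9 chars
COOKIE_MARKER = b"Cookie: mstshash="

def mstsc_cookie(username: str) -> str:
    """The cookie value a client sends for a username, truncated the way mstsc does."""
    return username[:COOKIE_MAX]

def build_connection_request(cookie: str) -> bytes:
    """Constructed TPKT + X.224 Connection Request with a cookie and an rdpNegReq."""
    body = b"\xe0\x00\x00\x00\x00\x00"            # CR code, dst-ref, src-ref, class 0
    body += COOKIE_MARKER + cookie.encode("ascii") + b"\r\n"
    body += b"\x01\x00\x08\x00\x03\x00\x00\x00"   # rdpNegReq: type 1, flags 0, len 8, TLS|CredSSP
    x224 = bytes([len(body)]) + body               # length indicator counts the bytes after itself
    return b"\x03\x00" + (4 + len(x224)).to_bytes(2, "big") + x224

def extract_cookie(pdu: bytes) -> Optional[str]:
    """Return the mstshash cookie from a Connection Request, or None when it carries none."""
    if len(pdu) < 11 or pdu[0] != 0x03 or int.from_bytes(pdu[2:4], "big") != len(pdu):
        raise ValueError("not a well-formed TPKT packet")
    li = pdu[4]
    if pdu[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    payload = pdu[11:5 + li]                       # variable part after the fixed CR header
    if not payload.startswith(COOKIE_MARKER):
        return None
    end = payload.find(b"\r\n")
    if end < 0:
        return None
    return payload[len(COOKIE_MARKER):end].decode("ascii", "replace")

def candidate_accounts(cookie: str, accounts: List[str]) -> List[str]:
    """Accounts the cookie may belong to; a 9-char cookie may be a truncated longer name."""
    c = cookie.lower()
    if len(c) < COOKIE_MAX:
        return [a for a in accounts if a.lower() == c]
    return [a for a in accounts if a.lower().startswith(c)]

ACCOUNTS = ["svc_backup_admin", "svc_backup_ro", "operator"]   # hypothetical account list

if __name__ == "__main__":
    for user in ("svc_backup_admin", "operator"):
        cookie = extract_cookie(build_connection_request(mstsc_cookie(user)))
        print(user, "->", cookie, "->", candidate_accounts(cookie, ACCOUNTS))
```

Zeek writes the same value to the cookie column of rdp.log, so the matching step can be run over that log instead of raw packets.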

Detecting Malicious RDP Sessions Using Host Logs

While network logs provide a broad view of RDP activity, host-level logs offer deeper insights into specific user actions.

1. Monitoring Windows Security Logs (Event ID 4624)

  • Event ID 4624 (Logon) is the built-in Windows Security log event recorded for every successful logon.
  • Specifically, look for these logon types:
    • Logon Type 10 (Remote Interactive): indicates a session initiated via RDP.
    • Logon Type 12 (Cached Remote Interactive): used in some RDP configurations.
  • Reviewing these events helps correlate RDP activity with specific accounts and source IP addresses.

2. Using Sysmon for Enhanced Visibility

  • Sysmon (System Monitor) logs provide deeper insights into process execution and system activity.
  • Detecting scheduled tasks or PowerShell executions related to RDP sessions can indicate an attacker’s persistence.

3. Correlating User Behavior

  • Does the source IP normally connect to this destination?
  • Is the account an admin or a standard user?
  • Does the activity align with the organization’s expected login patterns?
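The 4624 filtering above and the three behavioral questions, combined in one added example that is not from the talk: constructed dicts mirror 4624 EventData fields, a baseline of past RDP logons (types 10 and 12) is built per destination host, and new logons are flagged when the source IP or account has not been seen there before or the account is in a hypothetical admin list.

```python
"""Pick RDP logons (4624, logon type 10/12) out of Security events and score them against a baseline."""
from collections import defaultdict
from typing import Dict, List

RDP_LOGON_TYPES = {"10": "RemoteInteractive", "12": "CachedRemoteInteractive"}
ADMIN_ACCOUNTS = {"plant\\administrator", "plant\\svc_backup_admin"}   # hypothetical admin list

def ev(logon_type: str, user: str, ip: str, computer: str, event_id: str = "4624") -> Dict[str, str]:
    """Build a flattened 4624-style event (constructed sample data, field names as in the XML)."""
    return {"EventID": event_id, "LogonType": logon_type, "TargetDomainName": "PLANT",
            "TargetUserName": user, "IpAddress": ip, "Computer": computer}

HISTORY = [ev("10", "operator", "10.0.0.5", "HMI01"), ev("10", "operator", "10.0.0.5", "HMI01"),
           ev("10", "eng01", "10.0.0.7", "ENG01")]
NEW = [ev("10", "operator", "10.0.0.5", "HMI01"),            # matches the baseline
       ev("10", "svc_backup_admin", "10.0.0.9", "HMI01"),    # admin account from a never-seen source
       ev("3", "operator", "10.0.0.5", "HMI01"),             # network logon, not RDP
       ev("12", "eng01", "10.0.0.11", "ENG01")]              # cached RDP logon from a new source

def account(e: Dict[str, str]) -> str:
    return f"{e['TargetDomainName']}\\{e['TargetUserName']}".lower()

def rdp_logons(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if e["EventID"] == "4624" and e["LogonType"] in RDP_LOGON_TYPES]

def build_baseline(events: List[Dict[str, str]]):
    """Per destination host: the source IPs and accounts seen in past RDP logons."""
    base = defaultdict(lambda: {"ips": set(), "accounts": set()})
    for e in rdp_logons(events):
        base[e["Computer"]]["ips"].add(e["IpAddress"])
        base[e["Computer"]]["accounts"].add(account(e))
    return base

def score(events: List[Dict[str, str]], baseline) -> List[tuple]:
    """Return (host, account, ip, logon kind, reasons) for RDP logons that break the baseline."""
    findings = []
    for e in rdp_logons(events):
        host, acct, known = e["Computer"], account(e), baseline[e["Computer"]]
        reasons = []
        if e["IpAddress"] not in known["ips"]:
            reasons.append("new-source-ip")
        if acct not in known["accounts"]:
            reasons.append("new-account")
        if acct in ADMIN_ACCOUNTS:
            reasons.append("admin-account")
        if reasons:
            findings.append((host, acct, e["IpAddress"], RDP_LOGON_TYPES[e["LogonType"]], reasons))
    return findings

if __name__ == "__main__":
    for finding in score(NEW, build_baseline(HISTORY)):
        print(finding)
```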

By combining these insights, analysts can flag unusual RDP usage and respond quickly.

Best Practices for RDP Security

Preventing unauthorized RDP sessions requires a combination of monitoring, access control, and threat intelligence.

1. Restrict RDP Access

  • Limit RDP usage to specific admin accounts.
  • Block RDP access from untrusted external IPs.

2. Implement Multi-Factor Authentication (MFA)

  • Even if credentials are stolen, MFA adds an additional verification step.

3. Enhance Logging and Monitoring

  • Enable advanced logging in Windows and Zeek.
  • Use SIEM (Security Information and Event Management) tools to correlate network and host logs.

4. Regularly Audit User Accounts

  • Remove unused or default accounts.
  • Monitor service accounts for unusual activity.

Conclusion

The Volt Typhoon attack demonstrates how stealthy adversaries can exploit RDP for lateral movement. Detecting these threats requires a multi-layered approach involving network logs, host logs, and behavioral analysis.

By understanding attack techniques and enhancing detection capabilities, organizations can proactively defend against cyber threats and prevent unauthorized access to critical systems.
