This video showcases how attackers can take advantage of a very common attack vector, Remote Desktop Protocol (RDP). RDP is a technology that allows users to connect to and interact with a remote computer or server over the internet. While RDP has many uses, a primary one is to facilitate remote working, and as such it has grown in popularity in recent years with the rise of remote and hybrid working.

Explaining the video

1. Setting the Stage

  1. The first screen depicts a freely available tool, Kali Linux, which is designed for security researchers and testers and so is considered to have legitimate use cases. Unfortunately, it is also a favourite among attackers.
  2. The second screen shows the victim’s system, which in this case is a standard Windows 10 computer.

2. Identify the Perimeter

  1. The attacker’s goal is to identify what is on the victim’s perimeter. They are using an open source tool called Nmap to determine what the victim’s external attack surface looks like. The attacker sees port 3389 open, which tells them that remote desktop is available on this host.

3. Brute Force

  1. The attacker is using a brute forcing tool called Hydra, which is also free and open source. They target common usernames such as “Administrator.” The speed of the tool is evident: the attacker was able to try 120 passwords because of weaknesses in the defender’s defences, namely the fact that group policies were not set. The attacker now has a valid username, Administrator, and the password for that account.
  2. Using an RDP client, they enter the stolen credentials and remotely connect to the victim’s system. Their device now has a remote desktop session on the victim’s system.

4. Disable Antivirus

  1. The attacker attempts to download a malicious tool called Mimikatz, but is stopped by Windows Defender. Experienced attackers know to anticipate this and have steps prepared to counteract it. The attacker downloads psexec.exe, which is a completely legitimate administrator tool developed by Microsoft, and a registry file to aid in disabling Defender. The attacker uses PsExec to open a privileged command prompt running as NT AUTHORITY\SYSTEM, and uses this privileged prompt to import the file into the registry to disable antivirus.
  2. The attacker attempts to extract the Mimikatz tool again, but is warned that Windows Defender stopped it. They check the settings and realise the change will take a few more seconds to take effect. They then verify that Windows Defender is disabled.
  3. By this point in the incident the attacker has escalated from external access to a foothold inside the network, and has disabled whatever preventive security stood in their way.
  4. Windows Defender is attempting to encourage a reboot, but the attacker isn’t concerned.
  5. The attacker now executes Mimikatz and uses it to retrieve the password of another user logged into the machine.

5. Pivot within the network

  1. As witnessed, the attacker started with one user on the network and then pivoted, extending their reach to other users. They tend to go after users that don’t have two-factor authentication enabled.

How could this have been prevented?

If the victim organisation had a Managed Detection and Response (MDR) service in place, this attack could easily have been prevented. MDR services can prevent RDP attacks by monitoring network traffic for unusual RDP connection attempts and behaviour, as demonstrated at several stages of this infiltration. Using behavioural analysis, machine learning, and threat intelligence, MDR services detect anomalies, unauthorised access, and known attack patterns. In the event of an attack, MDR services respond swiftly, isolating compromised systems and assisting with recovery. With 24/7 monitoring, MDR services ensure continuous protection against RDP attacks and other threats.
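The brute-force stage above (120 password attempts against “Administrator” with no lockout policy in the way) and the monitoring described in this section both come down to the same signal: a burst of failed RDP logons from one source, followed by a success. The following is an added example, not code from the video or from any MDR product, showing how that signal can be pulled out of Windows Security log events. It assumes events have already been exported as dicts carrying the standard 4625 (failed logon) and 4624 (successful logon) fields, with logon type 10 marking RDP (RemoteInteractive) sessions; the threshold, window and the event records themselves are constructed for illustration.

```python
"""Flag RDP brute-force bursts in Windows Security events (added example).

Detection logic: if one source IP produces FAILURE_THRESHOLD or more failed
RDP logons (event 4625, logon type 10) inside WINDOW, raise a medium alert;
if that same IP then logs on successfully (event 4624), raise a high alert.
Field names follow the Windows Security log; the thresholds and the sample
events below are assumptions made for this example, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10            # assumed: failures from one IP ...
WINDOW = timedelta(seconds=60)    # ... inside this window trigger an alert
RDP_LOGON_TYPE = 10               # RemoteInteractive (RDP) logon type
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def analyse(events):
    """Return a list of alert dicts for RDP brute-force activity.

    events: iterable of dicts with keys EventID, Time, LogonType,
            IpAddress and TargetUserName (modelled on 4624/4625 fields).
    """
    recent = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    flagged = {}                  # source IP -> time the burst was first seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue                      # only RDP logons are of interest here
        ip, t = ev["IpAddress"], datetime.strptime(ev["Time"], TIME_FMT)
        if ev["EventID"] == 4625:
            q = recent[ip]
            q.append(t)
            while q and t - q[0] > WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD and ip not in flagged:
                flagged[ip] = t
                alerts.append({
                    "severity": "medium", "ip": ip, "time": ev["Time"],
                    "reason": f"{len(q)} failed RDP logons within {WINDOW.seconds}s",
                })
        elif ev["EventID"] == 4624 and ip in flagged:
            # A success after a burst is the case that matters most: the
            # guessed credentials worked, as they did in the video.
            alerts.append({
                "severity": "high", "ip": ip, "time": ev["Time"],
                "reason": f"successful RDP logon as {ev['TargetUserName']} "
                          f"after brute-force burst",
            })
    return alerts


def sample_events():
    """Constructed sample log: one attacker burst plus one benign user."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Attacker (203.0.113.5, documentation range): 12 failures two seconds apart,
    # then a successful logon as Administrator.
    for i in range(12):
        events.append({"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",
                       "TargetUserName": "Administrator",
                       "Time": (base + timedelta(seconds=2 * i)).strftime(TIME_FMT)})
    events.append({"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.5",
                   "TargetUserName": "Administrator",
                   "Time": (base + timedelta(seconds=30)).strftime(TIME_FMT)})
    # Benign user (192.0.2.10): one typo, then success; must not alert.
    events.append({"EventID": 4625, "LogonType": 10, "IpAddress": "192.0.2.10",
                   "TargetUserName": "alice",
                   "Time": (base + timedelta(minutes=5)).strftime(TIME_FMT)})
    events.append({"EventID": 4624, "LogonType": 10, "IpAddress": "192.0.2.10",
                   "TargetUserName": "alice",
                   "Time": (base + timedelta(minutes=5, seconds=8)).strftime(TIME_FMT)})
    return events


if __name__ == "__main__":
    for alert in analyse(sample_events()):
        print(alert)
```

Run against the constructed events, the attacker IP produces a medium alert on its tenth failure and a high alert when the following 4624 arrives, while the benign user's single typo produces nothing. In a real deployment the same rule would also want the account lockout group policy the video's defender lacked, since detection after the tenth guess is still later than a lockout after the fifth.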