
Jump desktop vpn

Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand, Remote Desktop Services, and specifically the Remote Desktop Protocol (RDP), offers this same convenience to remote threat actors during targeted system compromises. When sophisticated threat actors establish a foothold and acquire ample logon credentials, they may switch from backdoors to using direct RDP sessions for remote access. When malware is removed from the equation, intrusions become increasingly difficult to detect.

Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors, which can leave unwanted artifacts on a system. As a result, FireEye has observed threat actors using native Windows RDP utilities to connect laterally across systems in compromised environments. Historically, non-exposed systems protected by a firewall and NAT rules were generally considered not to be vulnerable to inbound RDP attempts; however, threat actors have increasingly started to subvert these enterprise controls with the use of network tunneling and host-based port forwarding.

Network tunneling and port forwarding take advantage of firewall "pinholes" (ports not protected by the firewall that allow an application access to a service on a host in the network protected by the firewall) to establish a connection with a remote server blocked by a firewall. Once a connection has been established to the remote server through the firewall, the connection can be used as a transport mechanism to send or "tunnel" local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall), as shown in Figure 1.

Figure 1: Enterprise firewall bypass using RDP and network tunneling with SSH as an example

Inbound RDP Tunneling

A common utility used to tunnel RDP sessions is PuTTY Link, commonly known as Plink. Plink can be used to establish secure shell (SSH) network connections to other systems using arbitrary source and destination ports. Since many IT environments either do not perform protocol inspection or do not block SSH communications outbound from their network, attackers such as FIN8 have used Plink to create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker command and control (C2) server.

Example Plink Executable: -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389

Figure 2 provides an example of a successful RDP tunnel created using Plink, and Figure 3 provides an example of communications being sent through the tunnel using port forwarding from the attacker C2 server.

It should be noted that for an attacker to be able to RDP to a system, they must already have access to the system through other means of compromise in order to create or access the necessary tunneling utility. For example, an attacker’s initial system compromise could have been the result of a payload dropped from a phishing email aimed at establishing a foothold into the environment, while simultaneously extracting credentials to escalate privileges. RDP tunneling into a compromised environment is one of many access methods typically used by attackers to maintain their presence in an environment.

Figure 2: Example of successful RDP tunnel created using Plink

Figure 3: Example of successful port forwarding from the attacker C2 server to the victim

Not only is RDP the perfect tool for accessing compromised systems externally, RDP sessions can be daisy chained across multiple systems as a way to move laterally through an environment. FireEye has observed threat actors using the native Windows Network Shell (netsh) command to utilize RDP port forwarding as a way to access newly discovered segmented networks reachable only through an administrative jump box. For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic being sent from a previously compromised system:

netsh interface portproxy add v4tov4 listenport=8001 listenaddress= connectport=3389 connectaddress=

Example Shortened netsh Port Forwarding Command:

netsh I p a v l=8001 listena= connectp=3389 c=
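As an added detection example (not code from the original article), the Python below runs two checks over process-creation command lines: a Plink/SSH remote port forward (-R) whose local side is RDP, and a netsh portproxy rule, including the shortened netsh form shown above, which a plain string match on "connectport=3389" would miss. The log records, host names and addresses are constructed; the assumption that an ambiguous netsh prefix resolves to the first documented parameter name is marked in the code.

```python
import re
# Constructed process-creation records "host|user|command line" (not from the article).
SAMPLE_LOG = """\
WS01|corp\\jdoe|plink.exe user@203.0.113.10 -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389
JUMP01|corp\\svc_admin|netsh interface portproxy add v4tov4 listenport=8001 listenaddress=10.0.0.5 connectport=3389 connectaddress=10.10.1.20
JUMP01|corp\\svc_admin|netsh I p a v l=8001 listena=10.0.0.5 connectp=3389 c=10.10.1.20
WS02|corp\\ops|netsh interface show interface
WS03|corp\\dev|plink.exe -batch git@git.example.org git-upload-pack repo.git
"""
# netsh accepts any unambiguous prefix of a command or parameter name, so "netsh I p a v ... connectp=3389"
# must trip the same rule as the long form. Ambiguous prefixes ("l=", "c=") are assumed here to resolve
# to the first match in netsh's documented parameter order for "portproxy add v4tov4".
PORTPROXY_PARAMS = ("listenport", "connectaddress", "connectport", "listenaddress")

def _expand(token, names):
    return next((n for n in names if token and n.startswith(token.lower())), None)

def check_netsh_portproxy(argv):
    # Flag any "netsh interface portproxy add", abbreviated or not; mark rules that forward to RDP.
    if len(argv) < 5 or argv[0].lower() not in ("netsh", "netsh.exe") or not all(
            _expand(a, (n,)) for a, n in zip(argv[1:4], ("interface", "portproxy", "add"))):
        return None
    pairs = [tok.partition("=") for tok in argv[5:]]  # argv[4] is the mode (v4tov4, ...); positional values not handled
    p = {n: v for k, _, v in pairs if (n := _expand(k, PORTPROXY_PARAMS))}
    rule = "netsh portproxy add" + (" to RDP" if p.get("connectport") == "3389" else "")
    return rule, f"{p.get('listenaddress', '*')}:{p.get('listenport', '?')} -> {p.get('connectaddress', '?')}:{p.get('connectport', '?')}"

# Plink/OpenSSH remote-forward spec: [bind:]remoteport:localhost:localport
REMOTE_FWD = re.compile(r"^(?:[^:]*:)?(?P<rport>\d+):(?P<lhost>[^:]+):(?P<lport>\d+)$")

def check_ssh_remote_forward(argv):
    # Flag plink/ssh -R; a local side of 3389 exposes this host's RDP to the SSH server.
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] not in ("plink.exe", "plink", "ssh.exe", "ssh"):
        return None
    for flag, spec in zip(argv, argv[1:]):
        m = REMOTE_FWD.match(spec) if flag == "-R" else None
        if m:
            rdp = " exposing local RDP" if m["lport"] == "3389" else ""
            return "SSH remote port forward" + rdp, f"remote :{m['rport']} -> {m['lhost']}:{m['lport']}"
    return None

def scan(log_text):
    # Return (host, user, rule, detail) for every record that trips a check.
    findings = []
    for line in filter(None, log_text.splitlines()):
        host, user, cmdline = line.split("|", 2)
        argv = cmdline.split()  # whitespace split; quoted arguments would need a real tokenizer
        hits = [c(argv) for c in (check_ssh_remote_forward, check_netsh_portproxy)]
        findings += [(host, user) + h for h in hits if h]
    return findings
```

On the constructed records, scan() reports the Plink tunnel on WS01 and both netsh forms on JUMP01 with identical detail, while the benign netsh and Plink invocations produce nothing.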