Back in September, Sysmon v12 graced us with the new ability to monitor clipboards. You can read about this new capability in Olaf’s blog. In this blog, I want to focus on how you can use it to detect RDP activity by hands-on-keyboard actors, such as human-operated ransomware groups, from your SIEM.
Sysmon generates Event ID 24 whenever a clipboard change is detected. Note, however, that file copy-paste operations do not trigger this event.
Requirements
- In your SIEM, create a list called AUTHORIZED_RDP_HOSTNAMES containing the hostnames of the devices from which your authorized users will connect remotely.
- Make sure you have a policy in place that tells users to initiate RDP connections only from devices whose hostname is listed in AUTHORIZED_RDP_HOSTNAMES.
Scenario
Let’s say a threat actor succeeded in logging in remotely to an internal workstation in our enterprise. The actor opened a command prompt and pasted a long command into the terminal. Can the Blue Team detect this?
Let the Hunt Begin
First, we need to keep two cases in mind: the threat actor pasted a command from their device into the workstation’s terminal, or the actor copied the output of the command from the workstation’s terminal to their device. The event Sysmon generates is not “symmetrical” between the two cases.
For the first case, the log generated by Sysmon is shown below:
Notice how the Image field records rdpclip.exe instead of cmd.exe. This means we cannot tell the actual destination process (cmd.exe in our case) from this event alone. Event ID 24 does, however, record the user and hostname of the RDP client, which we can use to build our detection.
Thus, the SIEM query to detect an unknown hostname manipulating the clipboard during RDP will look like:
EventSource=Sysmon EventID=24 Image="*\rdpclip.exe" -(ClientInfo.Hostname IN AUTHORIZED_RDP_HOSTNAMES)
This alert will fire in your SIEM because the threat actor’s hostname is not in AUTHORIZED_RDP_HOSTNAMES.
For the second case, the event generated is shown below:
Notice that, because we copied the command output from the command prompt, the Image field now records cmd.exe. Since we also have the Process GUID, we can correlate with the Event ID 1 (Process Creation) log to get more information about this process:
EventSource=Sysmon EventID=1 ProcessGUID="{fe4dedcb-3ba1-5ff4-6c1c-000000000a00}"
The first thing I would like to look at in the correlated Event ID 1 log is the IntegrityLevel field. If its value is High, then we know that the threat actor has somehow bypassed UAC.
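To show both cases end to end, here is an added example (not code from the original post or from Sysmon) that runs the hunt over constructed Sysmon events flattened into dicts, the way a SIEM would index them. It assumes the ClientInfo field has the layout "user: ... hostname: ...", and it generalizes the post slightly by applying the AUTHORIZED_RDP_HOSTNAMES check to the copy case as well as the paste case before correlating on ProcessGuid.

```python
import re
from typing import Optional

# Allowlist from the Requirements section (constructed sample values).
AUTHORIZED_RDP_HOSTNAMES = {"IT-LAPTOP-01", "IT-LAPTOP-02"}

# Constructed Sysmon events (not real telemetry). ClientInfo layout is an assumption.
EVENTS = [
    # Authorized user pasting from an approved device: no alert.
    {"EventID": 24, "Image": r"C:\Windows\System32\rdpclip.exe",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000001}",
     "ClientInfo": r"user: CORP\jdoe hostname: IT-LAPTOP-01"},
    # Case 1: paste from an unknown device; Image is rdpclip.exe.
    {"EventID": 24, "Image": r"C:\Windows\System32\rdpclip.exe",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000002}",
     "ClientInfo": r"user: WORKSTATION-7\admin hostname: DESKTOP-UNKNOWN"},
    # Case 2: copy from cmd.exe by the same unknown device.
    {"EventID": 24, "Image": r"C:\Windows\System32\cmd.exe",
     "ProcessGuid": "{00000000-0000-0000-0000-00000000beef}",
     "ClientInfo": r"user: WORKSTATION-7\admin hostname: DESKTOP-UNKNOWN"},
    # Matching Event ID 1 (Process Creation) for the cmd.exe above.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ProcessGuid": "{00000000-0000-0000-0000-00000000beef}",
     "IntegrityLevel": "High"},
]

_HOSTNAME_RE = re.compile(r"hostname:\s*(\S+)")

def client_hostname(event: dict) -> Optional[str]:
    """Pull the RDP client hostname out of the ClientInfo field (upper-cased)."""
    match = _HOSTNAME_RE.search(event.get("ClientInfo", ""))
    return match.group(1).upper() if match else None

def hunt(events: list, authorized: set) -> list:
    """Return (alert_type, client_hostname, integrity_level) for each suspicious clipboard event."""
    process_creation = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 24:
            continue
        host = client_hostname(e)
        if host is None or host in authorized:
            continue  # known device, or no client info to judge by
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if image == "rdpclip.exe":
            # Paste from the remote device: destination process is not recorded.
            alerts.append(("paste_from_unauthorized_host", host, None))
        else:
            # Copy from a local process: correlate with Event ID 1 and read IntegrityLevel.
            proc = process_creation.get(e["ProcessGuid"])
            alerts.append(("copy_by_unauthorized_host", host,
                           proc.get("IntegrityLevel") if proc else None))
    return alerts
```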
Conclusion
Human-operated ransomware strains like Ryuk heavily utilize RDP during different stages of the attack. The detection method shown in this blog may help catch such threat actors in action and thus thwart their mission to achieve their objectives.
Always remember – A properly configured Sysmon is a boon for the Blue and a nightmare for the Red.