Microsoft announces solution to detect suspicious processes running on hidden desktops

  • Home
  • Blog
  • Microsoft announces solution to detect suspicious processes running on hidden desktops
image

Overview

With remote desktop protocol (RDP) compromises on the rise, Microsoft Defender for Endpoint has introduced a new field that can provide analysts with full visibility into potentially malicious RDP session use.

Importance of RDP and RMM

But first, what is RDP and why is it used?

RDP stands for remote desktop protocol and it is used by many organisations as it allows users to take control of a remote computer or virtual machine as if they were in front of the computer in person. This makes it possible to access a desktop, open and edit files, or use applications over a network connection making it practical for those that are travelling or working from home. By performing these actions remotely, it is possible to provide and receive technical support or troubleshooting allowing for network servers to be configured.

While this protocol has its practical uses, adversaries take advantage of the fact that RDP is unfortunately often misconfigured, such as RDP ports being exposed to the internet.

Remote Compromise

Windows only allows one remote RDP session and this can prevent attackers from connecting to a device at the same time as legitimate users. Therefore, some attackers may attempt to use remote monitoring and management (RMM) approaches, such as the two approaches detailed in the blogpost.

Windows Stations

The first approach exploits the fact that Windows user sessions can be assigned with multiple Windows Station objects. Each Windows Station can contain multiple desktop objects and this allows the attacker to create and use their own ‘hidden desktop’, which gives them the ability to control a victims device by using a separate interface that is not visible to the victim. From this hidden desktop, the attacker can monitor the user’s activities, move laterally within the system and exfiltrate data, all while remaining undetected. Furthermore, since the clipboard is shared by all desktops within the window station, the attacker can steal sensitive information, such as credentials from the clipboard.

Hidden Virtual Network Computing (hVNC)

While also relying on the use of hidden desktops, the second approach uses hidden virtual network computing, or hVNC, which is a technology that allows for multiple interactive desktops to exist simultaneously in a single user session. Unlike the previous approach, using hVNC opens a hidden instance as a virtual desktop, which allows the attacker to remotely interact with the victim device making it suitable for advanced persistent threat (APT) campaigns.

Both of these approaches show how hidden desktops can be abused by attackers and highlights the importance of the new ‘DesktopName’ field in Defender for Endpoint. More on this in the How to Protect Yourself section.

Rise in RDP Abuse

A recent adversary report from Sophos found that RDP abuse was involved in 90% of its incident response cases and that ransomware groups often abuse it as an entry point for their attacks.

Recent examples of malware that make use of hidden desktops include Pandora hVNC, Escanor and Xeno RAT (which are open-source and available for attackers to download). Many of these are trojans and have been seen promoted in Google ads, such as LOBSHOT which was distributed via Google ads in 2023 that led to a fake AnyDesk site giving attackers complete control over any device that ran the executable.

How to Protect Yourself

To protect yourself from attacks similar to those described above, we recommend that you take the following steps:


Take control with Defender for Endpoint

Microsoft has showcased how the ‘DesktopName’ field can be used in Defender for Endpoint, such as generating alerts when PowerShell is detected on a hidden desktop. This can detect and prevent attackers who abuse hidden desktops to gain information, or further their attacks.

Defender for Endpoint ‘hidden desktop’ detection capability


Mitigate unauthorised Remote Access

These attacks often prey on misconfiguration, so by ensuring the following steps, you can protect your organisation from unauthorised remote access:

  • - Limit connections to port 3389 to whitelisted IP addresses and specific devices.
  • - Enable automatic Windows updates to ensure patching of RDP vulnerabilities.
  • - Ensure that strong passwords and MFA are mandatory, specifically MFA with number matching as this can help mitigate MFA Bombing/MFA Fatigue attacks.
  • - Enable NLA (Network-Level Authentication) for RDP.

Conclusion

The cyber landscape is constantly changing and it is important to ensure that your organisation is following the trends. Currently, with RDP and RMM compromise on the rise, organisations that are not sufficiently protected can fall victim to command and control, lateral movement, or even ransomware. By implementing Microsoft Defender for Endpoint and making use of the new field, it is possible to detect these hidden desktop attacks and by ensuring you have configured RDP correctly, it is possible to stop unauthorised remote connections to your organisation’s devices and servers.

Bibliography

[1] Microsoft Blogpost

[2] V2 Cloud RDP

[3] Microsoft RDP

[4] Cloudflare RDP

[5] What are RDP attacks and how to mitigate

[6] Sophos Report 2024

[7] Pandora hVNC RAT

[8] Lobshot distributed via google ads:



Would you like to talk to us and find out more about our services?

Please fill in the form below and one of the team will get in touch.