Introduction: Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software, while the other computer must run RDP server software. Furthermore, it provides remote display and input capabilities over network connections for Windows-based applications running on a server.

Why Should We Pay Close Attention to RDP Forensics?

Given the widespread use of RDP, especially in corporate environments, the ability to perform forensic analysis on the RDP bitmap cache can be invaluable in investigating various cyberattacks. These may range from insider threats (such as employee data theft) to external attacks (such as hackers using RDP sessions to gain unauthorized access to sensitive data).

Cortex Xpanse’s 2022 Attack Surface Threat Report found RDP to be the most common security issue attackers can find on the global enterprise attack surface. Remote Desktop Protocol was the most common security issue among the global enterprises we studied, representing 32% of overall security issues (see Figure 1). RDP’s top spot is particularly worrisome because it’s a top gateway for ransomware.

Furthermore, the Unit 42 Incident Response report states that brute-force credential attacks are responsible for 20% of the initial attack vectors in the cases Unit 42 investigated, primarily using RDP.

Figure 1: Top security issues based on prevalence

As mentioned, attackers often conduct brute-force attacks to crack weak or reused credentials, or exploit unpatched vulnerabilities, to gain unauthorized RDP access. Once inside, they can move laterally across the network, escalate privileges, deploy ransomware, exfiltrate data, or establish persistent backdoors.

The Potential of RDP Bitmap Cache Forensics

RDP’s legitimate use for remote access makes it an ideal camouflage, allowing attackers to blend their activities with normal network traffic and making detection considerably more challenging. When interacting with the remote server's desktop, every graphical change must appear on the client's screen and therefore be transmitted by the server to the client, which can generate heavy network traffic. RDP has a bitmap caching feature that, when enabled, allows the session to reuse data already present in the local cache files to provide a smoother user experience and reduce network bandwidth. This works by storing frequently used images (bitmaps) from the remote host locally on the client machine, so that the same images need not be retransmitted over the network, which would be bandwidth-consuming and slow.

The bitmap cache consists of several cache entries. Each entry stores bitmap data and metadata such as the key, dimensions, and color depth. What's genuinely intriguing for digital forensics is that this cache persists on the client machine, even after the RDP session has been terminated. Successfully parsing the RDP cache files makes it possible to recover tiles (Figure 2) of what the user saw during the RDP session and, by putting the tiles back together, potentially discover new elements in an investigation. This is similar to recovering puzzle pieces which, when correctly assembled, recreate the picture of a user's actions during an RDP session.

The RDP Bitmap Cache Hunting Pack Walkthrough

For organizations seeking to tighten their cybersecurity, the RDP Cache Hunting pack offers an advanced solution to detect and analyze potential threats in RDP connections. This pack can gather RDP bitmap cache files via different XDR solutions or Remote PowerShell. These files are then processed into a more comprehensible format: tiles are extracted and collaged, and text is extracted from the images.

An Automated Collection and Forensic Analysis playbook is also part of the RDP Cache Hunting pack to make this process even more efficient. This playbook simplifies the extraction and analysis process into four steps: collection of cache files, conversion of these files into images, extraction of readable text from these images, creation of indicators of compromise (IOCs) from the text, and finally, enrichment of these IOCs with additional context for enhanced threat analysis.

The pack utilizes BMC-Tools by ANSSI, a powerful utility designed specifically for extracting and processing RDP cache files. It parses Windows RDP cache files (.BIN) into tiles and generates a collage. We thought about leveraging the collage to make the entire analysis process more efficient. We decided to extract all the visible text from the collage created and try to detect suspicious activity based on the extracted text. To do so, we used the tesseract-ocr OCR engine, which allowed us to go through all the text visible across the combined tiles.
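The step that turns OCR text into IOCs is where OCR noise bites: Tesseract routinely reads the digit 0 as the letter O and 1 as l, and addresses typed on screen may already be defanged. The Python below is an added example, not code from the RDP Cache Hunting pack; the sample OCR text is constructed, and filtering out RFC 1918/loopback/link-local ranges before enrichment is a choice made here to cut noise.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: text as tesseract might return it from a tile collage.
# OCR often turns the digit 0 into the letter O; '[.]' is a defanged address.
SAMPLE_OCR_TEXT = """
C:\\Users\\admin> ping 10.0.0.5
Downloading http://update-cdn[.]example[.]net/agent.exe
Connected to 198.51.1OO.23 via psexec
Mapped drive to files.example.com
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FILE_EXTS = {"exe", "dll", "bat", "ps1", "txt", "log", "zip", "lnk"}
# Assumption: only classic internal ranges are dropped as noise; the
# documentation range 198.51.100.0/24 in the sample therefore stays.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def normalise_ocr(text: str) -> str:
    """Refang '[.]' and repair O/o->0 and l->1 inside IPv4-looking tokens."""
    text = text.replace("[.]", ".")
    fix = lambda m: m.group(0).replace("O", "0").replace("o", "0").replace("l", "1")
    return re.sub(r"\b[\dOol]{1,3}(?:\.[\dOol]{1,3}){3}\b", fix, text)

def extract_iocs(text: str) -> dict:
    """Return external IPv4s, URLs and hostnames found in OCR output."""
    text = normalise_ocr(text)
    ips, urls, domains = set(), set(), set()
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # an octet above 255: a version string or OCR garbage
        if not any(addr in net for net in INTERNAL_NETS):
            ips.add(str(addr))
    for url in URL_RE.findall(text):
        urls.add(url)
        domains.add(urlparse(url).hostname.lower())
    for dom in DOMAIN_RE.findall(text):
        if dom.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            domains.add(dom.lower())
    return {"ips": sorted(ips), "urls": sorted(urls), "domains": sorted(domains)}

def defang(ioc: str) -> str:
    """Neutralise an indicator so it cannot be clicked in a ticket or report."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")
```

Run `defang()` over each value returned by `extract_iocs()` before pasting results into a case note; the refanged form is only needed for the enrichment lookups.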