cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
tauhs
Level 9
Report Inappropriate Content
Message 1 of 9
‎01-30-2015 07:41 AM

Looking for a way to track(log) RDP sessions using HIPS

Does anyone have a custom signature that would do this?

Any feedback appreciated.

0 Kudos
Reply
8 Replies
fitchsoccer342
Level 13
Report Inappropriate Content
Message 2 of 9
‎01-30-2015 08:01 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

I wouldn't use the IPS portion, but rather the firewall. You can easily create a rule to allow or block and log the traffic for TCP/UDP 3389 (RDP).

I'm sure you could do it through the IPS as well, but easier to just create a simple rule rather than write a custom signature..

0 Kudos
Reply
tauhs
Level 9
Report Inappropriate Content
Message 3 of 9
‎01-30-2015 11:13 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

I agree.  The customer, however, posed this question.

They want a way to capture logs or to track using the HIPS signatures. It is not something I have done , or would do, so I reached out to the boards to see if this has popped up elsewhere.

0 Kudos
Reply
epository
Level 10
Report Inappropriate Content
Message 4 of 9
‎02-10-2015 01:44 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

Hmm...the best way would be for an event log correlator for your network, but I imagine this may not be a possibility....although a GPO could fix that right up by telling the eventvwr to forward all 4624 events to someplace via the Subscription service.

Anyhow, besides that, I would put in a permit rule in the firewall for HIPS for port 3389 and log it as an intrusion...it will get caught up in your other Intrusion events, so you will have to create a specific query to grab those HIPS Properties events using Event ID 3702 or Threat name 3702  and IPS Param Name "Local Port" and IPS Param Name "Remote Port".

Let us know if you figure this out...wondering how other RDP tools like Hamachi or the SCCM Remote desktop tool would trigger.....

0 Kudos
Reply
tauhs
Level 9
Report Inappropriate Content
Message 5 of 9
‎02-10-2015 06:06 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

We ended up convincing the customer we could track (log) Using VSE Access Protection much better as it has a mini-HIPS component built in - Here is how & why to use this:

Why use this?

  • Tracking who (Users/Admins/Hackers) are Remote into other hosts is a useful matrix
  • While RDP is normal activity for Admins, it is also how attackers pivot between hosts
  • Allow Analysts to track Admin use of RDP
  • This allows to track User, Computer RDP from and to, and the DTG
  • Using VSE is used due to coverage in the network as all host should have VSE installed

Open Policy Catalog

Select "User-Defined"Rules

click Next

Select "Port Blocking Rule" on the popup

a window will open called "Network Port Access Protection Rule"

Do the steps below within -

1.1.Name

the Rule: IE RDP-WS (or whatever you wish to call it)

2.2.Processes

“mstsc.exe”

3.3.Starting/Ending

Port “3389”

4.4.Check

both In/Out Bound

5.5.Click

Ok & Repeat for Servers

 

***Uncheck
“BLOCK” ***


Reply
epository
Level 10
Report Inappropriate Content
Message 6 of 9
‎02-10-2015 06:58 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

Your right.....smart solution!!

Reply
ansarias
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 7 of 9
‎02-10-2015 06:33 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

Do you want to use it for single machine or multiple machines?

0 Kudos
Reply
tauhs
Level 9
Report Inappropriate Content
Message 8 of 9
‎02-10-2015 07:00 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

ansarias, we set it up as a policy, so it would affect ALL machines that currently have VSE installed.

0 Kudos
Reply
ansarias
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 9 of 9
‎02-10-2015 08:02 AM

Re: Looking for a way to track(log) RDP sessions using HIPS

Thanks, Agreed on McAfee Access Protection user defined rule is the best option to track on RDP.

Set a report not block so log will be generated in AP logs.

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC