tauhs
Level 9

Looking for a way to track(log) RDP sessions using HIPS

Does anyone have a custom signature that would do this?

Any feedback appreciated.

8 Replies
fitchsoccer342
Level 13

Re: Looking for a way to track(log) RDP sessions using HIPS

I wouldn't use the IPS portion, but rather the firewall. You can easily create a rule to allow or block and log the traffic for TCP/UDP 3389 (RDP).

I'm sure you could do it through the IPS as well, but it's easier to just create a simple rule rather than write a custom signature.

tauhs
Level 9

Re: Looking for a way to track(log) RDP sessions using HIPS

I agree. The customer, however, posed this question.

They want a way to capture logs or to track using the HIPS signatures. It is not something I have done, or would do, so I reached out to the boards to see if this has popped up elsewhere.

epository
Level 10

Re: Looking for a way to track(log) RDP sessions using HIPS

Hmm...the best way would be for an event log correlator for your network, but I imagine this may not be a possibility....although a GPO could fix that right up by telling the eventvwr to forward all 4624 events to someplace via the Subscription service.

Anyhow, besides that, I would put in a permit rule in the firewall for HIPS for port 3389 and log it as an intrusion. It will get caught up in your other Intrusion events, so you will have to create a specific query to grab those HIPS Properties events using Event ID 3702 or Threat name 3702 and IPS Param Name "Local Port" and IPS Param Name "Remote Port".

Let us know if you figure this out...wondering how other RDP tools like Hamachi or the SCCM Remote desktop tool would trigger.....

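An added example, not code from this thread, of the query epository describes above, written in Python over constructed records: keep HIPS Properties events with Event ID 3702 whose IPS Param "Local Port" or "Remote Port" is 3389, work out the direction, and count who RDPs from where. The record field names are assumptions for illustration, not ePO's real column names.

```python
from collections import Counter

RDP_PORT = "3389"
HIPS_FW_EVENT_ID = 3702   # event ID the thread names for HIPS firewall (Intrusion) events

# Constructed sample records shaped like the fields a HIPS Properties query returns.
# Field names ("User", "Host", "Params", ...) are assumed for this example.
SAMPLE_EVENTS = [
    {"EventID": 3702, "Time": "2014-03-01T09:12:00", "User": "CORP\\admin1",
     "Host": "WS01", "Params": {"Local Port": "51234", "Remote Port": "3389"}},
    {"EventID": 3702, "Time": "2014-03-01T09:12:01", "User": "NT AUTHORITY\\SYSTEM",
     "Host": "SRV02", "Params": {"Local Port": "3389", "Remote Port": "51234"}},
    {"EventID": 3702, "Time": "2014-03-01T10:30:00", "User": "CORP\\admin1",
     "Host": "WS01", "Params": {"Local Port": "51300", "Remote Port": "443"}},
    {"EventID": 1092, "Time": "2014-03-01T11:00:00", "User": "CORP\\user7",
     "Host": "WS09", "Params": {"Local Port": "3389", "Remote Port": "50000"}},
    {"EventID": 3702, "Time": "2014-03-02T08:00:00", "User": "CORP\\admin1",
     "Host": "WS01", "Params": {"Local Port": "51500", "Remote Port": "3389"}},
]


def rdp_direction(event):
    """Return 'outbound', 'inbound' or None for one HIPS firewall event."""
    if event.get("EventID") != HIPS_FW_EVENT_ID:
        return None                      # some other Intrusion event, not the firewall rule
    params = event.get("Params", {})
    if params.get("Remote Port") == RDP_PORT:
        return "outbound"                # this host opened an RDP client connection
    if params.get("Local Port") == RDP_PORT:
        return "inbound"                 # this host accepted an RDP connection
    return None                          # 3702 event on a different port


def rdp_events(events):
    """Keep only Event ID 3702 events involving port 3389, annotated with direction."""
    out = []
    for ev in events:
        direction = rdp_direction(ev)
        if direction:
            out.append({**ev, "Direction": direction})
    return out


def outbound_by_user(events):
    """Count outbound RDP sessions per (user, source host): the 'who RDPs from where' view."""
    return Counter((ev["User"], ev["Host"])
                   for ev in rdp_events(events) if ev["Direction"] == "outbound")
```

A full session shows up twice when both endpoints run HIPS (outbound on the client, inbound on the server), so count one direction when you only want session totals.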
tauhs
Level 9

Re: Looking for a way to track(log) RDP sessions using HIPS

We ended up convincing the customer we could track (log) using VSE Access Protection much better, as it has a mini-HIPS component built in. Here is how & why to use this:

Why use this?

  • Tracking who (Users/Admins/Hackers) are remoting into other hosts is a useful matrix
  • While RDP is normal activity for Admins, it is also how attackers pivot between hosts
  • Allows Analysts to track Admin use of RDP
  • This allows tracking of User, Computer RDP from and to, and the DTG
  • VSE is used because of its coverage in the network, as all hosts should have VSE installed

Open Policy Catalog.

Select "User-Defined" Rules.

Click Next.

Select "Port Blocking Rule" on the popup.

A window will open called "Network Port Access Protection Rule".

Do the steps below within it:

1. Name the Rule: i.e. RDP-WS (or whatever you wish to call it)
2. Processes: "mstsc.exe"
3. Starting/Ending Port: "3389"
4. Check both In/Out Bound
5. Click Ok & Repeat for Servers

*** Uncheck "BLOCK" ***


epository
Level 10

Re: Looking for a way to track(log) RDP sessions using HIPS

You're right... smart solution!!

ansarias
Level 13

Re: Looking for a way to track(log) RDP sessions using HIPS

Do you want to use it for single machine or multiple machines?

tauhs
Level 9

Re: Looking for a way to track(log) RDP sessions using HIPS

ansarias, we set it up as a policy, so it would affect ALL machines that currently have VSE installed.

ansarias
Level 13

Re: Looking for a way to track(log) RDP sessions using HIPS

Thanks. Agreed, the McAfee Access Protection user-defined rule is the best option to track RDP.

Set it to report, not block, so a log will be generated in the AP logs.