Attacking Windows using RDP Blue Keep exploit and learning

defence
Bluekeep is a critical Remote Code Execution vulnerability in Microsoft’s RDP service running
on TCP port 3389. It could allow an attacker to execute remote code on a vulnerable machine
that’s running Remote Desktop Protocol (RDP). As the vulnerability is wormable, it spread
rapidly. By sending a specially crafted packet a memory corruption bug is created in the target
machine. The attacker crashes the kernel which causes a blue screen of death on the victim
machine resulting in a Denial of Service (DoS) attack. Due to RDP vulnerability on versions
earlier than windows 8.1. an attacker can also execute remote code execution and by placing
a backdoor on the victim machine, it gets compromised.
Affected machines with this vulnerability:
Windows 7, Windows Server 2008, Windows Vista, and Windows Server 2004 machines with
RDP enabled.
In this exercise, you will learn about the blue keep vulnerability, and its exploitation
resulting in a Denial of Service attack, indicators of compromise, mode of Detection,
mitigation, and prevention technique for this attack.
Indicator of Attack (IOA)
Indicators of attack(IOAs) are some events that could reveal an active attack before indicators
of compromise become visible. It is not always possible to detect Indicators of attack, as the
attackers generally target your machines when you are not available with them.
IOAs disclose the motivations of the attacker and the specific tools used in each process.
Examples of Indicators of Attacks(IOA)
I. Excessive SMTP traffic. Could be evidence of a compromised system being used to
launch DDoS attacks.
II. Malware reinfection within a few minutes of removal. This could be indicative of an
Advanced Persistent Threat.
III. Multiple user logins from different regions. This could be indicative of stolen user
credentials.
IV. Network scans by internal hosts communicating with multiple hosts in a short time
frame, which could reveal an attacker moving laterally within the network.
Indicators of Compromise (IOCs)
Indicators of Compromise (IOC) are pieces of forensic data, such as data found in host-based
log entries or files, that identify potentially malicious activity on a system or network. An IOC
is an indication that can be used to indicate an intrusion or compromise of a host in a network.
Examples of an IOC include unusual network traffic, unusual privileged user account activity,
login anomalies, increases in database read volume, suspicious registry or system file changes,
etc.
IOC can reveal:
A. Tactics, Techniques, and Procedures (TTP) used during a cyberattack.
B. Severity of the event. Event severity is calculated based on the severity weight given in
vulnerabilities.
C. Where to focus incident response and mitigation
 Incident response is an approach to handling security breaches. The aim of incident
response is to identify an attack, contain the damage, and know the root cause of the
incident.
D. Who are the threat actors?
A threat actor also called a malicious actor is an entity that is partially or wholly
responsible for an incident that impacts – or has the potential to impact the security of an
organization.
IOCs are a key source for:
1. Identification of an Advanced Persistent Threat (APT)
2. Indicating something is wrong with the network
3. Forensic identification of crime or attack
4. Understanding how a compromise occurred
5. Testing your system or network for vulnerabilities
6. Watch the Authentication Activity
Example: Anomalies in privileged account activity
Check the number of users created with administrator privilege

Guided Exercise
Checking the Vulnerability of the Windows machine for Bluekeep
vulnerability
You can check your machine for RDP protocol related vulnerabilities using the RDP scan tool.

Testing your machine for Bluekeep vulnerability using RDPScan:

RDPScan is a free tool available to check this vulnerability.
Step1. Download the latest version from the below link
[Link]

Extract the file of rdpscan-windows in the default location.

Run the program from the command line using the following commands:
Scan a single host:
rdpscan [ip_address]
rdpscan [Link]
Scan a range of IP addresses:
rdpscan [start_ip_address]-[end_ip_address]
Scan a network with CIDR notation:
rdpscan [network]/[cidr_notation]
rdpscan [Link]/24
 This command will scan each of the IP addresses to find out if port 3389 is open
and vulnerable.
If a windows machine is vulnerable to blue keep RDP vulnerability, the rdpscan
tool will show status as vulnerable.

Detection of Bluekeep RDP attack (Indicators of Attack):

A. Performing Bluekeep RDP Attack on the Windows machine in your user account

To detect the IoA on your machine for a Bluekeep vulnerability-based attack, you have
to first attack the machine through the following steps.
1. Connect to the kali Linux machine, created by you, using the RDP protocol. Kali Linux
machine is being used as Attacker’s machine.
2. When prompted for the username and password, enter root as username and toor as
password. The root is the administrator user of the machine.
B. Detection of Bluekeep RDP attack

If the attack happens on your machine, the following may be the indicators of the
attack:

1. Blue screen of death: the following screen will be the first visible sign of an RDP
blue keep attack.

2. Using Event Log Viewer

The Windows Event Viewer shows logs of applications and system messages,
including errors, information messages, and warnings. It’s a useful tool for
troubleshooting all kinds of different Windows problems.
 [Link]
viewer-is-and-how-you-can-use-it/
If the blue screen appears several times in the user machine, the user must check
Event Viewer logs because when the attacker runs the exploit script for Bluekeep
vulnerability, it will send the authentication packet, which generates the events
“TerminalServices-RemoteConnectionManager”.
The following steps must be performed to check Event Viewer Logs.
1. Type Event Viewer in the Windows search box.

2. Click on Applications and Services

Logs>Microsoft>Windows>RemoteDesktopServices-
RemoteDesktopSessionManager
3. Click onTerminalServices-RemoteConnectionManager. Expand it and Click on
Operational to find events TerminalServices -RemoteConnectionManager.
The presence of these events ensures the RDP-related attack.

Prevention from the attack:

You can prevent your machines from Blue Keep vulnerability-based attacks using the
following steps.
1. Patch insecure computers.
 2. Block vulnerable ports: Users can also prevent the BlueKeep vulnerability by
blocking port 3389 at firewalls, which is used by the RDP. This port should
especially be blocked if devices and the firewall are facing the external Internet.
3. Disable unnecessary services: Any services that are not required, such as
remote desktop services, should be blocked to prevent potential security gaps
that attackers could exploit.
4. Enable network control: Organizations can enable Network Level
Authentication (NLA), which gives them control of users that connect to their
systems and prevent unauthorized access to their data and resources. This also
helps them block unauthorized users looking to exploit the BlueKeep
vulnerability to attack the business.
5. Educate users: In addition to patching systems, installing the latest software,
and protecting networks, it is also important to be aware of the latest risks.
Users need to ensure they understand the risks they face and can identify the
signs of a potential cyberattack.
Let’s understand these steps in detail.
Step1: If RDP service is not required on the system, disable it as a security best practice
Check the open ports on your windows machine. if port no 3389 is found open, disable
it. This port is used for running RDP (Remote desktop service). you can check it using
the netstat command (run on command prompt), as follows.

Disabling unused and unneeded services helps reduce exposure to security vulnerabilities.
Blocking port, No 3389 in Windows Firewall:
a. Go to Start > Control Panel > Windows Firewall and find Advanced settings on the
left side.
b. Click on Inbound Rules > New rule. Then in the pop-up window, choose Port >
Next >TCP > Specific local ports and type 3389 and go to Next

c. Choose Block the connection > Next. Tick the three checkboxes and click Next.
Specify the name and description and click Finish.
d. Check if rule is created by Properties > Protocols and Ports > Local Port.
Note: RDP service (Port no 3389) must be disabled, only if you do not need it. If you
close port 3389, you will not be able to get access to a remote desktop, either on the
same network or another network. The best solution for this problem is enabling
Network Level Authentication and installing security updates for RDP as mentioned
below.

Step2: Next step to prevent the Blue keep RDP attack is to configure Network Level
Authentication on the machine which offers extra authentication measure and enhance
security so the attacker doesn’t log in easily. To enable Network Level Authentication,
perform the following steps.
a. Go to properties>Advanced system setting
 b. On the Remote tab in the System Properties dialog box on an RD Session
Host server.

▪ Choose the option Allow the connection only from computers running Remote
Desktop with Network Level Authentication (more secure).
After scanning for the vulnerability, the output may be Safe, Vulnerable, or
Unknown.
 Here in this case, it reflects the status as safe.

Step 3: CVE-2019-0708 | Remote Desktop Services Remote Code Execution

Vulnerability security update
a. Go to [Link]
2019-0708where the links are available for the security update packages.

b. Scroll down to the operating system that is in use. In this example, it was Windows
7 64bits.
c. Click on the desired package. In this example, the package used is Windows 7 for
x64-based Systems Service Pack 1 (KB4499164) Monthly Rollup. Make sure it’s
the Monthly Rollup link that is chosen!

d. A new window will open. Select the update for the windows version that window
7 have and press Download.

e. Click on the link that will appear after pressing the Download button:
f. After the download is complete, run it as would run any other setup.

g. Windows appears “Do you want to install the following Windows software
update”. Press Yes and this will initialize the installation setup:
h. At the end of the installation, it will ask to restart the computer, so restart it.
i. After rebooting, to check if the installation was successful, just go to Control Panel
> Windows Updates > View update History (on the left side) and see if the Security
Update for Windows is installed. It should have the current date in the Date
Installed column.
 IMPORTANT!
If the update has been already applied or installed, then windows appear on the
screen informing about it.

Note: To check the hardening of your machine for Blue Keep-based attacks, again perform
the attack on your machine and check for the Indicators of the Attack. if an attack happens,
re-read the manual again and take the steps for hardening the machine against this attack.