
We have a Windows 2012 R2 server hosted in a datacenter, and we are using RDP for its administration. Automatic updates are enabled.

RDP login is not allowed for the Administrator account, and there are several user accounts with RDP enabled.

I recently found in the logs that there was a brute force attack ongoing that was targeting one of the accounts that actually exists on the server. Looking deeper in the logs, I found that at least 3 accounts have been targeted recently. And this cannot be a coincidence since the account names are complex.

I have now restricted the connection to the IPs of my company, and the problem is solved (I know that this should have been done before but we had reasons not to do it).

However, I am still wondering how the attacker(s) managed to get the names of the accounts. Is it a known security flaw of RDP?

EDIT: There are a few elements that I did not mention: This server is a virtual machine, and both this VM and the hypervisor (Windows 2012 R2 also) are behind a router and share the same public IP. RDP is NATed with a public port that is not the default one, and this is the only NATed port. This machine hosts an HTTP server (kestrel) that can only be accessed through a reverse proxy (nginx) installed on another machine.

2 Answers


Windows RDP is rather badly designed in that, if an attacker repeatedly uses an existing username in a brute force attack, that user gets locked out and the attacker receives a message saying so. So now the attacker knows they have a real username. The following script can be run as administrator from the task scheduler to limit RDP traffic to known addresses.

@echo off
REM ======================================================
SET "_HOME=C:\yourfolder\"
REM ======================================================
REM = RDP connections only allowed from these addresses
REM = including a canonical name so you can use dynamic
REM = DNS for your client
REM ======================================================
SET "_MYCN=www.homeip.net"
SET "_IP2=138.1.125.45,192.168.1.0/24"
SET "_LOG=%_HOME%log.txt"
REM ======================================================
echo started > "%_LOG%" 2>&1
DATE /T >> "%_LOG%" 2>&1
TIME /T >> "%_LOG%" 2>&1
IF NOT EXIST "%_HOME%oldip.txt" (echo 255.255.255.255)> "%_HOME%oldip.txt"
echo _____________________________________________ >> "%_LOG%" 2>&1
REM ======================================================
REM = look up the IP address of the given canonical name
REM ======================================================
nslookup %_MYCN% > "%_HOME%mycn.txt" 2>&1
type "%_HOME%mycn.txt" >> "%_LOG%" 2>&1
echo _____________________________________________ >> "%_LOG%" 2>&1
REM = the first "Address:" line is the DNS server itself, so skip it;
REM = SET is written with quotes and without a redirect so that no
REM = trailing space ends up in the value (the old version had to
REM = strip one off afterwards)
FINDSTR "Address:" "%_HOME%mycn.txt" > "%_HOME%myip1.txt"
SET "_IP="
FOR /F "usebackq skip=1 tokens=2" %%G IN ("%_HOME%myip1.txt") DO SET "_IP=%%G"
REM ======================================================
REM = bail out if the lookup returned nothing; otherwise the
REM = firewall rules would be rewritten with an empty address
REM ======================================================
IF NOT DEFINED _IP (
    echo lookup of %_MYCN% failed, firewall rules left unchanged >> "%_LOG%" 2>&1
    GOTO finishline
)
echo ip address is [%_IP%] >> "%_LOG%" 2>&1
REM ======================================================
REM = compare this address with the previous value
REM ======================================================
SET "_OLDIP="
FOR /F "usebackq tokens=1" %%G IN ("%_HOME%oldip.txt") DO SET "_OLDIP=%%G"
echo previous ip address was [%_OLDIP%] >> "%_LOG%" 2>&1
(echo %_IP%)> "%_HOME%oldip.txt"
echo _____________________________________________ >> "%_LOG%" 2>&1
IF "%_OLDIP%"=="%_IP%" GOTO nothingtodo
REM ======================================================
REM = update the RDP firewall rules
REM ======================================================
echo modify firewall rules >> "%_LOG%" 2>&1
echo netsh advfirewall firewall set rule name="Remote Desktop - User Mode (TCP-In)" new remoteip=%_IP%,%_IP2% >> "%_LOG%" 2>&1
netsh advfirewall firewall set rule name="Remote Desktop - User Mode (TCP-In)" new remoteip=%_IP%,%_IP2% >> "%_LOG%" 2>&1
echo netsh advfirewall firewall set rule name="Remote Desktop - User Mode (UDP-In)" new remoteip=%_IP%,%_IP2% >> "%_LOG%" 2>&1
netsh advfirewall firewall set rule name="Remote Desktop - User Mode (UDP-In)" new remoteip=%_IP%,%_IP2% >> "%_LOG%" 2>&1
REM ======================================================
GOTO finishline
:nothingtodo
echo IP address has not changed >> "%_LOG%" 2>&1
:finishline
echo _____________________________________________ >> "%_LOG%" 2>&1
echo finished >> "%_LOG%" 2>&1
Peter
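The lockout behaviour described in this answer is also visible from the defender's side, which is how the asker could tell that real accounts were being targeted. A failed logon (Event ID 4625) carries a SubStatus code that says whether the name did not exist (0xC0000064), the name existed but the password was wrong (0xC000006A), or the account was locked out (0xC0000234). The script below is an added example, not part of Peter's answer or the asker's setup: it parses a constructed sample of flattened 4625/4624 lines (invented names and documentation-range addresses) and labels each source address as spraying unknown names, hammering names that exist, or too quiet to judge. On a real server the same fields would come from the Security log; the flattened one-line format and the `min_attempts` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security log entries, flattened to one line
# each (timestamp, event ID, then the fields this script needs). Not real
# log lines; the names and addresses are invented.
SAMPLE_LOG = """\
2019-05-04T02:11:07 4625 TargetUserName=svc_backup_x7 IpAddress=203.0.113.50 LogonType=10 SubStatus=0xC000006A
2019-05-04T02:11:09 4625 TargetUserName=svc_backup_x7 IpAddress=203.0.113.50 LogonType=10 SubStatus=0xC000006A
2019-05-04T02:11:12 4625 TargetUserName=svc_backup_x7 IpAddress=203.0.113.50 LogonType=10 SubStatus=0xC0000234
2019-05-04T02:11:15 4625 TargetUserName=jdoe_ops_42 IpAddress=203.0.113.50 LogonType=10 SubStatus=0xC000006A
2019-05-04T02:14:30 4625 TargetUserName=admin IpAddress=198.51.100.9 LogonType=10 SubStatus=0xC0000064
2019-05-04T02:14:31 4625 TargetUserName=test IpAddress=198.51.100.9 LogonType=10 SubStatus=0xC0000064
2019-05-04T02:14:32 4625 TargetUserName=guest IpAddress=198.51.100.9 LogonType=10 SubStatus=0xC0000064
2019-05-04T02:14:33 4625 TargetUserName=user1 IpAddress=198.51.100.9 LogonType=10 SubStatus=0xC0000064
2019-05-04T02:20:01 4625 TargetUserName=jdoe_ops_42 IpAddress=192.0.2.7 LogonType=10 SubStatus=0xC000006A
2019-05-04T02:20:40 4624 TargetUserName=jdoe_ops_42 IpAddress=192.0.2.7 LogonType=10
"""

# NTSTATUS SubStatus values that Event 4625 reports for a failed logon.
SUBSTATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name exists, wrong password",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC000015B": "logon type not granted",
}
# Any of these proves the name is real: the password was actually checked,
# or the account was locked, disabled, or denied this logon type.
EXISTS_CODES = {"0xC000006A", "0xC0000234", "0xC0000072", "0xC000015B"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4625(text):
    """Parse flattened log lines into dicts, keeping only Event ID 4625."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[1] != "4625":
            continue
        fields = dict(FIELD_RE.findall(parts[2]))
        fields["Time"] = parts[0]
        events.append(fields)
    return events


def summarize_by_source(events):
    """Per source IP: RDP attempt count and the guessed names, split by
    whether the SubStatus shows the name exists, is unknown, or got locked."""
    summary = defaultdict(
        lambda: {"attempts": 0, "existing": set(), "unknown": set(), "locked": set()}
    )
    for ev in events:
        if ev.get("LogonType") != "10":  # 10 = RemoteInteractive, i.e. RDP
            continue
        src = summary[ev["IpAddress"]]
        src["attempts"] += 1
        name, code = ev["TargetUserName"].lower(), ev.get("SubStatus", "")
        if code == "0xC0000234":
            src["locked"].add(name)
        if code in EXISTS_CODES:
            src["existing"].add(name)
        elif code == "0xC0000064":
            src["unknown"].add(name)
    return dict(summary)


def classify_source(src, min_attempts=3):
    """'targeted' when at least half the names a noisy source tries are real
    accounts (the asker's situation), 'spray' when it is mostly guessing
    names, 'quiet' when there are too few attempts to judge."""
    if src["attempts"] < min_attempts:
        return "quiet"
    total = len(src["existing"]) + len(src["unknown"])
    if total and len(src["existing"]) / total >= 0.5:
        return "targeted"
    return "spray"


def report(text):
    """Map each source IP in the log text to its classification."""
    summary = summarize_by_source(parse_4625(text))
    return {ip: classify_source(src) for ip, src in summary.items()}


if __name__ == "__main__":
    for ip, src in summarize_by_source(parse_4625(SAMPLE_LOG)).items():
        print(ip, classify_source(src),
              "existing:", sorted(src["existing"]),
              "unknown:", sorted(src["unknown"]),
              "locked:", sorted(src["locked"]))
```

A source that only ever produces 0xC0000064 is still guessing names; a source producing 0xC000006A and 0xC0000234 against a handful of complex names already has a valid list, which is the signal worth alerting on and the reason the lockout message is a leak.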

Overview

We cannot know for sure how they got the account names without knowing more details. From my personal experience, I will give you the most common ways bad guys get this info.


Assume Breach

There is a saying in the advanced cyber security field:

There are two types of organizations: those that are breached, and those that don't know that they are breached.

Since you are running an Active Directory Domain Services environment, it is easy for an attacker to dump a list of all accounts and use an application like BloodHound to chart a course to domain admin.


Easy Access

The bad guy can compromise a single domain joined workstation (maybe through phishing or something else), then dump a list of all users and computers from the AD DS instance. You can't easily defend against something like this, as this behavior is core to how AD DS works. You can easily dump everything as a standard user; no special or privileged permissions are needed to do this.


Identity Perimeter

Security Through Obscurity is no longer an option. Back in the 90s and early 2000s it may have been, but with automation and tools like BloodHound, you get the picture.

Security needs to be at the network and identity layer. A network-only security perimeter is just as foolish as Security Through Obscurity. Wired Magazine ran an article on this back in 2013.

An example of a security control that can help against breaches at an identity level is multi-factor authentication. There are many more, but that is an answer for a different question.


RDP/SMB Account Dumping

To the best of my knowledge, I am not aware of any attacks via RDP or SMB that would dump usernames from a computer as a direct result of the attack. I am aware of attacks that can gain access to the computer as an admin then with those rights they could dump, but not a direct attack that could dump.


Links