Announcing RDFP for Zeek - Enabling Client Telemetry to the Remote Desktop Protocol
<p><a href="https://www.linkedin.com/in/annh/">Jeff Atkinson</a>, Principal Security Engineer, Verizon Media<br/></p>
<p>We are pleased to announce <a href="https://github.com/theparanoids/rdfp">RDFP</a> for Zeek. The project is based on 0x4D31’s <a href="https://medium.com/@0x4d31/rdp-client-fingerprinting-9e7ac219f7f4">FATT</a> Remote Desktop client fingerprinting. The technique parses the data blocks a client sends during RDP connection negotiation and hashes them into a profile of the client software. RDFP extends Zeek’s RDP protocol parsing and gives security analysts a way to profile the RDP software in use on the network. BlueKeep exposed gaps in our RDP visibility, which spurred us to contribute to <a href="https://github.com/zeek/zeek/commits/master/src/analyzer/protocol/rdp/rdp-protocol.pac">Zeek’s RDP protocol analyzer</a> so that it extracts these additional details. Please share your questions and suggestions by <a href="https://github.com/theparanoids/rdfp">filing an issue on Github</a>.</p>
<p><b>Technical Details</b><br/></p>
<p>RDFP extracts the following fields from the client data blocks carried in the MCS Connect Initial PDU and generates an MD5 hash over them.<br/></p>
<ul><li>Client Core Data</li><li>Client Cluster Data</li><li>Client Security Data</li><li>Client Network Data</li></ul>
<p>The RDFP hash is built from the fields in this order:<br/></p>
<p>md5(verMajor;verMinor;clusterFlags;encryptionMethods;extEncMethods;channelDef)<br/></p>
<p><b>Client Core Data</b><br/></p>
<p>The first data block handled is Client Core Data. Its version field yields the client major and minor versions. The block also carries the desktop size, color depth, keyboard layout, client build and client name, but those describe the user’s configuration rather than the client software, so they are not part of the hash.<br/></p>
<p><b>Client Cluster Data</b><br/></p>
<p>The Client Cluster Data block contains the cluster flags. 
These are added in the order they are seen and describe session redirection support and related items, for example whether a smart card was used for the redirection.<br/></p>
<p><b>Client Security Data</b><br/></p>
<p>The Client Security Data block provides encryptionMethods and extEncryptionMethods. encryptionMethods is a bit mask of the Standard RDP Security encryption methods the client supports (40-, 56- and 128-bit key sizes and FIPS compliant encryption), which determine the cipher key and message authentication code used. extEncryptionMethods carries the same mask for French-locale clients, which send zero in encryptionMethods.<br/></p>
<p><b>Client Network Data</b><br/></p>
<p>The Client Network Data block contains one Channel Definition Structure (CHANNEL_DEF) for each static virtual channel the client wants to open, such as rdpdr or cliprdr. Each entry names the channel and sets option flags that describe how the channel should be set up with the server: compression, MCS priority, encryption, and persistence across remote control transactions.<br/></p>
<p>Here is an example rdfp.log generated by the rdfp.zeek script. The log provides all of the extracted fields along with the client rdfp_hash.</p><figure data-orig-width="1184" data-orig-height="588" class="tmblr-full"><img src="https://64.media.tumblr.com/882dbfbd2b270868448384f9d8517275/3334d2e4a87982cd-f4/s540x810/dcab2c702cf384b69b1b86183a4ca83cf9c4401e.png" alt="image" data-orig-width="1184" data-orig-height="588"/></figure>
<p>This technique only works when the client data blocks are visible on the wire. If the client and server negotiate Enhanced RDP Security (TLS, or CredSSP for Network Level Authentication) in the X.224 connection request, the MCS Connect Initial that carries these blocks is sent inside the TLS session and cannot be parsed; for that traffic, fingerprint the TLS Client Hello with <a href="https://github.com/salesforce/ja3">JA3</a> instead. Please refer to <a href="https://medium.com/@0x4d31/rdp-client-fingerprinting-9e7ac219f7f4">Adel’s blog post</a> for additional details and examples of ways to leverage RDP fingerprinting on the network.<br/></p>
<p><b>Conclusion</b><br/></p>
<p>Zeek RDFP extends network visibility into client software configurations. Analysts can apply logic and detection techniques to these extended fields. 
Analysts and engineers can also apply anomaly detection and other algorithms to them to profile hosts and alert on suspicious network patterns.<br/></p>
<p>Please share your questions and suggestions by <a href="https://github.com/theparanoids/rdfp/issues">filing an issue on Github</a>.</p>
<p><b>Additional Reading</b><br/></p>
<ul><li>John B. Althouse, Jeff Atkinson and Josh Atkins, “<a href="https://github.com/salesforce/ja3">JA3 — a method for profiling SSL/TLS clients</a>”</li><li>Ben Reardon and Adel Karimi, “<a href="https://github.com/salesforce/hassh">HASSH — a profiling method for SSH clients and servers</a>”</li><li>Microsoft Corporation, “<a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5073f4ed-1e93-45e1-b039-6e30c385867c">[MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting</a>”</li><li>Adel Karimi, “<a href="https://github.com/0x4D31/fatt">Fingerprint All the Things!</a>”</li><li>Matt Bromiley and Aaron Soto, “<a href="https://medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef">What Happens Before Hello?</a>”</li><li>John Althouse, “<a href="https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967">TLS Fingerprinting with JA3 and JA3S</a>”</li><li><a href="https://zeek.org/2020/06/15/zeek-package-contest-zpc-2-winners-announced/">Zeek Package Contest</a> 3rd Place Winner</li></ul>
<p><b>Acknowledgments</b><br/></p>
<p>Special thanks to Adel, #JA3, #HASSH, and W for reminding me there’s always more on the wire.<br/></p>
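<p>The following is an added worked example for the Technical Details section above; it is not the rdfp.zeek script or FATT’s code. It parses the four client data blocks (TS_UD_CS_CORE, TS_UD_CS_CLUSTER, TS_UD_CS_SECURITY, TS_UD_CS_NET) in the wire layout given by [MS-RDPBCGR], pulls out exactly the fields the post lists, and hashes them in the order md5(verMajor;verMinor;clusterFlags;encryptionMethods;extEncMethods;channelDef). The function names, the way the channel definitions are joined (name:options in hex, comma separated), the decimal rendering of the other fields, and the sample Connect Initial bytes are all assumptions made for this example; the real script’s exact serialization may differ, so the hash values here are not comparable to rdfp.log output.</p>

```python
# Added example, not the rdfp.zeek script: parse RDP client data blocks from an
# MCS Connect Initial PDU and derive an RDFP-style MD5 fingerprint.
import hashlib
import struct

# TS_UD_HEADER type values, [MS-RDPBCGR] 2.2.1.3.1
CS_CORE = 0xC001
CS_SECURITY = 0xC002
CS_NET = 0xC003
CS_CLUSTER = 0xC004

# TS_UD_CS_CLUSTER single-bit flags, [MS-RDPBCGR] 2.2.1.3.5
CLUSTER_FLAG_NAMES = {
    0x01: "REDIRECTION_SUPPORTED",
    0x02: "REDIRECTED_SESSIONID_FIELD_VALID",
    0x40: "REDIRECTED_SMARTCARD",
}


def iter_client_data_blocks(data):
    """Yield (type, body) for every TS_UD_HEADER-prefixed block in data."""
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        # blen includes the 4-byte header; a short or overlong block is a
        # malformed (or hostile) client and must not be silently skipped.
        if blen < 4 or off + blen > len(data):
            raise ValueError(f"malformed TS_UD block at offset {off}")
        yield btype, data[off + 4:off + blen]
        off += blen


def parse_client_data(data):
    """Extract only the fields RDFP hashes; the rest of each block is ignored."""
    f = {"ver_major": None, "ver_minor": None, "cluster_flags": None,
         "encryption_methods": None, "ext_encryption_methods": None, "channels": []}
    for btype, body in iter_client_data_blocks(data):
        if btype == CS_CORE:
            # version is one little-endian DWORD: minor in the low word, major in the high word
            f["ver_minor"], f["ver_major"] = struct.unpack_from("<HH", body, 0)
        elif btype == CS_CLUSTER:
            f["cluster_flags"] = struct.unpack_from("<I", body, 0)[0]
        elif btype == CS_SECURITY:
            f["encryption_methods"], f["ext_encryption_methods"] = struct.unpack_from("<II", body, 0)
        elif btype == CS_NET:
            count = struct.unpack_from("<I", body, 0)[0]
            for i in range(count):
                # CHANNEL_DEF: 8-byte NUL-padded ANSI name followed by 4-byte options
                name, opts = struct.unpack_from("<8sI", body, 4 + 12 * i)
                f["channels"].append((name.rstrip(b"\0").decode("ascii", "replace"), opts))
    return f


def cluster_flag_names(flags):
    """Readable view of the cluster flags; the redirection version lives in bits 2-5."""
    names = [n for bit, n in CLUSTER_FLAG_NAMES.items() if flags & bit]
    names.append(f"REDIRECTION_VERSION{((flags & 0x3C) >> 2) + 1}")
    return names


def rdfp_string(f):
    # Assumed serialization: post gives only the field order and ';' separator.
    chans = ",".join(f"{name}:{opts:08x}" for name, opts in f["channels"])
    head = ";".join(str(x) for x in (f["ver_major"], f["ver_minor"], f["cluster_flags"],
                                     f["encryption_methods"], f["ext_encryption_methods"]))
    return head + ";" + chans


def rdfp_hash(data):
    return hashlib.md5(rdfp_string(parse_client_data(data)).encode()).hexdigest()


def is_well_formed(data):
    try:
        list(iter_client_data_blocks(data))
        return True
    except ValueError:
        return False


def _block(btype, body):
    return struct.pack("<HH", btype, 4 + len(body)) + body


def build_sample(channels=None, encryption_methods=0x1B):
    """Constructed client data resembling an mstsc.exe Connect Initial (not a capture)."""
    if channels is None:
        channels = [("rdpdr", 0x80800000), ("rdpsnd", 0xC0000000),
                    ("drdynvc", 0xC0800000), ("cliprdr", 0xC0A00000)]
    core = (struct.pack("<I", 0x00080004)                      # major 8, minor 4
            + struct.pack("<HHHH", 1024, 768, 0xCA01, 0xAA03)  # width, height, colorDepth, SAS
            + struct.pack("<II", 0x0409, 18363)                # keyboardLayout, clientBuild
            + "WORKSTN".encode("utf-16-le").ljust(32, b"\0")   # clientName
            + struct.pack("<III", 4, 0, 12)                    # keyboard type/subtype/fn keys
            + bytes(64))                                       # imeFileName
    cluster = struct.pack("<II", 0x0D, 0)                      # REDIRECTION_SUPPORTED, version 4
    sec = struct.pack("<II", encryption_methods, 0)            # 0x1B = 40/128/56-bit + FIPS
    net = struct.pack("<I", len(channels)) + b"".join(
        struct.pack("<8sI", n.encode("ascii"), o) for n, o in channels)
    return (_block(CS_CORE, core) + _block(CS_CLUSTER, cluster)
            + _block(CS_SECURITY, sec) + _block(CS_NET, net))


if __name__ == "__main__":
    sample = build_sample()
    fields = parse_client_data(sample)
    print(rdfp_string(fields))
    print("cluster flags:", cluster_flag_names(fields["cluster_flags"]))
    print("rdfp_hash:", rdfp_hash(sample))
```

<p>Dropping a channel or changing the advertised encryption methods changes the hash, which is the property a fingerprint needs: two clients that present the same versions, flags and channel list collide, anything else does not. The length check in the block iterator is deliberate; a parser that tolerates a bad TS_UD length can be steered past the blocks you care about by a client that wants to avoid being profiled.</p>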