Cool Audit

Spotting Potentially Hacked Machines

Microsoft has announced a new way to spot potentially hacked machines in your organization.

Analysts may now easily identify, examine, and search for suspicious interactive processes running on “hidden desktops” using Defender for Endpoint’s “DesktopName” field.

Abuse of compromised remote desktop protocol (RDP) access has reached record highs, and ransomware operations continue to expand, which makes it even more important to give analysts complete visibility into potentially malicious RDP session activity.

Because Defender for Endpoint can identify malicious use of hidden desktops, administrators can stay ahead of the constantly evolving threat landscape.

Overview Of Remote Desktop Protocol (RDP) Compromise

Window Stations And ‘Hidden Desktops’

By default, Windows typically permits only one remote RDP session, which can lead to noticeable conflict when the attacker and the authorized user compete for control of the same device.

In the first method, attackers create additional “hidden desktop” objects to gain interactive control independently of the interface shown on the active desktop the user is currently working on.

According to Microsoft, this technique leaves the legitimate user unaware that the attacker is using their computer in the background while they continue to interact with it.

To carry out this attack, attackers take advantage of the fact that a Windows user session can hold several Window Station objects. Because only one Window Station may be interactive at a time, most services that use other Window Stations are non-interactive.

The hVNC Technique

Hidden virtual network computing (hVNC) is a variant of virtual network computing (VNC) that abuses a Windows feature permitting multiple interactive desktops within a single user session.

The hVNC approach lets attackers remotely control the targeted device by opening a hidden instance as a virtual desktop that runs in parallel to the user’s current session.

Because the activity takes place on a newly created Windows desktop, its traces stay out of the user’s view.

Detection With Defender For Endpoint

With Defender for Endpoint’s enhanced detection capabilities, analysts can see when an attacker uses a hidden desktop to execute an interactive PowerShell.exe instance.

According to Microsoft, an Advanced Hunting query can surface every instance of a particular process that is running on a desktop whose name is not one of the expected ones.
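An added hunting query of the kind described above (written for this page, not taken from Microsoft’s announcement). It assumes the “DesktopName” field named in the article is a column of the DeviceProcessEvents table, and that the three default WinSta0 desktop names listed are the only benign ones in the environment:

```kql
// Added example: interactive tools launched on a non-default desktop.
// Assumption: DesktopName is a column of DeviceProcessEvents (the article
// only names the field). Adjust the allow-list to your environment.
let KnownDesktops = dynamic([
    @"WinSta0\Default",     // the user's normal interactive desktop
    @"WinSta0\Winlogon",    // secure desktop (logon screen, UAC prompts)
    @"WinSta0\Disconnect"   // shown while an RDP session is disconnected
]);
// Processes an operator would drive by hand on a hidden desktop
let InteractiveTools = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where isnotempty(DesktopName)
| where FileName in~ (InteractiveTools)
| where DesktopName !in~ (KnownDesktops)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Launches = count(),
    SampleCommandLine = take_any(ProcessCommandLine)
  by DeviceName, AccountName, DesktopName, FileName, InitiatingProcessFileName
| order by Launches desc
```

Hits on a desktop name you do not recognise (for example a randomly named desktop under WinSta0) are the cases worth pivoting on: check the parent process, the logon session and whether an RDP connection was active at the time.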

Hence, Defender for Endpoint’s ability to detect malicious use of hidden desktops helps admins keep ahead of the ever-changing threat landscape.

This feature gives admins more detailed visibility and control over detection, investigation, and hunting in these specific edge cases.