
Microsoft details how to detect compromised devices in your organization

Microsoft detects infected devices

Microsoft has announced a new way to detect potentially compromised machines in your organization.

Analysts can now easily identify, investigate, and search for suspicious interactive processes running on “hidden desktops” using the “DesktopName” field in Defender for Endpoint.

Today, Remote Desktop Protocol (RDP) usage is at an all-time high and ransomware operations continue to expand, making it even more important to provide analysts with full visibility into potentially malicious RDP session activity.

Because Defender for Endpoint can identify malicious use of hidden desktops, administrators can stay ahead of the ever-evolving threat landscape.

Remote Desktop Protocol (RDP) abuse overview.

Windows Stations and “hidden desktops”

By default, client editions of Windows allow only one interactive session at a time, so an attacker who connects over RDP disconnects the console user (or is disconnected by them). That conflict is immediately noticeable to the authorized user, which is why attackers look for ways to act interactively on the device without taking over the session the user can see.


One way around that limitation is to create additional desktop objects, the so-called “hidden desktops”, and run interactive programs on them. Whatever the attacker does there is never drawn on the desktop the user is currently looking at, so the attacker gains interactive control regardless of what is displayed on the active desktop.

According to Microsoft, the legitimate user can therefore remain unaware that an attacker is using the computer in the background while the user keeps working on the visible desktop.

The object model being abused is the Windows session. A session can contain several window stations, but only one of them (WinSta0) can be interactive; services run in other, non-interactive window stations. WinSta0 in turn contains one or more desktops, normally Default, Winlogon and Screen-saver, and only one desktop at a time receives keyboard and mouse input and is drawn on screen. An attacker who creates an extra desktop inside WinSta0 gets a place to run interactive processes that the user never sees.

hVNC technique

Hidden virtual network computing (hVNC) is a variant of virtual network computing (VNC) that abuses the Windows feature allowing multiple desktops to exist inside the interactive window station of a single user session.

The hVNC approach lets attackers remotely control the target device by opening a hidden desktop, effectively a second virtual desktop running in parallel with the user’s current one, and interacting with it over the VNC channel.

Because the new desktop is never switched to the foreground, nothing the attacker does on it appears on the user’s screen. The activity is hidden from the user, not from the operating system: the processes still run in the user’s session and still show up in endpoint telemetry, which is what the new field builds on.

Detection with Defender for Endpoint

In Microsoft’s example, an attacker uses a hidden desktop to launch an interactive instance of powershell.exe. Defender for Endpoint now records the desktop a process was started on in the DesktopName field, so a PowerShell process whose desktop is not one of the standard ones stands out immediately.

Defender for Endpoint flags the execution as unusual

According to Microsoft, an Advanced Hunting query on that field can surface every instance of a given process running on a desktop other than the standard ones, which is exactly the condition a hidden-desktop tool creates.
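The hunting query below is an added example written for this article, not Microsoft’s own published query. It assumes that the DesktopName value is exposed as a JSON key inside the AdditionalFields column of DeviceProcessEvents and that the ordinary interactive desktop is reported as Default (possibly prefixed with WinSta0\); confirm both against one real event in your tenant before trusting the results. The list of interactive binaries is an assumption as well, to be widened or narrowed to what is normal in your environment.

```kql
// Added example, not Microsoft's query. Assumes DesktopName is stored as JSON in
// DeviceProcessEvents.AdditionalFields; verify on one real event first.
// Desktops every interactive session has; anything else deserves a look.
let KnownDesktops = dynamic([
    "Default", "Winlogon", "Screen-saver",
    @"WinSta0\Default", @"WinSta0\Winlogon", @"WinSta0\Screen-saver"]);
// Binaries an attacker typically drives by hand on a hidden desktop (assumed list).
let InteractiveBinaries = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe",
    "mstsc.exe", "rundll32.exe", "mshta.exe", "wscript.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| extend DesktopName = tostring(parse_json(AdditionalFields).DesktopName)
// Events with no desktop recorded are non-interactive (services) or predate the field.
| where isnotempty(DesktopName)
// Case-insensitive "not in" so WinSta0\default and WinSta0\Default are treated alike.
| where DesktopName !in~ (KnownDesktops)
| where FileName in~ (InteractiveBinaries)
| project Timestamp, DeviceName, AccountName, DesktopName, FileName,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessId, ReportId
| order by Timestamp desc
```

Run a plain `summarize count() by DesktopName` over the same table first: it shows which names your fleet actually reports and whether any legitimate software (some kiosk, screen-lock or secure-input tools create their own desktop) needs to be added to the allow list. On a hit, pivot on DeviceName and InitiatingProcessFileName: the parent that created the desktop and launched the shell is usually the hVNC implant itself.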

Detecting a suspicious process

With the DesktopName field, administrators get finer-grained visibility into detection, investigation and hunting for this specific edge case, and a concrete signal for spotting hidden-desktop abuse before it grows into a full RDP-style takeover.
