I came across an event on one of my Windows servers:
Machine ABC has a successful incoming RDP connection from 192.168.0.16,
but the IP of machine ABC is also 192.168.0.16.
Is it even possible that a machine can RDP into itself?
Any leads as to how this can happen or what could have led to such an event?

It should be concerning if you, or another admin, didn't actually use an RDP session; if you did, then what was the real address of the connecting machine? – Shōgun8 May 23 '21 at 16:34
**Is it even possible that a machine can RDP into itself?** - Yes. – joeqwerty May 23 '21 at 17:34
@Shōgun8 We did not initiate the RDP connection, I suspect that the machine is compromised. Got some info on this link (https://security.stackexchange.com/questions/211768/windows-rdp-logging-into-itself) - trying to identify the mechanism used here. – Sachin May 24 '21 at 03:55
@joeqwerty thanks, could you please elaborate or point me towards articles that gives further details on why someone would setup and use such a connection? – Sachin May 24 '21 at 03:59
I have no idea why someone would setup and use such a connection. My point is that it is possible. You'll have to investigate it. – joeqwerty May 24 '21 at 04:22
1 Answer
Well, it's definitely not something one would intentionally do, since it serves no purpose. The only reason that would make sense is if you wanted to hide your remote network address and connect via some sort of proxy that's running on that machine.
Here is what I would do in your situation:
Install Sysinternals Sysmon and configure it to log all outgoing network connections, which is Event ID 3. This will ensure that any process that opens a TCP connection will be logged. This obviously won't work retroactively, but it will work the next time it happens. Generally speaking, I would recommend running Sysmon on all machines that are somewhat critical for security.
Run "netstat -ab -p TCP" and see if there are any suspicious processes running and listening for incoming connections.
Make sure that you have proper auditing set up on that machine so that you can potentially investigate activity. For example: https://system32.eventsentry.com/security/auditing_for_everyone.
NetFlow is something I would also consider activating and collecting. Otherwise you have no clue what's entering and/or leaving your network. If you had NetFlow data, you could correlate network traffic with the RDP events you mentioned.
I would consider installing 3rd party tools as well. EventSentry integrates with Sysmon and can really help with reporting, and also shows you processes listening for network connections. It also flags suspicious IPs if you use the NetFlow feature. You can just download the trial, no need to purchase (and it's cheap for a single host).
I think that should get you on the right track ...

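The first two steps of the answer above (log outgoing connections with Sysmon Event ID 3, then look at listening processes the way `netstat -ab -p TCP` does), as an added PowerShell example that is not code from the answer's author. It assumes Sysmon is installed with `sysmon64.exe` on the PATH and writing to the `Microsoft-Windows-Sysmon/Operational` log; `$ConfigPath`, the function names, and the two sample Event ID 3 records at the bottom are hypothetical/constructed so the correlation can be run offline. The idea is to match outbound connections whose destination is port 3389 on one of the host's own addresses, which is exactly the process that "RDPs into itself" in the question.

```powershell
# Added example, not code from the answer's author. Assumes Sysmon is installed
# (sysmon64.exe on PATH) and writes to the Microsoft-Windows-Sysmon/Operational
# log; $ConfigPath and the sample events below are hypothetical/constructed.

$ConfigPath = 'C:\Sysmon\netconn.xml'   # hypothetical location

# Minimal Sysmon config: an empty "exclude" filter for NetworkConnect means
# nothing is excluded, so every outgoing connection is logged as Event ID 3.
$SysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <NetworkConnect onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@

function Install-SysmonNetConnLogging {
    Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding ASCII
    & sysmon64.exe -accepteula -i $ConfigPath   # use -c to update an existing install
}

# Turn the XML of one Sysmon Event ID 3 record into a flat object.
function ConvertFrom-SysmonNetConn([string]$EventXml) {
    $x = [xml]$EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        UtcTime         = $d.UtcTime
        Image           = $d.Image
        ProcessId       = [int]$d.ProcessId
        SourceIp        = $d.SourceIp
        SourcePort      = [int]$d.SourcePort
        DestinationIp   = $d.DestinationIp
        DestinationPort = [int]$d.DestinationPort
    }
}

# Keep only outbound connections to RDP (3389) whose destination is one of
# this host's own addresses: that is the process that "RDPs into itself".
function Find-SelfRdpConnections($Events, [string[]]$LocalIps) {
    $Events | Where-Object {
        $_.DestinationPort -eq 3389 -and $LocalIps -contains $_.DestinationIp
    }
}

# Live query: last 5000 Event ID 3 records, correlated against this host's IPs.
function Get-LiveSelfRdpConnections {
    $local = @('127.0.0.1') + (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } -MaxEvents 5000 |
        ForEach-Object { ConvertFrom-SysmonNetConn $_.ToXml() }
    Find-SelfRdpConnections -Events $events -LocalIps $local
}

# PowerShell equivalent of "netstat -ab -p TCP": listening TCP sockets with
# the owning process name and path.
function Get-ListeningTcpProcesses {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
            Pid = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
        }
    }
}

# --- Constructed sample data so the correlation can be exercised offline ---
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
  # benign: a browser talking to a web server
  "<Event xmlns='$ns'><EventData><Data Name='UtcTime'>2021-05-23 16:01:02.000</Data><Data Name='Image'>C:\Program Files\Browser\browser.exe</Data><Data Name='ProcessId'>4120</Data><Data Name='SourceIp'>192.168.0.16</Data><Data Name='SourcePort'>51000</Data><Data Name='DestinationIp'>93.184.216.34</Data><Data Name='DestinationPort'>443</Data></EventData></Event>",
  # suspicious (hypothetical): a process on the host connecting to the host's own RDP port
  "<Event xmlns='$ns'><EventData><Data Name='UtcTime'>2021-05-23 16:05:09.000</Data><Data Name='Image'>C:\Users\Public\relay.exe</Data><Data Name='ProcessId'>6632</Data><Data Name='SourceIp'>192.168.0.16</Data><Data Name='SourcePort'>51234</Data><Data Name='DestinationIp'>192.168.0.16</Data><Data Name='DestinationPort'>3389</Data></EventData></Event>"
)
$parsed = $sample | ForEach-Object { ConvertFrom-SysmonNetConn $_ }
Find-SelfRdpConnections -Events $parsed -LocalIps @('127.0.0.1', '192.168.0.16') |
    Format-Table UtcTime, Image, ProcessId, SourceIp, SourcePort, DestinationIp, DestinationPort
```

On the constructed data only the second record is returned, giving the image path and PID of the process that opened the loopback RDP session; on a live host, run `Get-LiveSelfRdpConnections` after the next occurrence and pair the PID with `Get-ListeningTcpProcesses` to see whether the same binary is also listening (the proxy pattern the answer describes). Logging every connection is noisy on a busy server, so once the culprit is found it is reasonable to narrow the `NetworkConnect` filter to `onmatch="include"` rules for the ports of interest.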