Investigating HVNC Attacks

Hidden VNC (HVNC) attacks are not new; in 2015 Marcus Hutchins wrote this post.

What is this all about? You can programmatically create multiple desktops in Windows by calling the CreateDesktopA API. A desktop is a securable kernel object that contains, for example, the windows of applications (more info here). Chrome, for example, uses a separate desktop for its sandbox (and so does Edge now):

Do not confuse these desktop kernel objects with the virtual desktops you can create in your Windows session:

(https://github.com/MScholtes/PSVirtualDesktop)

When working with a separate desktop, an attacker can execute code on a victim’s machine hidden from the user. That doesn’t sound very exciting or new, but let us have a look at the level of comfort this brings for the attacker.

Let’s take an example

There are a few code examples you can find on GitHub. Usually you need to fix some C++ code and then compile your own version. These tools consist of a client and a server. In this case you need to provide a port number when starting the server on the attacker’s machine:

If you now execute client.exe on the target machine, an empty window opens on the server, from which you can then start predefined programs:

This PowerShell process runs on the victim’s machine without their knowledge, in the context of the logged-on user but on a different desktop. Comparing a user-initiated and a remotely initiated PowerShell process:

If you paid attention to the desktop name associated with the PowerShell process above, you will find that our malware sample here is messing with the same desktop:

Detection Possibilities

What is suspicious here?

  1. The obvious: we have an exe with a bad or no reputation.
  2. This exe is talking to IP addresses on the Internet (not that suspicious on its own, but it is in correlation with other events).
  3. If we search in Process Explorer for the desktop created by our client.exe, we also find other software (powershell.exe) running on that desktop (see screenshot below). To my knowledge this data is not exposed in the telemetry of MDE, so we cannot build detection rules on it. However, I hope the actual EDR engine is dealing with this kind of information.
  4. Instead of relying on the missing telemetry, we can look for executables that create well-known processes like PowerShell, explorer, iexplore etc.
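Item 3 can at least be checked locally on a suspect host. The following PowerShell script is an added example and not code from the original post: it enumerates the desktops of the current window station via the Win32 APIs EnumDesktops, OpenDesktop and EnumDesktopWindows, maps the processes that own top-level windows on each desktop, and flags interactive tools (the list of names is an assumption based on the post) that run on any desktop other than "Default". Desktops that belong to other users or sessions, such as Winlogon, cannot be opened by a standard user and are skipped with a warning.

```powershell
# Added example (not code from the original post): map processes to the desktop
# their top-level windows live on, the data the post says MDE telemetry lacks.
if (-not ('DesktopApi' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class DesktopApi {
    public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess);
    [DllImport("user32.dll")]
    public static extern bool EnumDesktopWindows(IntPtr hDesktop, EnumWindowsProc lpfn, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    public const uint DESKTOP_READOBJECTS = 0x0001;   // required by EnumDesktopWindows
    public const uint DESKTOP_ENUMERATE   = 0x0040;
}
"@
}

function Get-DesktopProcessMap {
    # Interactive tools an HVNC operator typically launches on the hidden desktop (assumption).
    $InteractiveTools = @('powershell', 'pwsh', 'cmd', 'explorer', 'iexplore')

    # 1. Collect the names of all desktops in the window station this script runs in.
    $desktopNames = New-Object System.Collections.Generic.List[string]
    $onDesktop = [DesktopApi+EnumDesktopProc]{ param($name, $lParam) $desktopNames.Add($name); $true }
    if (-not [DesktopApi]::EnumDesktops([DesktopApi]::GetProcessWindowStation(), $onDesktop, [IntPtr]::Zero)) {
        throw 'EnumDesktops failed'
    }

    foreach ($name in $desktopNames) {
        $hDesk = [DesktopApi]::OpenDesktop($name, 0, $false,
                  ([DesktopApi]::DESKTOP_READOBJECTS -bor [DesktopApi]::DESKTOP_ENUMERATE))
        if ($hDesk -eq [IntPtr]::Zero) {
            # Desktops of other users/sessions (e.g. Winlogon) cannot be opened by a standard user.
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "Cannot open desktop '$name' (Win32 error $err)"
            continue
        }

        # 2. Walk the top-level windows on this desktop and record the owning process IDs.
        $pids = New-Object System.Collections.Generic.HashSet[uint32]
        $onWindow = [DesktopApi+EnumWindowsProc]{ param($hWnd, $lParam)
            $ownerPid = [uint32]0
            [void][DesktopApi]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            [void]$pids.Add($ownerPid)
            $true
        }
        [void][DesktopApi]::EnumDesktopWindows($hDesk, $onWindow, [IntPtr]::Zero)
        [void][DesktopApi]::CloseDesktop($hDesk)

        # 3. Emit one record per (desktop, process); flag interactive tools outside "Default".
        foreach ($ownerPid in $pids) {
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '<exited>' }
            [pscustomobject]@{
                Desktop    = $name
                PID        = $ownerPid
                Process    = $procName
                Suspicious = ($name -ne 'Default' -and $procName -in $InteractiveTools)
            }
        }
    }
}

# Usage: show every process that owns a window outside the normal interactive desktop.
Get-DesktopProcessMap | Where-Object { $_.Desktop -ne 'Default' } | Format-Table -AutoSize
```

Run it in the same user session the suspect process runs in: a desktop created by malware running as that user is normally accessible to the user, whereas system desktops are not, so access errors on "Winlogon" are expected and not a finding. Only processes that own at least one top-level window show up; a process with no windows at all is not bound to any desktop in this view.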

Transforming list items 2 and 4 into KQL, we can do something like this:

Sure enough, client.exe is in the results:

In environments bigger than my lab you can of course expect more false positives with that, so we need to narrow this down with list item 1:

Which then leads to a fairly good result:
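The three-step hunt described above (items 2 and 4 joined, then narrowed by item 1), written out as an added example and not the post's own query: the KQL is embedded in a PowerShell function that submits it to Microsoft Defender advanced hunting through the Microsoft Graph runHuntingQuery endpoint. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in identity holds the ThreatHunting.Read.All permission; the parent-process allow list and the prevalence threshold are starting points to tune for your environment, not vetted values.

```powershell
# Added example (not code from the original post): items 2, 4 and 1 as one KQL hunt,
# submitted to advanced hunting via Microsoft Graph. Allow list and threshold are assumptions.
$huntQuery = @'
// Item 4: executables that spawn interactive tools such as PowerShell, explorer or iexplore.
let spawners = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe", "iexplore.exe")
// Parents that legitimately start these all day long (tune for your environment).
| where InitiatingProcessFileName !in~ ("explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
        "services.exe", "svchost.exe", "userinit.exe", "winlogon.exe", "windowsterminal.exe", "code.exe")
| summarize Spawned = make_set(FileName), SpawnCount = count()
    by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA1;
// Item 2: the same executable talks to public IP addresses.
let talkers = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| summarize RemoteIPs = make_set(RemoteIP, 20) by DeviceId, InitiatingProcessSHA1;
spawners
| join kind=inner talkers on DeviceId, InitiatingProcessSHA1
// Item 1: keep only binaries with little or no reputation, using the FileProfile enrichment.
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where isempty(Signer) or GlobalPrevalence < 50
| project DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA1,
          Spawned, SpawnCount, RemoteIPs, Signer, GlobalPrevalence
'@

function Invoke-HvncHunt {
    param([string]$Query = $huntQuery)
    Connect-MgGraph -Scopes 'ThreatHunting.Read.All'
    # POST /security/runHuntingQuery answers with { schema: [...], results: [...] }.
    $response = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body @{ Query = $Query }
    # Each result row arrives as a hashtable; turn it into an object for the pipeline.
    foreach ($row in $response.results) { [pscustomobject]$row }
}

# Usage: list the candidates, most useful columns first.
Invoke-HvncHunt | Format-Table DeviceName, InitiatingProcessFileName, SpawnCount, GlobalPrevalence, Signer -AutoSize
```

The join on InitiatingProcessSHA1 rather than on the process ID is deliberate: PIDs are reused, while the hash ties the network activity to the same binary that spawned the shells. The reputation step is the last one on purpose, because FileProfile enrichment is limited to a bounded number of rows per query, so it is applied to the already reduced candidate set.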

Conclusion

Attacks like these are well known to EDR providers like Microsoft and, in addition, are very noisy. From an attacker’s perspective, many security countermeasures have to be bypassed upfront to be able to run such an attack. Once the attacker has established an HVNC channel to the victim’s machine, however, this is an extremely comfortable way of proceeding further. The attacker can either use the victim’s machine to pivot further into the network or cloud, or steal access tokens that contain everything needed to establish a session from their own computers, even if those are not compliant.

With attacks like these, attackers are not bound to a certain set of commands from their C2 framework but can enjoy the full comfort a modern Windows desktop offers; they can even start their own explorer session.

You see, it is necessary to do everything possible to prevent the execution of such tools in the first place.
