Detect suspicious processes running on hidden desktops

With ransomware campaigns continuing to grow, they remain top of mind for security leaders. Across these sophisticated cyberattacks, the use of () compromise has reached record levels, making it even more critical to provide analysts with full visibility into potentially malicious RDP session use.  


That's why today we are excited to announce a new way to identify potentially compromised devices in your organization via the new ‘DesktopName' field in for Endpoint, which enables analysts to easily detect, investigate, and hunt for suspicious interactive process executed on so called ‘hidden desktops'.  


The importance to RDP 
A remote desktop session over RDP () provides users with access to connect remotely to endpoints and is often leveraged as the entry point for attackers to access a target machine. RDP however, introduces some undesirable disadvantages for the attacker.  
For example, Windows by default only allows for a single remote RDP session which can cause detectable friction as both the legitimate user and the attacker begin vying for interactivity on the same device. To mitigate this, attackers may opt for other Remote Monitoring and Management (RMM) approaches as described in the examples below. 


Approach A: Windows Stations and ‘hidden desktops' 
The first approach involves attackers leveraging the creation of additional ‘hidden desktop' objects to effectively obtain interactive control, separate from the interfaces displayed on—for example the current active desktop that the user is physically working with. With this method, a legitimate user will continue to interact with their machine, unaware of the attacker's presence in the background.  

For this exploit, attackers focus on a Windows user session that can be assigned with multiple Windows Station objects. Amongst the Windows Station objects, only one can be interactive per session and as such, most services that use other Window Stations are not interactive. Each Windows Station object can contain multiple desktop objects, which when contained within the interactive Window Station object, can display a GUI (Graphical User Interface). It is this interactive GUI where the hidden desktop exploit takes place.  

There are other tangential advantages for the attacker using this technique, for example, the clipboard in the Window Station context that is shared by all Desktops contained within that Window Station. 


Approach B: The hVNC technique 


Hidden virtual computing or hVNC is a variant of standard VNC (virtual computing) but uses a feature in Windows which allows for multiple interactive desktops to exist simultaneously in a single user session. The hVNC technique enables attackers to remotely control events on the targeted device by opening a hidden instance as a virtual desktop—in parallel to the user's existing session—before wiping any trace of activity by creating a new Windows desktop in place.  
The hVNC technique is commoditized and has been observed in Advanced Persistent Threat campaigns and commodity malware alike—for instance, Cobalt Strike Beacon Object Files leveraging this technique are also readily available. 

While there are many legitimate use cases for hidden desktops that can aid productivity, the two use cases above outline how attackers can potentially abuse them as well. That's why the ability to detect the use of hidden desktops in fully understand a threat campaign can be critical to trace an adversary's steps and ensure they are fully removed from the system.


Advanced Detection with for Endpoint 


Figures 1 and 2 showcase these new detection capabilities in for Endpoint, where an adversary is running an interactive powsershell.exe instance on a hidden desktop. 
Defender for Endpoint has detected the anomalous nature of this execution and raised an alert.

Alert Page Process TreeAlert Page Process Tree

Device TimelineDevice Timeline

The context is also available in Advanced Hunting for custom detection and investigation purposes. 

An Advanced Hunting query can be used to display all instances of a specific process that is run on a Desktop that could be irregular.  We see in the example below, the discovery of an instance of msedge executing suspiciously:  


| where Timestamp > ago(1d)

| where FileName == “msedge.exe”

| extend DesktopName = tolower(todynamic(AdditionalFields).DesktopName)

| where isnotempty(DesktopName)

| where DesktopName != “winsta0default”  // Ignore instances on primary interactive desktop

    and DesktopName !has “sbox”            // Filter out sandbox processes

| project Timestamp, FileName, DesktopName, ProcessCommandLine

| order by Timestamp desc  

Advanced Hunting QueryAdvanced Hunting Query

Comprehensive endpoint security 
The ability to identify malicious use of hidden desktops in Defender for Endpoint gives admins more granular visibility and control over the detection, investigation, and hunting in unique edge cases, and helps them stay one step ahead of the evolving threat landscape. 


For more information:  

Learn more about the hVNC technique:


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.