Microsoft Unveils Ways To Detect Compromised Devices In Your Organization

Microsoft has announced a new way to spot potentially hacked machines in your organization. 

Analysts may now easily identify, examine, and search for suspicious interactive processes running on “hidden desktops” using Defender for Endpoint’s “DesktopName” field.  


These days, remote desktop protocol (RDP) compromise usage has reached record highs, and ransomware operations are still expanding, making it even more crucial to give analysts complete visibility into potentially malicious RDP session activity.

Because Defender for Endpoint can identify malicious use of hidden desktops, administrators can stay ahead of the constantly evolving threat landscape. 

Overview Of Remote Desktop Protocol (RDP) Compromise

Windows Stations And ‘hidden desktops’ 

Typically, windows only permit one remote RDP session by default, which might lead to noticeable conflict when the attacker and the authorized user compete for interaction on the same device.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

In the first method, attackers take advantage of the emergence of additional “hidden desktop” objects to get interactive control independently of the interfaces shown on, say, the active desktop that the user is now using.

According to Microsoft, this technique allows a legitimate user to be unaware that the attacker is using their computer in the background as they continue to communicate with it.  

Attackers target a Windows user session that can be assigned with several Windows Station objects to carry out this hack. As only one Windows Station object may be interactive at a time, most services that use other Window Stations are not interactive. 

The hVNC Technique

Hidden virtual network computing, or hVNC, is a type of virtual network computing (VNC) that uses a Windows feature that permits the existence of numerous interactive desktops in a single user session. 

The hVNC approach allows attackers to remotely manage events on the targeted device by opening a hidden instance as a virtual desktop in parallel to the user’s current session. 

After that, any activity traces are removed by creating a new Windows desktop.  

Detection With Defender For Endpoint 

Defender for Endpoint’s enhanced detection capabilities, an attacker uses a hidden desktop to execute an interactive Powsershell.exe instance.

Defender for Endpoint identifies the execution was unusual

According to Microsoft, you can use an Advanced Hunting query to see every instance of a particular process that is running on a desktop computer that might be abnormal.

Detecting suspicious process

Hence, admins can keep ahead of the ever-changing threat landscape with Defender for Endpoint’s capability to detect malicious use of hidden desktops. 

This feature offers admins more detailed visibility and control over detection, investigation, and hunting in specific edge instances.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.