"the outbound port 3389 and then exfil interesting files using pyrdp instead of running enumeration code from my malicious windows server. for more information on the rogue rdp technique, keep an eye out for my wild west hacking fest presentation called “socially acceptable ways …"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1021.001 Remote Desktop Protocol (98%)
"rdp file will need to connect to a server that we control, so that we can interact with the client. most windows servers that have rdp enabled on the internet will not last long before being inundated by threat actors trying to brute force access. to curb this behavior, i suggest…"
T1021.001 Remote Desktop Protocol (98%)
"rogue rdp – revisiting initial access methods. mike felch // the hunt for initial access. with the default disablement of vba macros originating from the internet, microsoft may be pitching a curveball to threat actors and red teams th…"
T1021.001 Remote Desktop Protocol (96%)
"block .rdp extensions for email - properly configure the gpo to prevent redirection. group policy settings: computer configuration\administrative templates\windows components\remote desktop services\remote desktop session host. also, consider the methods in which an .rdp fil…"
T1021.001 Remote Desktop Protocol (96%)
"-blog/changes-to-file-types-blocked-in-outlook-on-the-web/ba-p/874451 weaponizing .rdp files. next, i needed to determine what i could leverage within an .rdp file for initial access. since the standard executable is microsoft terminal services client (…"
T1021.001 Remote Desktop Protocol (91%)
"…irection via the client printer name due to control code dispatching. advanced rdp tactics: one cool technique is the ability to monitor and/or plant clipboard contents. when i was working through some testing, i was executing the .rdp file from within a windows virtual machin…"
T1021.001 Remote Desktop Protocol (84%)
", monitoring the clipboard, and even cloning certificates. i will spare you the implementation details, but if you look at the above image, you will notice numerous protocols, authentication layers, and device redirections that had to be implemented. the protocols include 128-b…"
T1059.001 PowerShell (55%)
"registered within windows and their corresponding programs that would launch when executed. to do this, i generated a grid of extensions, file types, and their executable using powershell with the ftype and assoc built-in commands. additionally, i also generated a file with eac…"
T1021.001 Remote Desktop Protocol (51%)
"the certificate store and sign the .rdp file using a built-in windows utility called rdpsign.exe. there is likely an easier way to do all of this. by signing the .rdp file with your letsencrypt certificate, we now have a safer-looking connection dialogue! rdp attacks with ou…"
T1021.001 Remote Desktop Protocol (47%)
"-split '=' ; "hax" > "hax$e" ; } as seen in the above screenshot, after randomly clicking files and investigating the launched program, one extension continually jumped out at me … rdp! the beauty (or danger) with .rdp files is security providers, email gateways, and e…"
Summary
Mike Felch // The Hunt for Initial Access With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red […]