RogueRDP: A New Approach to Initial Access

With Microsoft’s move to disable VBA macros from the internet by default, gaining initial access for threat actors and red teams has become more challenging. Mike Felch introduces a novel technique called “Rogue RDP” to address this challenge. This method leverages a malicious RDP server, an RDP relay, and a weaponized .RDP connection file, tricking unsuspecting users into connecting and granting partial control of their machine.

Key Insights:

1. Rogue RDP: This technique uses a malicious RDP server to force victims to connect, giving attackers access to files and, under certain conditions, the ability to execute remote code.
2. Weaponizing .RDP Files: .RDP files, which contain settings for Remote Desktop connections, are often allowed by security providers and email clients. This makes them a potential vector for attacks.
3. RDP Attacks: Once a connection is established, attackers can plant malicious payloads in startup locations, search for sensitive data, or even execute code remotely if certain conditions are met.
4. Advanced RDP Tactics: Techniques such as monitoring or altering clipboard contents can be employed. For instance, executing the .RDP file within a virtual machine can capture the clipboard contents of the host computer.
5. Remediation: To counter such attacks, it’s recommended to block .RDP extensions for email, configure GPOs to prevent redirection, and be wary of how .RDP files are delivered.

Mike Felch suggests that while the Rogue RDP technique is powerful, it’s essential to use it responsibly. He also hints at further research in this area, especially regarding RDP COM objects, and encourages readers to stay updated on the topic.

The RogueRDP tool will be released soon. Stay tuned!