888.818.HACK (4225)

RogueRDP: A New Approach to Initial Access

by | Sep 18, 2023 | Tradecraft

With Microsoft’s move to disable VBA macros from the internet by default, gaining initial access for threat actors and red teams has become more challenging. Mike Felch introduces a novel technique called “Rogue RDP” to address this challenge. This method leverages a malicious RDP server, an RDP relay, and a weaponized .RDP connection file, tricking unsuspecting users into connecting and granting partial control of their machine.

Key Insights:

  1. Rogue RDP: This technique uses a malicious RDP server to force victims to connect, giving attackers access to files and, under certain conditions, the ability to execute remote code.
  2. Weaponizing .RDP Files: .RDP files, which contain settings for Remote Desktop connections, are often allowed by security providers and email clients. This makes them a potential vector for attacks.
  3. RDP Attacks: Once a connection is established, attackers can plant malicious payloads in startup locations, search for sensitive data, or even execute code remotely if certain conditions are met.
  4. Advanced RDP Tactics: Techniques such as monitoring or altering clipboard contents can be employed. For instance, executing the .RDP file within a virtual machine can capture the clipboard contents of the host computer.
  5. Remediation: To counter such attacks, it’s recommended to block .RDP extensions for email, configure GPOs to prevent redirection, and be wary of how .RDP files are delivered.

Mike Felch suggests that while the Rogue RDP technique is powerful, it’s essential to use it responsibly. He also hints at further research in this area, especially regarding RDP COM objects, and encourages readers to stay updated on the topic.

The RogueRDP tool will be released soon. Stay tuned!

Related Articles

BSides Orlando 2023

BSides Orlando 2023

Speaker: Mike Felch (@ustayready)Date/Time: 10/7/2023 3:15PMTrack: 1Room: Full Sail Live In the ever-evolving landscape of cloud security, mastering advanced operator tradecraft is important for effectively evaluating the security controls in an AWS environment. This...

Wild West Hackin’ Fest 2023

Wild West Hackin’ Fest 2023

Wild West Hackin’ Fest (WWHF) stands out from typical cybersecurity conferences due to its unique location in Deadwood, South Dakota, a historic town known for its vibrant past involving figures like Wild Bill Hickok and Calamity Jane.