Remote Desktop File Opened from Suspicious Path
Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.
Attackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered as spearphishing attachments, contain connection settings that, when opened, can compromise a system. The technique lets adversaries bypass traditional security controls by pairing a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations such as the Downloads folder, temporary folders (AppData\Local\Temp), and the Outlook content cache (INetCache\Content.Outlook). Such a campaign was observed as recently as October 2024, when Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.
Attack Chain
- The attacker crafts a spearphishing email containing a malicious RDP file as an attachment.
- The victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.
- The victim double-clicks the RDP file, initiating the execution of mstsc.exe.
- mstsc.exe reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.
- mstsc.exe attempts to establish a remote desktop connection based on the RDP file's settings.
- If the connection is successful, the attacker gains unauthorized access to the remote system.
- The attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.
- The final objective could be data exfiltration, ransomware deployment, or establishing persistent access.
Impact
A successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker’s objectives and the scope of the compromised network.
Recommendation
- Deploy the Sigma rule Remote Desktop File Opened from Suspicious Path to your SIEM and tune it for your environment, focusing on the specified file paths and mstsc.exe execution.
- Enable process creation logging with command-line arguments to capture the execution of mstsc.exe and the paths of the RDP files being opened.
- Educate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.
- Implement strict email filtering to block or quarantine emails with RDP attachments from external sources.
- Monitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.
Detection coverage (2 rules)
Remote Desktop File Opened from Suspicious Path (severity: medium)
Detects when mstsc.exe opens an RDP file from a suspicious directory, indicating potential phishing or malicious activity.
Suspicious MSTSC Execution with RDP File Argument (severity: low)
Detects mstsc.exe being executed with an RDP file as an argument, which could indicate malicious use of RDP.
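To show how the two detections above fit together, here is an added Python example that is not the platform's Sigma rules or query logic. It applies the same criteria the page describes to constructed Sysmon-style process-creation events: an mstsc.exe process with an .rdp file argument is flagged at low severity, and it is raised to medium when the file sits under one of the suspicious directories named on the page (Downloads, AppData\Local\Temp, INetCache\Content.Outlook). The field names (Image, CommandLine), the path fragments, the argument parsing and the sample events are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Directory fragments the page names as suspicious origins for an .rdp file
# (assumption: matched case-insensitively as substrings of the full path).
SUSPICIOUS_PATH_FRAGMENTS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\inetcache\\content.outlook\\",
)

# Extract an .rdp argument from a command line, quoted (may contain spaces)
# or unquoted. Assumption: one .rdp argument at most is relevant.
RDP_ARG_RE = re.compile(r'"([^"]*\.rdp)"|(\S+\.rdp)', re.IGNORECASE)


@dataclass
class Finding:
    title: str
    level: str
    rdp_path: str


def rdp_file_argument(command_line: str) -> Optional[str]:
    """Return the .rdp path passed on the command line, or None."""
    m = RDP_ARG_RE.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_suspicious_path(path: str) -> bool:
    """True when the path lies under one of the page's suspicious directories."""
    lowered = path.lower()
    return any(fragment in lowered for fragment in SUSPICIOUS_PATH_FRAGMENTS)


def evaluate(event: dict) -> Optional[Finding]:
    """Classify one process-creation event against the two rule tiers."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\mstsc.exe"):
        return None  # only the RDP client is in scope
    rdp = rdp_file_argument(event.get("CommandLine", ""))
    if rdp is None:
        return None  # e.g. "mstsc.exe /v:host" carries no .rdp file
    if is_suspicious_path(rdp):
        return Finding("Remote Desktop File Opened from Suspicious Path", "medium", rdp)
    return Finding("Suspicious MSTSC Execution with RDP File Argument", "low", rdp)


def scan(events) -> list:
    """Run evaluate() over a batch of events and keep only the hits."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (Sysmon Event ID 1 style fields, invented values).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\invoice 2024.rdp"'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\meeting.rdp"'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" C:\Users\alice\AppData\Local\Temp\7zO4C\contract.RDP'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" C:\Users\bob\Desktop\work.rdp'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" /v:server01'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\bob\Downloads\work.rdp'},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.level}] {finding.title}: {finding.rdp_path}")
```

The two-tier split mirrors the severities above: the low-severity rule is the broad net for any .rdp file handed to mstsc.exe (a rule you tune by excluding known administrative file locations), while the medium-severity rule narrows to the paths an email attachment or browser download typically lands in. Both depend on process-creation logging that records the full command line, which is why the recommendation to enable it comes first.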