{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rdp-shadowing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","Remote Desktop Services"],"_cs_severities":["high"],"_cs_tags":["lateral-movement","rdp-shadowing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eRemote Desktop Shadowing is a feature intended for legitimate administrative purposes, allowing administrators to view or control active RDP sessions for support and troubleshooting. However, adversaries can abuse this feature to monitor or hijack user sessions without consent, leading to unauthorized access and data compromise. This activity is detected by monitoring for modifications to the RDP Shadow registry settings and the execution of specific processes linked to shadowing, such as \u0026quot;RdpSaUacHelper.exe\u0026quot;, \u0026quot;RdpSaProxy.exe\u0026quot;, and \u0026quot;mstsc.exe\u0026quot; with the \u0026quot;/shadow:*\u0026quot; argument. The rule identifies suspicious modifications to RDP Shadow registry settings, specifically changes in \u0026quot;HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow\u0026quot;, and the execution of associated processes by \u0026quot;svchost.exe\u0026quot;. This activity can originate from internal or external actors and has been observed in various attacks aimed at lateral movement and data theft. Defenders should prioritize detection and prevention of RDP shadowing to prevent unauthorized access and session hijacking.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the RDP Shadow registry key \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow\u003c/code\u003e to enable shadowing. This may involve setting the value to \u0026quot;1\u0026quot;, \u0026quot;2\u0026quot;, \u0026quot;3\u0026quot;, or \u0026quot;4\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esvchost.exe\u003c/code\u003e to launch \u003ccode\u003eRdpSaUacHelper.exe\u003c/code\u003e or \u003ccode\u003eRdpSaProxy.exe\u003c/code\u003e to initiate the shadowing session.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker directly executes \u003ccode\u003emstsc.exe\u003c/code\u003e with the \u003ccode\u003e/shadow:\u0026lt;session ID\u0026gt;\u003c/code\u003e argument to target a specific RDP session.\u003c/li\u003e\n\u003cli\u003eThe compromised host connects to the target RDP session, allowing the attacker to view or control the user's session.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the user's activity, captures sensitive information, or performs malicious actions within the compromised session.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised session to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RDP shadowing allows an attacker to gain unauthorized access to sensitive information displayed on the user's screen. This can include credentials, financial data, or proprietary information. The attacker can also control the user's session, potentially leading to data theft, system compromise, or further lateral movement within the network. This can result in significant financial losses, reputational damage, and legal liabilities. The number of affected users depends on the scope of the attack and the number of RDP sessions targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications to \u003ccode\u003eHKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow\u003c/code\u003e using a registry monitoring tool and deploy the \u0026quot;RDP Shadow Registry Modification\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eAlert on the execution of \u003ccode\u003eRdpSaUacHelper.exe\u003c/code\u003e or \u003ccode\u003eRdpSaProxy.exe\u003c/code\u003e spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e using the \u0026quot;RDP Shadow Process Execution\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e with the \u003ccode\u003e/shadow\u003c/code\u003e argument using the \u0026quot;RDP Shadow MSTSC Execution\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and harden RDP access policies, including multi-factor authentication and limiting RDP access to only necessary users and systems.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for RDP activities across the network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/","summary":"This rule detects potential Remote Desktop Shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session that allows adversaries to spy on or control other user's RDP sessions.","title":"Potential Remote Desktop Shadowing Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/"}],"language":"en","title":"CraftedSignal Threat Feed - Rdp-Shadowing","version":"https://jsonfeed.org/version/1.1"}