<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rdp-Shadowing - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rdp-shadowing/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rdp-shadowing/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Remote Desktop Shadowing Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/</link><pubDate>Tue, 02 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-rdp-shadowing/</guid><description>This rule detects potential Remote Desktop Shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session that allows adversaries to spy on or control other user's RDP sessions.</description><content:encoded><![CDATA[<p>Remote Desktop Shadowing is a feature intended for legitimate administrative purposes, allowing administrators to view or control active RDP sessions for support and troubleshooting. However, adversaries can abuse this feature to monitor or hijack user sessions without consent, leading to unauthorized access and data compromise. This activity is detected by monitoring for modifications to the RDP Shadow registry settings and the execution of specific processes linked to shadowing, such as &quot;RdpSaUacHelper.exe&quot;, &quot;RdpSaProxy.exe&quot;, and &quot;mstsc.exe&quot; with the &quot;/shadow:*&quot; argument. The rule identifies suspicious modifications to RDP Shadow registry settings, specifically changes in &quot;HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow&quot;, and the execution of associated processes by &quot;svchost.exe&quot;. This activity can originate from internal or external actors and has been observed in various attacks aimed at lateral movement and data theft. Defenders should prioritize detection and prevention of RDP shadowing to prevent unauthorized access and session hijacking.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the target system through compromised credentials or other means.</li>
<li>The attacker modifies the RDP Shadow registry key <code>HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow</code> to enable shadowing. This may involve setting the value to &quot;1&quot;, &quot;2&quot;, &quot;3&quot;, or &quot;4&quot;.</li>
<li>The attacker uses <code>svchost.exe</code> to launch <code>RdpSaUacHelper.exe</code> or <code>RdpSaProxy.exe</code> to initiate the shadowing session.</li>
<li>Alternatively, the attacker directly executes <code>mstsc.exe</code> with the <code>/shadow:&lt;session ID&gt;</code> argument to target a specific RDP session.</li>
<li>The compromised host connects to the target RDP session, allowing the attacker to view or control the user's session.</li>
<li>The attacker monitors the user's activity, captures sensitive information, or performs malicious actions within the compromised session.</li>
<li>The attacker may use the compromised session to move laterally to other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful RDP shadowing allows an attacker to gain unauthorized access to sensitive information displayed on the user's screen. This can include credentials, financial data, or proprietary information. The attacker can also control the user's session, potentially leading to data theft, system compromise, or further lateral movement within the network. This can result in significant financial losses, reputational damage, and legal liabilities. The number of affected users depends on the scope of the attack and the number of RDP sessions targeted.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor registry modifications to <code>HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow</code> using a registry monitoring tool and deploy the &quot;RDP Shadow Registry Modification&quot; Sigma rule.</li>
<li>Alert on the execution of <code>RdpSaUacHelper.exe</code> or <code>RdpSaProxy.exe</code> spawned by <code>svchost.exe</code> using the &quot;RDP Shadow Process Execution&quot; Sigma rule.</li>
<li>Monitor for the execution of <code>mstsc.exe</code> with the <code>/shadow</code> argument using the &quot;RDP Shadow MSTSC Execution&quot; Sigma rule.</li>
<li>Review and harden RDP access policies, including multi-factor authentication and limiting RDP access to only necessary users and systems.</li>
<li>Implement enhanced monitoring and logging for RDP activities across the network.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lateral-movement</category><category>rdp-shadowing</category><category>windows</category></item></channel></rss>