{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rdp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Sysmon","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike Falcon"],"_cs_severities":["medium"],"_cs_tags":["initial-access","rdp","phishing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, connect the victim\u0026rsquo;s workstation to an attacker-controlled server and can expose its local resources to that server. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate, signed tool (mstsc.exe) with a malicious configuration file rather than any malware of their own. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\\Local\\Temp), and the Outlook content cache (INetCache\\Content.Outlook). This campaign has been observed as recently as October 2024, when Midnight Blizzard conducted large-scale spear-phishing using RDP files. 
Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email containing a malicious RDP file as an attachment.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the RDP file, initiating the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e reads the connection settings from the RDP file. In the observed campaign these pointed the session at an attacker-controlled server and enabled redirection of the victim\u0026rsquo;s local resources (drives, clipboard, printers, smart cards and other devices) into that session.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e establishes an outbound remote desktop connection to the attacker\u0026rsquo;s server based on the RDP file\u0026rsquo;s settings.\u003c/li\u003e\n\u003cli\u003eIf the connection succeeds, the attacker\u0026rsquo;s server can read and write the redirected local resources and capture credentials entered into the session. The compromised system is the victim\u0026rsquo;s own workstation; no inbound access to the victim network is required.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. 
Targets may span multiple sectors, and the breadth of impact depends on the attacker\u0026rsquo;s objectives and the reach of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRemote Desktop File Opened from Suspicious Path\u003c/code\u003e to your SIEM and tune for your environment, focusing on the specified file paths and \u003ccode\u003emstsc.exe\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing turned on) to capture the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and the paths of the RDP files being opened; without the command line the rule cannot see the file path.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.\u003c/li\u003e\n\u003cli\u003eImplement strict email filtering to block or quarantine emails with RDP attachments from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual outbound RDP traffic (TCP 3389) to external addresses originating from systems where suspicious RDP files were executed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-rdp-file-attachment/","summary":"Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.","title":"Remote Desktop File Opened from Suspicious Path","url":"https://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35245"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["virtualbox","rdp","dos","cve-2026-35245"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35245 is a vulnerability affecting Oracle VM VirtualBox version 7.2.6. 
This vulnerability resides in the Core component of VirtualBox and can be exploited by an unauthenticated attacker with network access to the VirtualBox RDP server (the VirtualBox Remote Desktop Extension, VRDE, which ships in the Extension Pack and is enabled per VM). Successful exploitation leads to a denial-of-service (DoS) condition, causing the VirtualBox application to hang or crash. Because no authentication or user interaction is required, it is a significant threat to hosts running vulnerable versions of VirtualBox with VRDE exposed to untrusted networks. This vulnerability allows an attacker to disrupt virtual machine operations, potentially impacting services relying on the virtualized environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target host running Oracle VM VirtualBox version 7.2.6 with the RDP service exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a network connection to the host\u0026rsquo;s VRDE port (TCP 3389 by default; the port is configurable per VM).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted RDP request to the vulnerable VirtualBox instance, exploiting CVE-2026-35245.\u003c/li\u003e\n\u003cli\u003eThe malicious RDP request triggers a flaw within the VirtualBox Core component.\u003c/li\u003e\n\u003cli\u003eThe VirtualBox process hangs or, alternatively, crashes, depending on how the flaw is triggered.\u003c/li\u003e\n\u003cli\u003eThe virtual machines hosted on the affected VirtualBox instance become unavailable.\u003c/li\u003e\n\u003cli\u003eThe attacker has caused a denial-of-service (DoS) condition, disrupting VirtualBox operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35245 results in a denial-of-service condition, where the Oracle VM VirtualBox application hangs or crashes. 
This impacts the availability of virtual machines running on the affected VirtualBox instance, potentially disrupting critical services and applications. The vulnerability affects VirtualBox version 7.2.6 and poses a risk to organizations utilizing this virtualization platform, especially those with exposed RDP services. The CVSS v3.1 base score is 7.5, consistent with a network-reachable, low-complexity flaw that needs no privileges or user interaction and has a high availability impact but no confidentiality or integrity impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Oracle VM VirtualBox to a release later than 7.2.6 that Oracle lists as fixed for CVE-2026-35245, and update the Extension Pack to the matching version, since the RDP server ships in it.\u003c/li\u003e\n\u003cli\u003eDisable the VirtualBox Remote Desktop Extension (VRDE) on VMs that do not need remote display (it is off by default and enabled per VM), and for the rest implement network segmentation and access controls so that only administrative networks can reach the RDP service.\u003c/li\u003e\n\u003cli\u003eMonitor RDP connections for suspicious activity, such as connections from unexpected source IPs, to detect potential exploitation attempts targeting CVE-2026-35245.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousRDPConnections\u003c/code\u003e to identify unusual RDP activity that may indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T21:16:40Z","date_published":"2026-04-21T21:16:40Z","id":"/briefs/2026-04-virtualbox-dos/","summary":"An unauthenticated attacker with network access via RDP can exploit CVE-2026-35245 in Oracle VM VirtualBox version 7.2.6 to cause a denial-of-service (DoS) condition.","title":"Oracle VirtualBox Unauthenticated RDP Denial-of-Service Vulnerability (CVE-2026-35245)","url":"https://feed.craftedsignal.io/briefs/2026-04-virtualbox-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["freerdp","vulnerability","rdp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in FreeRDP, a free remote desktop protocol implementation. 
An unauthenticated remote attacker can exploit these vulnerabilities to achieve several malicious outcomes. While the specific CVEs and technical details of these vulnerabilities are not disclosed in this brief, the potential impact includes arbitrary code execution, denial-of-service (DoS), data manipulation, and information disclosure. FreeRDP is widely used, both as the client behind many Linux and cross-platform RDP tools and as a library embedded in products that act as RDP servers, so these vulnerabilities have a potentially broad impact. Many FreeRDP flaws sit in client-side protocol parsing, where the trigger is a victim connecting to a malicious server; the server-side chain below should be read with that alternative path in mind.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FreeRDP server exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious RDP request targeting a specific FreeRDP vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable FreeRDP server processes the malicious request.\u003c/li\u003e\n\u003cli\u003eIf the vulnerability is an arbitrary code execution flaw, the attacker injects and executes malicious code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to gain further access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker could manipulate sensitive data or exfiltrate it.\u003c/li\u003e\n\u003cli\u003eThe attacker could cause a denial-of-service condition, disrupting RDP services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these FreeRDP vulnerabilities can lead to a range of severe consequences, including complete system compromise through remote code execution. Data manipulation can corrupt critical information, while data exfiltration can lead to significant financial and reputational damage. Denial-of-service attacks can disrupt business operations and impact user productivity. 
The scope of impact depends on the specific vulnerabilities exploited and the targeted systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor RDP traffic for anomalous patterns and unexpected data within RDP sessions using a network intrusion detection system.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on RDP connections to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eReview and harden FreeRDP configurations to minimize the attack surface, specifically focusing on disabling unnecessary features.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T08:04:45Z","date_published":"2026-04-21T08:04:45Z","id":"/briefs/2026-04-freerdp-vulns/","summary":"An anonymous remote attacker can exploit multiple vulnerabilities in FreeRDP to potentially execute arbitrary code, cause a denial-of-service condition, manipulate data, disclose confidential information, or perform other unspecified attacks.","title":"Multiple Vulnerabilities in FreeRDP Allow Remote Code Execution and DoS","url":"https://feed.craftedsignal.io/briefs/2026-04-freerdp-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rdp","phishing","initial-access","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e (Remote Desktop Connection) with an RDP file located in suspicious directories on Windows systems. Adversaries may use malicious RDP files delivered via phishing campaigns as an initial access vector. These files, containing connection settings, can be placed in locations such as the Downloads folder, temporary directories, or Outlook\u0026rsquo;s content cache. 
The rule focuses on detecting RDP files opened from unusual paths, which can signal unauthorized access or malicious activity. The behavior was observed in conjunction with the Midnight Blizzard campaign in October 2024. This detection helps defenders identify potential RDP-based attacks and investigate suspicious user behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email with a malicious RDP file attachment (T1566.001).\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and downloads the RDP file to a common location such as the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded RDP file, initiating the \u003ccode\u003emstsc.exe\u003c/code\u003e process (T1204.002).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emstsc.exe\u003c/code\u003e process attempts to establish a remote connection to a malicious server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eOnce the session is established, the attacker\u0026rsquo;s server can access the local resources the RDP file redirected into the session (drives, clipboard and devices) and may capture credentials the user enters, giving the attacker a foothold on the victim\u0026rsquo;s workstation.\u003c/li\u003e\n\u003cli\u003eFrom that foothold, the attacker performs reconnaissance activities, such as network scanning and user enumeration.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, exploiting additional vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via malicious RDP files can lead to unauthorized access to internal systems, data breaches, and potential ransomware deployment. 
While the number of victims and targeted sectors is unspecified, the impact can be significant, especially if the compromised systems have access to sensitive data or critical infrastructure. This can result in financial losses, reputational damage, and operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to detect the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and capture the command-line arguments used to launch the process; the path of the \u003ccode\u003e.rdp\u003c/code\u003e file appears only in the command line.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Remote Desktop File Opened from Suspicious Path\u0026rdquo; to your SIEM to detect RDP files opened from suspicious locations.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening RDP files from untrusted sources, especially those received via email.\u003c/li\u003e\n\u003cli\u003eBlock outbound RDP (TCP 3389) to external networks with host and perimeter firewall rules, and block or quarantine \u003ccode\u003e.rdp\u003c/code\u003e attachments in the email client. Application control on \u003ccode\u003emstsc.exe\u003c/code\u003e itself is not effective here: the binary runs from its normal System32 location, and only the \u003ccode\u003e.rdp\u003c/code\u003e file sits in the untrusted directory.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from systems where \u003ccode\u003emstsc.exe\u003c/code\u003e has been executed to identify suspicious remote connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T21:38:09Z","date_published":"2026-04-20T21:38:09Z","id":"/briefs/2024-11-suspicious-rdp/","summary":"This rule identifies attempts to open a remote desktop file from suspicious paths, indicative of adversaries abusing RDP files for initial access via phishing.","title":"Suspicious RDP File Execution","url":"https://feed.craftedsignal.io/briefs/2024-11-suspicious-rdp/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-26151"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-26151","rdp","spoofing","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26151 is a security vulnerability 
affecting Windows Remote Desktop (RDP). The vulnerability stems from an insufficient UI warning mechanism when dangerous operations are about to be performed within an RDP session (the weakness class catalogued as CWE-357, Insufficient UI Warning of Dangerous Operations). An attacker could exploit this to spoof legitimate actions or elements within the RDP interface, misleading the user into performing unintended actions. The attack is carried out over the network; Microsoft\u0026rsquo;s description requires no prior authentication. Successful exploitation could lead to information disclosure, unauthorized access, or other forms of compromise, depending on the specific actions spoofed. The vulnerability has a CVSS v3.1 score of 7.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a network position from which the victim\u0026rsquo;s RDP session can be reached, either an existing session or one the victim later opens.\u003c/li\u003e\n\u003cli\u003eFrom that position (for example, an RDP endpoint the attacker controls and the victim connects to) the attacker exploits CVE-2026-26151 to present spoofed UI elements inside the RDP session; because the client does not adequately warn before the dangerous operation, the user has no cue that the element is not genuine.\u003c/li\u003e\n\u003cli\u003eThe victim, unaware of the spoofed UI, interacts with the malicious elements.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spoofed UI to trick the user into performing unintended actions, such as providing credentials or running malicious commands.\u003c/li\u003e\n\u003cli\u003eIf credentials were stolen, the attacker authenticates using them.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems on the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, deploying ransomware, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26151 could allow an 
attacker to perform spoofing attacks via manipulated UI elements within the Remote Desktop session. This could lead to unauthorized access to sensitive information, credential theft, or the execution of arbitrary commands on the remote system. Depending on the compromised system\u0026rsquo;s role and privileges, this could potentially lead to wider compromise within the organization\u0026rsquo;s network. The impact can range from data breaches to system downtime and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-26151 as detailed in \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious RDP Clipboard Activity\u0026rdquo; to detect potential data exfiltration attempts via the clipboard during RDP sessions.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalies associated with RDP connections, such as unexpected data transfers or connections from unusual source IPs, to complement the remediation of CVE-2026-26151.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-rdp-spoofing/","summary":"CVE-2026-26151 is a spoofing vulnerability in Windows Remote Desktop due to an insufficient UI warning for dangerous operations, allowing an unauthorized attacker to perform spoofing over a network.","title":"Windows Remote Desktop Spoofing Vulnerability 
(CVE-2026-26151)","url":"https://feed.craftedsignal.io/briefs/2026-04-rdp-spoofing/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33982"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["freerdp","heap-buffer-overflow","cve-2026-33982","rdp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33982 is a heap-buffer-overflow READ vulnerability affecting FreeRDP, a widely used open-source implementation of the Remote Desktop Protocol (RDP). The vulnerability exists in versions prior to 3.24.2 and is located within the \u003ccode\u003ewinpr_aligned_offset_recalloc()\u003c/code\u003e function. Specifically, the flaw occurs due to an out-of-bounds read 24 bytes before the allocated buffer, which could be triggered during specific RDP operations involving memory reallocation. Successful exploitation can lead…\u003c/p\u003e\n","date_modified":"2026-03-30T22:16:19Z","date_published":"2026-03-30T22:16:19Z","id":"/briefs/2026-03-freerdp-heap-overflow/","summary":"A heap-buffer-overflow read vulnerability exists in FreeRDP versions prior to 3.24.2, specifically in the winpr_aligned_offset_recalloc() function, potentially leading to denial of service or information disclosure.","title":"FreeRDP Heap-Buffer-Overflow Vulnerability (CVE-2026-33982)","url":"https://feed.craftedsignal.io/briefs/2026-03-freerdp-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["freerdp","rdp","vulnerability","denial-of-service","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities exist within FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). An unauthenticated, remote attacker can exploit these vulnerabilities to achieve a denial-of-service (DoS) condition on a vulnerable system, or potentially gain the ability to execute arbitrary code. 
While the specific CVEs are not detailed in this brief, unauthenticated remote code execution or denial of service in a network-facing protocol implementation is a high-impact class of flaw regardless of the individual bug. This issue came to light on March 24, 2026, and is a potential risk to any system using FreeRDP if not mitigated by appropriate updates and security practices. Because RDP is so widely deployed, this poses a significant risk to organizations using affected versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable FreeRDP server exposed to the network.\u003c/li\u003e\n\u003cli\u003eAttacker establishes an RDP connection to the target server on port 3389 (default).\u003c/li\u003e\n\u003cli\u003eAttacker sends a series of crafted RDP packets designed to exploit a specific vulnerability in FreeRDP\u0026rsquo;s processing of session data.\u003c/li\u003e\n\u003cli\u003eIf successful, the exploit triggers a buffer overflow or other memory corruption issue within the FreeRDP process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical program data or inject malicious code into the process\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed, granting the attacker control over the FreeRDP session or potentially the entire system, depending on the specific vulnerability and the privileges of the FreeRDP process.\u003c/li\u003e\n\u003cli\u003eAlternatively, the crafted packets could cause the FreeRDP service to crash, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escalate privileges, install malware, or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a denial-of-service condition, disrupting remote access services. 
More critically, attackers may be able to execute arbitrary code, leading to full system compromise. This could allow attackers to steal sensitive data, install ransomware, or use the compromised system as a foothold for further attacks within the network. The number of potentially affected systems is large, given the widespread use of RDP for remote administration and access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections for suspicious RDP traffic, especially connections originating from unexpected sources; deploy the provided network connection Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of RDP services to only authorized networks and users.\u003c/li\u003e\n\u003cli\u003eAudit RDP usage for anomalies and suspicious activity, paying close attention to unexpected processes launched by RDP sessions; leverage process creation Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnsure FreeRDP is updated to the latest version to patch known vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T10:17:27Z","date_published":"2026-03-24T10:17:27Z","id":"/briefs/2026-03-freerdp-vulns/","summary":"A remote, anonymous attacker can exploit multiple vulnerabilities in FreeRDP to cause a denial of service or potentially execute arbitrary program code.","title":"Multiple Vulnerabilities in FreeRDP Allow for DoS and Potential Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-03-freerdp-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the potential for lateral movement within a network facilitated by an unusual spike in Remote Desktop Protocol (RDP) connections originating from a single source IP address. 
This activity is detected using an Elastic machine learning job designed to identify anomalies in network connection patterns. The rule \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; leverages this ML job to flag instances where a single host initiates RDP connections to a significantly higher than normal number of distinct destination IPs, potentially indicating that an attacker is attempting to pivot and gain access to additional systems after compromising an initial foothold. This detection mechanism is available in Elastic Security 9.4.0 and later, with the Lateral Movement Detection integration assets installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a host within the network through methods such as phishing, exploiting a vulnerability, or credential theft.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Foothold:\u003c/strong\u003e The attacker establishes a foothold on the compromised system, potentially installing tools for reconnaissance and lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e The attacker performs internal reconnaissance to identify potential target systems accessible via RDP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Connection Attempts:\u003c/strong\u003e The attacker initiates RDP connections to a large number of internal IP addresses from the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The attacker attempts to harvest credentials from the targeted systems to gain further access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker successfully connects to additional systems using RDP, leveraging harvested or stolen 
credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e On newly accessed systems, the attacker attempts to escalate privileges to gain administrative control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e With broader access and elevated privileges, the attacker achieves their objective, which may include data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, this lateral movement can result in widespread compromise across the targeted network. A single compromised host can serve as a launching point to access sensitive data, critical systems, and ultimately, inflict significant damage. The \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; rule aims to detect these lateral movement attempts early, minimizing potential damage. The impact of a successful attack could range from data breaches and financial losses to operational disruption and reputational damage, affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection if using Elastic Defend (versions 8.18 and above), by following the configuration steps outlined in the Elastic documentation to ensure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://docs.elastic.co/en/integrations/lmd\"\u003eofficial Elastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the false positive analysis steps within the detection rule\u0026rsquo;s documentation. 
Whitelist known administrative IPs or legitimate RDP usage patterns to minimize noise.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface as recommended in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-spike-in-rdp-connections/","summary":"A machine learning job detected a high count of destination IPs establishing RDP connections with a single source IP, indicating potential lateral movement attempts after initial compromise.","title":"Spike in Number of RDP Connections from a Single Source IP","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the detection of unusually long Remote Desktop Protocol (RDP) sessions, identified by a pre-built Elastic machine learning job named \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e. Attackers can abuse RDP for lateral movement and maintaining persistence within a network. Extended RDP sessions can also be used to evade detection mechanisms. This detection leverages machine learning to identify deviations from normal RDP session durations, potentially indicating malicious activity. The detection rule has been available since October 2023, and the corresponding ML job is part of the Lateral Movement Detection integration, requiring Elastic Stack version 9.4.0 or later. 
The rule depends on the \u003ccode\u003ehost.ip\u003c/code\u003e field to be populated, which may require enabling host IP collection in Elastic Defend versions 8.18 and above.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network, possibly through phishing or exploiting a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages valid credentials or exploits a vulnerability to establish an RDP connection to a target system.\u003c/li\u003e\n\u003cli\u003eThe RDP session is maintained for an extended period, significantly longer than typical RDP sessions within the environment.\u003c/li\u003e\n\u003cli\u003eDuring the prolonged RDP session, the attacker performs reconnaissance, gathering information about the network and target systems.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, using the established RDP session as a persistent access point.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or transfers files, potentially installing malware or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe unusually long RDP session duration helps the attacker to remain undetected and evade security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and undetected lateral movement via prolonged RDP sessions can lead to significant data breaches, system compromise, and financial loss. The impact includes potential theft of sensitive information, disruption of business operations, and reputational damage. 
If an adversary establishes a persistent foothold via RDP, they can maintain long-term access to the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated by enabling host IP collection if using Elastic Defend versions 8.18 and above, as described in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall and configure the Lateral Movement Detection integration in Kibana as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e by adjusting the \u003ccode\u003eanomaly_threshold\u003c/code\u003e based on your environment and RDP usage patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate triggered alerts from the \u0026ldquo;High Mean of RDP Session Duration\u0026rdquo; rule following the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003etriage and analysis guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Windows RDP process events collected by the \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e integration for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T18:10:00Z","date_published":"2024-01-24T18:10:00Z","id":"/briefs/2024-01-high-mean-rdp-session/","summary":"A machine learning job detected an unusually high mean of RDP session duration, indicative of potential lateral movement or persistent access attempts by adversaries abusing RDP.","title":"Unusually High Mean of RDP Session Duration Detected by Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-high-mean-rdp-session/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-0708"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["command-and-control","lateral-movement","initial-access","rdp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRemote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems; however, exposing RDP directly to the internet creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for RDP connections originating from outside the internal network (RFC1918 IP ranges). This is important because successful RDP compromise often leads to broader network infiltration and data exfiltration. This detection focuses on the network-level characteristics of RDP connections from the internet to internal assets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible RDP service.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g. 
BlueKeep CVE-2019-0708).\u003c/li\u003e\n\u003cli\u003eUpon successful authentication or exploitation, the attacker gains remote access to the targeted system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).\u003c/li\u003e\n\u003cli\u003eThe attacker gathers sensitive data from internal systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data to an external server or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The impact of a successful RDP attack ranges from several thousands to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;RDP (Remote Desktop Protocol) from the Internet\u0026rdquo; Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.\u003c/li\u003e\n\u003cli\u003eReview firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. 
Implement a VPN or RDP gateway for secure remote access.\u003c/li\u003e\n\u003cli\u003eEnable and monitor network traffic logs (category: \u003ccode\u003enetwork_traffic\u003c/code\u003e, product: \u003ccode\u003ewindows|linux|macos\u003c/code\u003e) to provide data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential RDP compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-rdp-internet/","summary":"This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.","title":"RDP (Remote Desktop Protocol) from the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-internet/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Access Firewall","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["rdp","bruteforce","credential-access","windows","network"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. 
This activity can lead to account compromise and potential ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker scans the network to identify systems with open RDP ports (TCP 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.\u003c/li\u003e\n\u003cli\u003eSysmon logs the network connections with Event ID 3.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to attempt connections, typically exceeding 10 attempts within an hour.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains unauthorized access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, move laterally, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. 
The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure network traffic data is populating the Network_Traffic data model to enable the provided search query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRDP Bruteforce via Network Traffic\u003c/code\u003e to detect brute force attempts based on network connection patterns.\u003c/li\u003e\n\u003cli\u003eAdjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate source IPs identified by the detection rule as potential attackers.\u003c/li\u003e\n\u003cli\u003eMonitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.\u003c/li\u003e\n\u003cli\u003eReview the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rdp-bruteforce/","summary":"This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.","title":"Windows Remote Desktop Network Bruteforce Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-evasion","rdp","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may enable Remote Desktop Protocol (RDP) to facilitate lateral movement within a compromised 
network. By modifying the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key to a value of \u003ccode\u003e0\u003c/code\u003e, attackers can enable remote desktop connections, allowing them to access systems remotely. This technique can be employed using remote registry manipulation or tools like PsExec. The modification of the registry key is a common tactic used by ransomware operators and other threat actors to gain unauthorized access to victim servers. This activity can be performed to enable remote access for initial access or to regain access after persistence mechanisms have failed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like PsExec or leverages remote registry modification capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key, setting its value to \u003ccode\u003e0\u003c/code\u003e. 
This key is typically located in \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s RDP service is enabled or re-enabled as a result of the registry change.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to connect to the now-enabled RDP service using valid or brute-forced credentials.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains interactive access to the system via RDP.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, elevates privileges, and moves laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware, exfiltrates data, or achieves other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key allows unauthorized remote access to systems, potentially leading to lateral movement, data theft, or ransomware deployment. Organizations could suffer significant financial losses, reputational damage, and operational disruption. 
The scope of the impact depends on the attacker\u0026rsquo;s objectives and the level of access they gain within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;RDP Enabled via Registry\u0026rdquo; to detect modifications to the \u003ccode\u003efDenyTSConnections\u003c/code\u003e registry key (rules).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious use of \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys related to RDP (rules).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewall rules to restrict RDP traffic to authorized hosts (overview).\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to users and ensure the principle of least privilege is enforced (overview).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications (setup).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to registry modifications on critical systems (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rdp-registry-enabled/","summary":"An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.","title":"RDP Enabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-registry-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Firewall","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","windows","netsh","rdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can 
leverage the native Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing them to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. This behavior is detected by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh\u003c/code\u003e command creates or modifies an inbound rule to allow RDP traffic (TCP port 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RDP connection to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to disable or modify security tools to further evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this 
technique can lead to unauthorized remote access to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enetsh.exe\u003c/code\u003e executing with arguments related to enabling inbound RDP traffic using the \u0026ldquo;Remote Desktop Enabled in Windows Firewall by Netsh\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to modify firewall rules related to RDP.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview existing firewall rules and remove any unnecessary or overly permissive rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging for enhanced visibility into process execution events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-netsh-rdp-enable/","summary":"Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.","title":"Netsh Used to Enable Remote Desktop Protocol (RDP) in Windows Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/"}],"language":"en","title":"CraftedSignal Threat Feed — Rdp","version":"https://jsonfeed.org/version/1.1"}