https://feed.craftedsignal.io/tags/rdp/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 14:17:05 +0000https://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/Mon, 04 May 2026 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.Attackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\Local\Temp), and Outlook content cache (INetCache\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.

Attack Chain

1. The attacker crafts a spearphishing email containing a malicious RDP file as an attachment.
2. The victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.
3. The victim double-clicks the RDP file, initiating the execution of mstsc.exe.
4. mstsc.exe reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.
5. mstsc.exe attempts to establish a remote desktop connection based on the RDP file’s settings.
6. If the connection is successful, the attacker gains unauthorized access to the remote system.
7. The attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.
8. The final objective could be data exfiltration, ransomware deployment, or establishing persistent access.

Impact

A successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker’s objectives and the scope of the compromised network.

Recommendation

• Deploy the Sigma rule Remote Desktop File Opened from Suspicious Path to your SIEM and tune for your environment, focusing on the specified file paths and mstsc.exe execution.
• Enable process creation logging with command-line arguments to capture the execution of mstsc.exe and the paths of the RDP files being opened.
• Educate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.
• Implement strict email filtering to block or quarantine emails with RDP attachments from external sources.
• Monitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.

]]>mediumadvisoryinitial-accessrdpphishingwindowshttps://feed.craftedsignal.io/briefs/2026-04-virtualbox-dos/Tue, 21 Apr 2026 21:16:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-virtualbox-dos/An unauthenticated attacker with network access via RDP can exploit CVE-2026-35245 in Oracle VM VirtualBox version 7.2.6 to cause a denial-of-service (DOS) condition.CVE-2026-35245 is a vulnerability affecting Oracle VM VirtualBox version 7.2.6. This vulnerability resides in the Core component of VirtualBox and can be exploited by unauthenticated attackers with network access to the RDP service. Successful exploitation leads to a denial-of-service (DOS) condition, causing the VirtualBox application to hang or crash. The vulnerability’s ease of exploitation makes it a significant threat to systems running vulnerable versions of VirtualBox exposed to untrusted networks. This vulnerability allows an attacker to disrupt virtual machine operations, potentially impacting services relying on the virtualized environment.

Attack Chain

1. The attacker identifies a target system running Oracle VM VirtualBox version 7.2.6 with the RDP service exposed.
2. The attacker establishes a network connection to the target system’s RDP port (typically TCP 3389).
3. The attacker sends a specially crafted RDP request to the vulnerable VirtualBox instance, exploiting CVE-2026-35245.
4. The malicious RDP request triggers a flaw within the VirtualBox Core component.
5. The VirtualBox application enters a hung state due to the unhandled exception.
6. Alternatively, the VirtualBox application may crash due to the exploited vulnerability.
7. The virtual machines hosted on the affected VirtualBox instance become unavailable.
8. The attacker successfully causes a denial-of-service (DOS) condition, disrupting VirtualBox operations.

Impact

Successful exploitation of CVE-2026-35245 results in a denial-of-service condition, where the Oracle VM VirtualBox application hangs or crashes. This impacts the availability of virtual machines running on the affected VirtualBox instance, potentially disrupting critical services and applications. The vulnerability affects VirtualBox version 7.2.6 and poses a risk to organizations utilizing this virtualization platform, especially those with exposed RDP services. The CVSS v3.1 base score is 7.5, reflecting the high availability impact.

Recommendation

• Upgrade Oracle VM VirtualBox to a version beyond 7.2.6 to patch CVE-2026-35245.
• Implement network segmentation and access controls to restrict access to the RDP service, mitigating the risk of external attackers exploiting CVE-2026-35245.
• Monitor RDP connections for suspicious activity, such as connections from unexpected source IPs, to detect potential exploitation attempts targeting CVE-2026-35245.
• Deploy the Sigma rule DetectSuspiciousRDPConnections to identify unusual RDP activity that may indicate exploitation attempts.

]]>mediumadvisoryvirtualboxrdpdoscve-2026-35245https://feed.craftedsignal.io/briefs/2026-04-freerdp-vulns/Tue, 21 Apr 2026 08:04:45 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-freerdp-vulns/An anonymous remote attacker can exploit multiple vulnerabilities in FreeRDP to potentially execute arbitrary code, cause a denial-of-service condition, manipulate data, disclose confidential information, or perform other unspecified attacks.Multiple vulnerabilities have been identified in FreeRDP, a free remote desktop protocol implementation. An unauthenticated remote attacker can exploit these vulnerabilities to achieve several malicious outcomes. While the specific CVEs and technical details of these vulnerabilities are not disclosed in this brief, the potential impact includes arbitrary code execution, denial-of-service (DoS), data manipulation, and information disclosure. FreeRDP is widely used, so these vulnerabilities have a potentially broad impact.

Attack Chain

1. The attacker identifies a vulnerable FreeRDP server exposed to the network.
2. The attacker crafts a malicious RDP request targeting a specific FreeRDP vulnerability.
3. The vulnerable FreeRDP server processes the malicious request.
4. If the vulnerability is an arbitrary code execution flaw, the attacker injects and executes malicious code on the server.
5. The attacker leverages the executed code to gain further access to the system.
6. The attacker may attempt to escalate privileges.
7. The attacker could manipulate sensitive data or exfiltrate it.
8. The attacker could cause a denial-of-service condition, disrupting RDP services.

Impact

Successful exploitation of these FreeRDP vulnerabilities can lead to a range of severe consequences, including complete system compromise through remote code execution. Data manipulation can corrupt critical information, while data exfiltration can lead to significant financial and reputational damage. Denial-of-service attacks can disrupt business operations and impact user productivity. The scope of impact depends on the specific vulnerabilities exploited and the targeted systems.

Recommendation

• Monitor RDP traffic for anomalous patterns and unexpected data within RDP sessions using a network intrusion detection system.
• Implement rate limiting on RDP connections to mitigate potential denial-of-service attacks.
• Review and harden FreeRDP configurations to minimize the attack surface, specifically focusing on disabling unnecessary features.
• Deploy the Sigma rules below to your SIEM to detect potential exploitation attempts.

]]>highadvisoryfreerdpvulnerabilityrdphttps://feed.craftedsignal.io/briefs/2024-11-suspicious-rdp/Mon, 20 Apr 2026 21:38:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-11-suspicious-rdp/This rule identifies attempts to open a remote desktop file from suspicious paths, indicative of adversaries abusing RDP files for initial access via phishing.This detection identifies the execution of mstsc.exe (Remote Desktop Connection) with an RDP file located in suspicious directories on Windows systems. Adversaries may use malicious RDP files delivered via phishing campaigns as an initial access vector. These files, containing connection settings, can be placed in locations such as the Downloads folder, temporary directories, or Outlook’s content cache. The rule focuses on detecting RDP files opened from unusual paths, which can signal unauthorized access or malicious activity. The behavior was observed in conjunction with the Midnight Blizzard campaign in October 2024. This detection helps defenders identify potential RDP-based attacks and investigate suspicious user behavior.

Attack Chain

1. The attacker crafts a spearphishing email with a malicious RDP file attachment (T1566.001).
2. The victim receives the email and downloads the RDP file to a common location such as the Downloads folder.
3. The user executes the downloaded RDP file, initiating the mstsc.exe process (T1204.002).
4. The mstsc.exe process attempts to establish a remote connection to a malicious server controlled by the attacker.
5. The attacker may exploit vulnerabilities in the RDP service or use credential harvesting techniques to gain access to the remote system.
6. Upon successful connection, the attacker performs reconnaissance activities, such as network scanning and user enumeration.
7. The attacker moves laterally within the network, exploiting additional vulnerabilities or using stolen credentials.
8. The attacker achieves their objective, such as data exfiltration or deploying ransomware.

Impact

Successful exploitation via malicious RDP files can lead to unauthorized access to internal systems, data breaches, and potential ransomware deployment. While the number of victims and targeted sectors is unspecified, the impact can be significant, especially if the compromised systems have access to sensitive data or critical infrastructure. This can result in financial losses, reputational damage, and operational disruptions.

Recommendation

• Enable Sysmon process creation logging to detect the execution of mstsc.exe and capture the command-line arguments used to launch the process.
• Deploy the Sigma rule “Remote Desktop File Opened from Suspicious Path” to your SIEM to detect RDP files opened from suspicious locations.
• Educate users about the risks of opening RDP files from untrusted sources, especially those received via email.
• Implement application control policies to restrict the execution of mstsc.exe from untrusted directories.
• Monitor network connections originating from systems where mstsc.exe has been executed to identify suspicious remote connections.

]]>mediumadvisoryrdpphishinginitial-accesswindowshttps://feed.craftedsignal.io/briefs/2026-04-rdp-spoofing/Wed, 15 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-rdp-spoofing/CVE-2026-26151 is a spoofing vulnerability in Windows Remote Desktop due to an insufficient UI warning for dangerous operations, allowing an unauthorized attacker to perform spoofing over a network.CVE-2026-26151 is a security vulnerability affecting Windows Remote Desktop (RDP). The vulnerability stems from an insufficient UI warning mechanism when dangerous operations are about to be performed within an RDP session. An attacker could potentially exploit this to spoof legitimate actions or elements within the RDP interface, misleading the user into performing unintended actions. This vulnerability could be exploited by an attacker positioned on the same network as the victim, or through other means of network access. Successful exploitation could lead to information disclosure, unauthorized access, or other forms of compromise, depending on the specific actions spoofed. The vulnerability has a CVSS v3.1 score of 7.1, indicating a high severity.

Attack Chain

1. The attacker gains network access to a system that has an active RDP connection or will have an RDP connection in the future.
2. The attacker leverages their network position to intercept and manipulate RDP traffic.
3. The attacker exploits CVE-2026-26151 to inject spoofed UI elements into the RDP session.
4. The victim, unaware of the spoofed UI, interacts with the malicious elements.
5. The attacker uses the spoofed UI to trick the user into performing unintended actions, such as providing credentials or running malicious commands.
6. If credentials were stolen the attacker authenticates using the stolen credentials.
7. The attacker pivots to other systems on the internal network.
8. The attacker achieves their final objective, such as data exfiltration, deploying ransomware, or establishing persistent access.

Impact

Successful exploitation of CVE-2026-26151 could allow an attacker to perform spoofing attacks via manipulated UI elements within the Remote Desktop session. This could lead to unauthorized access to sensitive information, credential theft, or the execution of arbitrary commands on the remote system. Depending on the compromised system’s role and privileges, this could potentially lead to wider compromise within the organization’s network. The impact can range from data breaches to system downtime and reputational damage.

Recommendation

• Apply the security update provided by Microsoft to patch CVE-2026-26151 as detailed in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151.
• Deploy the Sigma rule “Detect Suspicious RDP Clipbard Activity” to detect potential data exfiltration attempts via the clipboard during RDP sessions.
• Monitor network traffic for anomalies associated with RDP connections, such as unexpected data transfers or connections from unusual source IPs, to complement the remediation of CVE-2026-26151.

]]>mediumadvisorycve-2026-26151rdpspoofingwindowshttps://feed.craftedsignal.io/briefs/2026-03-freerdp-heap-overflow/Mon, 30 Mar 2026 22:16:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-freerdp-heap-overflow/A heap-buffer-overflow read vulnerability exists in FreeRDP versions prior to 3.24.2, specifically in the winpr_aligned_offset_recalloc() function, potentially leading to denial of service or information disclosure.<p>CVE-2026-33982 is a heap-buffer-overflow READ vulnerability affecting FreeRDP, a widely used open-source implementation of the Remote Desktop Protocol (RDP). The vulnerability exists in versions prior to 3.24.2 and is located within the <code>winpr_aligned_offset_recalloc()</code> function. Specifically, the flaw occurs due to an out-of-bounds read 24 bytes before the allocated buffer, which could be triggered during specific RDP operations involving memory reallocation. Successful exploitation can lead…</p> mediumadvisoryfreerdpheap-buffer-overflowcve-2026-33982rdphttps://feed.craftedsignal.io/briefs/2026-03-freerdp-vulns/Tue, 24 Mar 2026 10:17:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-freerdp-vulns/A remote, anonymous attacker can exploit multiple vulnerabilities in FreeRDP to cause a denial of service or potentially execute arbitrary program code.Multiple vulnerabilities exist within FreeRDP, a free implementation of the Remote Desktop Protocol (RDP). An unauthenticated, remote attacker can exploit these vulnerabilities to achieve a denial-of-service (DoS) condition on a vulnerable system, or potentially gain the ability to execute arbitrary code. While the specific CVEs are not detailed in this brief, the generic nature of RDP exploitation makes it a high-impact concern. This issue came to light on March 24, 2026, and is a potential risk to any system using FreeRDP if not mitigated by appropriate updates and security practices. Because of the ubiquitous nature of RDP, this poses a significant risk to organizations using affected versions.

Attack Chain

1. Attacker identifies a vulnerable FreeRDP server exposed to the network.
2. Attacker establishes an RDP connection to the target server on port 3389 (default).
3. Attacker sends a series of crafted RDP packets designed to exploit a specific vulnerability in FreeRDP’s processing of session data.
4. If successful, the exploit triggers a buffer overflow or other memory corruption issue within the FreeRDP process.
5. The attacker leverages the memory corruption to overwrite critical program data or inject malicious code into the process’s memory space.
6. The injected code is executed, granting the attacker control over the FreeRDP session or potentially the entire system, depending on the specific vulnerability and the privileges of the FreeRDP process.
7. Alternatively, the crafted packets could cause the FreeRDP service to crash, resulting in a denial-of-service condition.
8. The attacker may then attempt to escalate privileges, install malware, or move laterally within the network.

Impact

Successful exploitation can lead to a denial-of-service condition, disrupting remote access services. More critically, attackers may be able to execute arbitrary code, leading to full system compromise. This could allow attackers to steal sensitive data, install ransomware, or use the compromised system as a foothold for further attacks within the network. The number of potentially affected systems is large, given the widespread use of RDP for remote administration and access.

Recommendation

• Monitor network connections for suspicious RDP traffic, especially connections originating from unexpected sources; deploy the provided network connection Sigma rule.
• Implement network segmentation to limit the exposure of RDP services to only authorized networks and users.
• Audit RDP usage for anomalies and suspicious activity, paying close attention to unexpected processes launched by RDP sessions; leverage process creation Sigma rule.
• Ensure FreeRDP is updated to the latest version to patch known vulnerabilities.

]]>highadvisoryfreerdprdpvulnerabilitydenial-of-servicecode-executionhttps://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/Tue, 30 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/A machine learning job detected a high count of destination IPs establishing RDP connections with a single source IP, indicating potential lateral movement attempts after initial compromise.This threat brief addresses the potential for lateral movement within a network facilitated by an unusual spike in Remote Desktop Protocol (RDP) connections originating from a single source IP address. This activity is detected using an Elastic machine learning job designed to identify anomalies in network connection patterns. The rule “Spike in Number of Connections Made from a Source IP” leverages this ML job to flag instances where a single host initiates RDP connections to a significantly higher than normal number of distinct destination IPs, potentially indicating that an attacker is attempting to pivot and gain access to additional systems after compromising an initial foothold. This detection mechanism is available in Elastic Security 9.4.0 and later, with the Lateral Movement Detection integration assets installed.

Attack Chain

1. Initial Compromise: An attacker gains initial access to a host within the network through methods such as phishing, exploiting a vulnerability, or credential theft.
2. Establish Foothold: The attacker establishes a foothold on the compromised system, potentially installing tools for reconnaissance and lateral movement.
3. Internal Reconnaissance: The attacker performs internal reconnaissance to identify potential target systems accessible via RDP.
4. RDP Connection Attempts: The attacker initiates RDP connections to a large number of internal IP addresses from the compromised host.
5. Credential Harvesting: The attacker attempts to harvest credentials from the targeted systems to gain further access.
6. Lateral Movement: The attacker successfully connects to additional systems using RDP, leveraging harvested or stolen credentials.
7. Privilege Escalation: On newly accessed systems, the attacker attempts to escalate privileges to gain administrative control.
8. Objective Completion: With broader access and elevated privileges, the attacker achieves their objective, which may include data exfiltration, ransomware deployment, or disruption of services.

Impact

If successful, this lateral movement can result in widespread compromise across the targeted network. A single compromised host can serve as a launching point to access sensitive data, critical systems, and ultimately, inflict significant damage. The “Spike in Number of Connections Made from a Source IP” rule aims to detect these lateral movement attempts early, minimizing potential damage. The impact of a successful attack could range from data breaches and financial losses to operational disruption and reputational damage, affecting organizations across various sectors.

Recommendation

• Enable host IP collection if using Elastic Defend (versions 8.18 and above), by following the configuration steps outlined in the Elastic documentation to ensure the host.ip field is populated.
• Install the Lateral Movement Detection integration assets as described in the official Elastic documentation.
• Review and tune the false positive analysis steps within the detection rule’s documentation. Whitelist known administrative IPs or legitimate RDP usage patterns to minimize noise.
• Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface as recommended in the rule’s response and remediation guidance.

]]>lowadvisorylateral-movementrdpelastichttps://feed.craftedsignal.io/briefs/2024-01-high-mean-rdp-session/Wed, 24 Jan 2024 18:10:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-high-mean-rdp-session/A machine learning job detected an unusually high mean of RDP session duration, indicative of potential lateral movement or persistent access attempts by adversaries abusing RDP.This threat brief addresses the detection of unusually long Remote Desktop Protocol (RDP) sessions, identified by a pre-built Elastic machine learning job named lmd_high_mean_rdp_session_duration_ea. Attackers can abuse RDP for lateral movement and maintaining persistence within a network. Extended RDP sessions can also be used to evade detection mechanisms. This detection leverages machine learning to identify deviations from normal RDP session durations, potentially indicating malicious activity. The detection rule has been available since October 2023, and the corresponding ML job is part of the Lateral Movement Detection integration, requiring Elastic Stack version 9.4.0 or later. The rule depends on the host.ip field to be populated, which may require enabling host IP collection in Elastic Defend versions 8.18 and above.

Attack Chain

1. An attacker gains initial access to a system within the network, possibly through phishing or exploiting a public-facing application.
2. The attacker leverages valid credentials or exploits a vulnerability to establish an RDP connection to a target system.
3. The RDP session is maintained for an extended period, significantly longer than typical RDP sessions within the environment.
4. During the prolonged RDP session, the attacker performs reconnaissance, gathering information about the network and target systems.
5. The attacker moves laterally to other systems within the network, using the established RDP session as a persistent access point.
6. The attacker executes malicious commands or transfers files, potentially installing malware or exfiltrating sensitive data.
7. The unusually long RDP session duration helps the attacker to remain undetected and evade security measures.
8. The attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.

Impact

Successful exploitation and undetected lateral movement via prolonged RDP sessions can lead to significant data breaches, system compromise, and financial loss. The impact includes potential theft of sensitive information, disruption of business operations, and reputational damage. If an adversary establishes a persistent foothold via RDP, they can maintain long-term access to the compromised environment.

Recommendation

• Ensure host.ip field is populated by enabling host IP collection if using Elastic Defend versions 8.18 and above, as described in the helper guide.
• Install and configure the Lateral Movement Detection integration in Kibana as described in the setup guide.
• Tune the machine learning job lmd_high_mean_rdp_session_duration_ea by adjusting the anomaly_threshold based on your environment and RDP usage patterns.
• Investigate triggered alerts from the “High Mean of RDP Session Duration” rule following the triage and analysis guide.
• Monitor Windows RDP process events collected by the Elastic Defend integration for suspicious activity.

]]>lowadvisorylateral-movementrdpmachine-learninghttps://feed.craftedsignal.io/briefs/2024-01-rdp-internet/Wed, 03 Jan 2024 14:30:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rdp-internet/This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.Remote Desktop Protocol (RDP) is a common tool for system administrators to remotely manage systems, however, exposing RDP directly to the internet creates a significant attack surface. Threat actors frequently target and exploit RDP for initial access, lateral movement, and establishing backdoors within compromised networks. This activity is detected by monitoring network traffic for RDP connections originating from outside the internal network (RFC1918 IP ranges). This is important because successful RDP compromise often leads to broader network infiltration and data exfiltration. This detection focuses on the network level characteristics of RDP connections from the internet to internal assets.

Attack Chain

1. An attacker identifies a publicly accessible RDP service.
2. The attacker attempts to brute-force RDP login credentials or exploits a known RDP vulnerability (e.g. BlueKeep CVE-2019-0708).
3. Upon successful authentication or exploitation, the attacker gains remote access to the targeted system.
4. The attacker uses the compromised system as a pivot point to perform reconnaissance on the internal network.
5. The attacker moves laterally within the network using stolen credentials or by exploiting other vulnerabilities.
6. The attacker installs malware or establishes persistence mechanisms (e.g., creating new user accounts or modifying system configurations).
7. The attacker gathers sensitive data from internal systems.
8. The attacker exfiltrates the stolen data to an external server or deploys ransomware.

Impact

Compromised RDP services can lead to significant data breaches, system downtime, and financial losses. Attackers can leverage RDP access to steal sensitive information, install ransomware, or disrupt critical business operations. While the number of affected organizations varies, RDP exploitation remains a prevalent attack vector, especially for organizations with inadequate security practices. The impact of a successful RDP attack ranges from several thousands to millions of dollars, depending on the size of the organization and the sensitivity of the compromised data.

Recommendation

• Deploy the “RDP (Remote Desktop Protocol) from the Internet” Sigma rule to your SIEM to detect unauthorized RDP connections from outside the network.
• Review firewall rules and network configurations to ensure RDP services are not exposed directly to the internet. Implement a VPN or RDP gateway for secure remote access.
• Enable and monitor network traffic logs (category: network_traffic, product: windows|linux|macos) to provide data for the Sigma rule.
• Investigate any alerts generated by the Sigma rule, focusing on the source IP address and user accounts involved in the RDP connection.
• Implement network segmentation to limit the blast radius of a potential RDP compromise.

]]>mediumadvisorycommand-and-controllateral-movementinitial-accessrdphttps://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.This analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.

Attack Chain

1. The attacker scans the network to identify systems with open RDP ports (TCP 3389).
2. The attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.
3. The firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.
4. Sysmon logs the network connections with Event ID 3.
5. The attacker continues to attempt connections, typically exceeding 10 attempts within an hour.
6. Upon successful authentication, the attacker gains unauthorized access to the target system.
7. The attacker may then install malware, move laterally, or exfiltrate sensitive data.
8. The attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.

Impact

Successful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.

Recommendation

• Ensure network traffic data is populating the Network_Traffic data model to enable the provided search query.
• Deploy the Sigma rule RDP Bruteforce via Network Traffic to detect brute force attempts based on network connection patterns.
• Adjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.
• Investigate source IPs identified by the detection rule as potential attackers.
• Monitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.
• Review the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.

]]>highadvisoryrdpbruteforcecredential-accesswindowsnetworkhttps://feed.craftedsignal.io/briefs/2024-01-rdp-registry-enabled/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rdp-registry-enabled/An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.Attackers may enable Remote Desktop Protocol (RDP) to facilitate lateral movement within a compromised network. By modifying the fDenyTSConnections registry key to a value of 0, attackers can enable remote desktop connections, allowing them to access systems remotely. This technique can be employed using remote registry manipulation or tools like PsExec. The modification of the registry key is a common tactic used by ransomware operators and other threat actors to gain unauthorized access to victim servers. This activity can be performed to enable remote access for initial access or to regain access after persistence mechanisms have failed.

Attack Chain

1. An attacker gains initial access to a system via an exploit or compromised credentials.
2. The attacker uses a tool like PsExec or leverages remote registry modification capabilities.
3. The attacker modifies the fDenyTSConnections registry key, setting its value to 0. This key is typically located in HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.
4. The system’s RDP service is enabled or re-enabled as a result of the registry change.
5. The attacker attempts to connect to the now-enabled RDP service using valid or brute-forced credentials.
6. Upon successful authentication, the attacker gains interactive access to the system via RDP.
7. The attacker performs reconnaissance, elevates privileges, and moves laterally to other systems.
8. The attacker deploys ransomware, exfiltrates data, or achieves other objectives.

Impact

Successful modification of the fDenyTSConnections registry key allows unauthorized remote access to systems, potentially leading to lateral movement, data theft, or ransomware deployment. Organizations could suffer significant financial losses, reputational damage, and operational disruption. The scope of the impact depends on the attacker’s objectives and the level of access they gain within the environment.

Recommendation

• Deploy the Sigma rule “RDP Enabled via Registry” to detect modifications to the fDenyTSConnections registry key (rules).
• Monitor process creation events for suspicious use of reg.exe or PowerShell to modify registry keys related to RDP (rules).
• Implement network segmentation and firewall rules to restrict RDP traffic to authorized hosts (overview).
• Review the privileges assigned to users and ensure the principle of least privilege is enforced (overview).
• Enable Sysmon registry event logging to capture registry modifications (setup).
• Investigate any alerts related to registry modifications on critical systems (overview).

]]>mediumadvisorylateral-movementdefense-evasionrdpregistry-modificationhttps://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.Attackers can leverage the native Windows command-line tool netsh.exe to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing them to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. The behavior was observed being detected by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Crowdstrike.

Attack Chain

1. An attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).
2. The attacker gains a foothold on the system and escalates privileges as needed.
3. The attacker executes netsh.exe with specific arguments to modify the Windows Firewall configuration.
4. The netsh command creates or modifies an inbound rule to allow RDP traffic (TCP port 3389).
5. The attacker establishes an RDP connection to the compromised host.
6. The attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.
7. The attacker may attempt to disable or modify security tools to further evade detection.
8. The attacker achieves their objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation of this technique can lead to unauthorized remote access to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.

Recommendation

• Monitor process creation events for netsh.exe executing with arguments related to enabling inbound RDP traffic using the “Remote Desktop Enabled in Windows Firewall by Netsh” rule.
• Implement the Sigma rule provided below to detect instances of netsh.exe being used to modify firewall rules related to RDP.
• Enforce the principle of least privilege and restrict the use of netsh.exe to authorized personnel only.
• Review existing firewall rules and remove any unnecessary or overly permissive rules.
• Enable Sysmon process creation logging for enhanced visibility into process execution events.

]]>mediumadvisorydefense-evasionlateral-movementwindowsnetshrdp