For IT staff and Windows power users, Microsoft Terminal Services Remote Desktop Protocol (RDP) is a beneficial tool that allows for the interactive use or administration of a remote Windows system. However, Mandiant consultants have also observed threat actors using RDP, with compromised domain credentials, to move laterally across networks with limited segmentation.
To understand how threat actors take advantage of RDP, consider the following example:
- A staff member from the HR department working on his or her desktop inadvertently installs a malicious backdoor by interacting with a phishing email.
- The backdoor malware runs the password-stealing functionality of Mimikatz to obtain credentials held in memory for any user account that has logged on to the system.
- The backdoor creates a network tunnel to an attacker’s command and control (C2) server.
- The attacker logs on to the HR employee’s system with RDP through the network tunnel by using the compromised credentials.
- In pursuit of compromising financial information, the attacker uses Active Directory enumeration commands to identify domain-based systems used by the finance department.
- The attacker uses RDP and the compromised HR employee account to connect to a system in the finance department.
- The attacker uses Mimikatz to extract credentials on the finance system, resulting in access to cached passwords for the finance employee who uses the system and an IT administrator who recently logged onto the system for troubleshooting.
- Using RDP, the attacker leverages the HR employee’s account, the finance employee’s account, and the IT administrator’s account to log onto additional systems in the environment.
- The attacker stages data onto the HR employee’s system.
- The attacker steals the files via the built-in RDP copy and paste functionality.
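The chain above leaves a footprint that a defender can look for: every RDP session produces a successful-logon event on the destination host (Windows Security event 4624 with logon type 10, RemoteInteractive), and the attacker's hops show up as one account reaching an unusual number of hosts and as RDP sessions originating from hosts that themselves just received an RDP session. The following is an added example, not code from the Mandiant post; the host names, accounts, addresses and event records are constructed to mirror the scenario, and the record layout (timestamp, target host, account, logon type, source address) is an assumption about how the 4624 fields have been extracted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive, recorded for RDP sessions

# Constructed host inventory (invented names and addresses); used to map a logon's
# source network address back to the host it came from.
HOST_IPS = {
    "HR-WS01": "10.0.5.23",
    "FIN-WS07": "10.0.9.41",
    "FIN-SRV01": "10.0.9.10",
    "FILE-SRV02": "10.0.20.5",
    "IT-JUMP": "10.0.30.2",
}
IP_TO_HOST = {ip: host for host, ip in HOST_IPS.items()}

# Constructed events shaped like the fields of Security event 4624 on the target host:
# (timestamp, target host, account, logon type, source network address).
SAMPLE_EVENTS = [
    ("2024-01-15T08:15:00", "FIN-SRV01",  "it.admin", 10, "10.0.30.2"),  # admin from jump host
    ("2024-01-15T08:30:00", "HR-WS01",    "hr.user",  2,  "-"),          # console logon, not RDP
    ("2024-01-15T09:02:10", "HR-WS01",    "hr.user",  10, "127.0.0.1"),  # RDP over a local tunnel
    ("2024-01-15T09:20:00", "FIN-WS07",   "hr.user",  10, "10.0.5.23"),  # HR -> finance workstation
    ("2024-01-15T09:35:00", "FIN-SRV01",  "hr.user",  10, "10.0.9.41"),  # finance ws -> server
    ("2024-01-15T09:40:00", "FILE-SRV02", "fin.user", 10, "10.0.9.41"),
    ("2024-01-15T09:45:00", "FILE-SRV02", "it.admin", 10, "10.0.9.41"),
    ("2024-01-15T09:50:00", "IT-JUMP",    "it.admin", 10, "10.0.9.41"),
    ("2024-01-15T10:05:00", "HR-WS01",    "fin.user", 10, "10.0.9.41"),  # back to HR for staging
]


def parse(events):
    """Keep only RDP logons and return them as dicts sorted by time."""
    out = []
    for ts, host, user, ltype, src in events:
        if ltype != RDP_LOGON_TYPE:
            continue
        out.append({"time": datetime.fromisoformat(ts), "host": host, "user": user, "src": src})
    return sorted(out, key=lambda e: e["time"])


def rdp_fan_out(events, min_hosts=3, window=timedelta(hours=2)):
    """Accounts that opened RDP sessions to at least `min_hosts` distinct hosts within `window`.

    Returns {account: sorted hosts} using the largest host set seen for that account.
    """
    by_user = defaultdict(list)
    for e in parse(events):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        best = set()
        for i, start in enumerate(evs):  # slide the window over this account's sessions
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts and len(hosts) > len(best):
                best = hosts
        if best:
            flagged[user] = sorted(best)
    return flagged


def rdp_chains(events, hop_window=timedelta(hours=2)):
    """RDP logons whose source host itself received an RDP logon within `hop_window` before.

    Returns a list of (account, source host, destination host) hops in time order.
    """
    received = defaultdict(list)  # host -> times it was an RDP destination
    hops = []
    for e in parse(events):  # sorted, so every recorded time is <= e["time"]
        src_host = IP_TO_HOST.get(e["src"])
        if src_host and any(e["time"] - t <= hop_window for t in received[src_host]):
            hops.append((e["user"], src_host, e["host"]))
        received[e["host"]].append(e["time"])
    return hops


if __name__ == "__main__":
    for user, hosts in rdp_fan_out(SAMPLE_EVENTS).items():
        print(f"fan-out: {user} reached {len(hosts)} hosts via RDP: {', '.join(hosts)}")
    for user, src, dst in rdp_chains(SAMPLE_EVENTS):
        print(f"chained hop: {user} {src} -> {dst}")
```

On the constructed data the fan-out rule flags `hr.user` and `it.admin` (three hosts each inside two hours) but not `fin.user`, and the chain rule returns the six hops that start once the HR workstation has been entered through the tunnel. The console logon is ignored because only logon type 10 is considered, and the tunnelled logon from 127.0.0.1 starts no chain itself because it maps to no inventory host; in practice a loopback source on an RDP logon is worth its own rule, and the thresholds here should be tuned against what administrators legitimately do from their jump hosts.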