Tuesday, October 8, 2024

Establishing a Baseline for Remote Desktop Protocol as Threat Actors Move in

For IT staff and Windows power users, Microsoft Terminal Services Remote Desktop Protocol (RDP) is a beneficial tool that allows for the interactive use or administration of a remote Windows system. However, Mandiant consultants have also observed threat actors using RDP, with compromised domain credentials, to move laterally across networks with limited segmentation.

To understand how threat actors take advantage of RDP, consider the following example:

  1. A staff member from the HR department working on his or her desktop inadvertently installs a malicious backdoor by interacting with a phishing email.
  2. The backdoor malware runs password-stealing functionality from Mimikatz to obtain credentials stored in memory for any user accounts that have accessed the system.
  3. The backdoor creates a network tunnel to an attacker’s command and control (C2) server.
  4. The attacker logs on to the HR employee’s system with RDP through the network tunnel by using the compromised credentials.
  5. In pursuit of compromising financial information, the attacker uses Active Directory enumeration commands to identify domain-based systems used by the finance department.
  6. The attacker uses RDP and the compromised HR employee account to connect to a system in the finance department.
  7. The attacker uses Mimikatz to extract credentials on the finance system, resulting in access to cached passwords for the finance employee who uses the system and an IT administrator who recently logged onto the system for troubleshooting.
  8. Using RDP, the attacker leverages the HR employee’s account, the finance employee’s account, and the IT administrator employee’s account to log onto additional systems in the environment.
  9. The attacker stages data onto the HR employee’s system.
  10. The attacker steals the files via the built-in RDP copy and paste functionality.
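The scenario above is what a baseline of RDP activity is meant to surface: steps 4, 6 and 8 all produce RemoteInteractive logons from account/host pairings that never occurred before the compromise. The following is an added illustration, not code from the FireEye/Mandiant article; it assumes a simplified CSV export of Windows Security log events (Event ID 4624, LogonType 10 for RDP) with constructed sample rows, builds a baseline from a prior period, and flags logons whose account-to-destination or account-from-source pairing is new.

```python
import csv
import io

# Constructed sample rows in a simplified Windows Security log export (assumed
# format). Event 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
BASELINE_LOG = """\
ts,event_id,logon_type,account,src_host,dst_host
2024-09-02T08:01:10,4624,10,hr_user,HR-WS01,HR-FILES01
2024-09-03T09:12:44,4624,10,fin_user,FIN-WS03,FIN-APP01
2024-09-04T17:30:02,4624,10,it_admin,IT-JUMP01,FIN-WS07
2024-09-05T08:05:19,4624,2,hr_user,HR-WS01,HR-WS01
"""
NEW_LOG = """\
ts,event_id,logon_type,account,src_host,dst_host
2024-10-01T08:02:31,4624,10,hr_user,HR-WS01,HR-FILES01
2024-10-01T22:14:05,4624,10,hr_user,HR-WS01,FIN-WS07
2024-10-01T23:03:12,4624,10,it_admin,HR-WS01,FIN-APP01
2024-10-02T07:55:00,4624,10,fin_user,FIN-WS03,FIN-APP01
"""

def rdp_logons(log_text):
    """Keep only successful RemoteInteractive (RDP) logons; drop other logon types."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows if r["event_id"] == "4624" and r["logon_type"] == "10"]

def build_baseline(log_text):
    """Record the (account, destination) and (account, source) pairs seen as normal."""
    acct_dst, acct_src = set(), set()
    for r in rdp_logons(log_text):
        acct_dst.add((r["account"], r["dst_host"]))
        acct_src.add((r["account"], r["src_host"]))
    return acct_dst, acct_src

def find_deviations(baseline, log_text):
    """Flag RDP logons whose account/host pairing never appeared in the baseline."""
    acct_dst, acct_src = baseline
    hits = []
    for r in rdp_logons(log_text):
        reasons = []
        if (r["account"], r["dst_host"]) not in acct_dst:
            reasons.append("new destination for account")
        if (r["account"], r["src_host"]) not in acct_src:
            reasons.append("new source host for account")
        if reasons:
            hits.append((r["ts"], r["account"], r["src_host"], r["dst_host"], "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_deviations(build_baseline(BASELINE_LOG), NEW_LOG):
        print(*hit)
```

On the sample data this flags the HR account reaching a finance workstation and the IT administrator account being used from the HR workstation, which are the pairings produced in steps 6 and 8 of the scenario; ordinary activity such as the finance user's daily logon is left alone.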

Read more at FireEye

Homeland Security Today
