Thursday, 7 February 2019

Threat Hunting #14 - RDP Hijacking via RDPWRAP | fDenyTSConnections | fSingleSessionPerUser

RDPWrapp is a legit third party utility that enable multiple simultaneous RDP session on non Windows Servers, which is something an attacker will need if he needs to operate interactively while the victim is still active on his machine :

CarbonBlack:

regmod:HKLM\SYSTEM\CurrentControlSet\services\TermService\Parameters\ServiceDll or (process_name:svchost.exe and modload:rdpwrap.dll and modload:termsrv.dll)


Related:

It's also very important to watch for any unusual modification of the Terminal Server registry values fSingleSessionPerUser to allow multiple simultaneous Windows sessions using the same account, and fDenyTSConnections to allow Terminal Services connections.:

CarbonBlack:
  • regmod: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser
  • regmod: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

References:

https://github.com/stascorp/rdpwrap

No comments:

Post a Comment