IR-19-038-001 RDP Backdoors

Remote Desktop Protocol (RDP) serves as an entry point for an attacker who wants to move laterally through an organization via RDP session hijacking. To persist and retain reliable access to the compromised RDP account, the attacker must place a backdoor on the system. Attackers use binary replacement and registry debugger methods to backdoor RDP and other popular Windows accessibility services: osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, AtBroker.exe. Sticky Keys and Utilman are two native Windows functions abused in popular RDP backdoors to give an attacker a system-level command prompt at the RDP login screen.
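The two techniques named above leave host-level traces a defender can check for: the registry debugger method sets a Debugger value under the Image File Execution Options (IFEO) key for the accessibility binary, and binary replacement leaves a file in System32 that is no longer the Microsoft-signed original. The following PowerShell audit is an added example written for this summary; it is not code from the Red Sky Alliance report. It assumes an elevated PowerShell 5.1 or later session on the Windows host being checked, that the genuine binaries carry a valid Microsoft signature (embedded or catalog), and that the file's OriginalFilename version metadata matches its name, which it does not when, for instance, a copy of cmd.exe has been dropped in its place.

```powershell
# Added example, not from the IR-19-038-001 report. Audits the accessibility
# binaries named in the advisory for the two backdoor techniques it describes.
# Assumes: elevated PowerShell 5.1+ on the Windows host under review.

$AccessibilityBinaries = @(
    'sethc.exe',          # Sticky Keys
    'utilman.exe',        # Utility Manager (Ease of Access button)
    'osk.exe',            # On-Screen Keyboard
    'Magnify.exe',
    'Narrator.exe',
    'DisplaySwitch.exe',
    'AtBroker.exe'
)

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-AccessibilityBackdoor {
    $findings = @()

    foreach ($bin in $AccessibilityBinaries) {

        # Technique 1: registry debugger method. A Debugger value under the
        # IFEO subkey for the binary makes Windows start that program instead
        # of the binary itself, including at the logon screen.
        $ifeoKey = Join-Path $IfeoRoot $bin
        if (Test-Path $ifeoKey) {
            $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                $findings += [pscustomobject]@{
                    Binary = $bin
                    Check  = 'IFEO Debugger value present'
                    Detail = $debugger
                }
            }
        }

        # Technique 2: binary replacement. The genuine file is Microsoft-signed
        # and its OriginalFilename metadata matches its own name; a swapped-in
        # copy of another executable fails one or both checks.
        $path = Join-Path $System32 $bin
        if (Test-Path $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $item = Get-Item -Path $path
            $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                                 ($sig.SignerCertificate.Subject -like '*Microsoft*')
            $origName = $item.VersionInfo.OriginalFilename
            # -ne is case-insensitive in PowerShell, so "Cmd.Exe" vs "sethc.exe" is a mismatch
            $nameMismatch = $origName -and ($origName -ne $bin)

            if (-not $signedByMicrosoft -or $nameMismatch) {
                $findings += [pscustomobject]@{
                    Binary = $bin
                    Check  = 'Binary integrity'
                    Detail = "SignatureStatus=$($sig.Status); OriginalFilename=$origName; SHA256=$((Get-FileHash -Path $path -Algorithm SHA256).Hash)"
                }
            }
        }
    }

    return $findings
}

$results = Test-AccessibilityBackdoor
if ($results.Count -eq 0) {
    Write-Output 'No IFEO debugger entries or replaced accessibility binaries found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it on a host suspected of hosting an RDP backdoor, or schedule it across a fleet and compare the SHA256 values it reports against a known-good baseline taken from a clean build of the same Windows version (the report does not publish hashes, so that baseline is yours to collect). The script only reads registry and file metadata, so it is safe to run in place during an investigation; remediation is to remove the Debugger value and restore the binary from installation media or a trusted copy of the same build.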
IR-19-038-001 RDP Backdoors.pdf
