Attachment: RDP Connection file

calendar Aug 21, 2023 · Attack surface reduction  ·
Share on: linkedin copy

Recursively scans files and archives to detect RDP connection files.

Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.

Sublime rule (View on GitHub)

 1name: "Attachment: RDP Connection file"
 2description: |
 3  Recursively scans files and archives to detect RDP connection files.
 4
 5  Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.  
 6references:
 7  - "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/"
 8  - "https://delivr.to/payloads?id=64f2d144-0060-472e-989c-3b331f6fb095"
 9type: "rule"
10authors:
11  - twitter: "ajpc500"
12severity: "medium"
13source: |
14  type.inbound
15  and (
16    any(attachments, .file_extension =~ "rdp")
17    or (
18      any(attachments,
19          .file_extension in~ $file_extensions_common_archives
20          and any(file.explode(.), .file_extension =~ "rdp")
21      )
22    )
23  )  
24tags:
25  - "Attack surface reduction"
26attack_types:
27  - "Malware/Ransomware"
28  - "Credential Phishing"
29detection_methods:
30  - "Archive analysis"
31  - "File analysis"
32id: "2409a422-4116-5a40-b929-c1b47ed5c1e5"
to-top