Why Shadow IT is the oxygen supply for APTs and what you can do to cut it off: the use case of Reverse RDP
This is the second post of the series highlighting real life APT attacks examples (you can find the first post here). This post covers another real-life scenario we have experienced at one of our financial customers: Reverse RDP (Remote Desktop Protocol).
In enterprises, controlling computers remotely is very common. The IT department, for example, needs to remotely control employees’ computers throughout the organization in order to fix problems that pop up on a daily basis. In order to do so, the IT department needs a tool to remotely control computers, and there are many available tools for this purpose.
Microsoft ships a built-in solution for this: Remote Desktop Connection, the client for RDP (Remote Desktop Protocol). Its binary name is mstsc.exe.
In order to run this tool, you can either:
- Search for “RDP” or “Remote Desktop” in Windows search
– Or –
- Run mstsc in the “Run” dialog (Win+R)
Either one launches the Remote Desktop Connection app:
Since this client is installed on every Windows machine, it is very popular in many organizations, and widely used both by the IT department and by other employees (such as developers who want to manage their servers in cloud environments, for example).
So far so good – After all, Microsoft gave us a great tool to control remote computers!
This article focuses on a specific RDP feature that leads to Shadow IT exploitations in many organizations – RDP local drives sharing.
What Is RDP Local Drives Sharing?
In many cases, when you remotely control a computer, you want to run various executables on it to help you identify & solve a problem.
Microsoft’s RDP client has a feature called drive redirection that lets the client share its local drives with the RDP server. In our scenario that means the employee’s computer (the RDP server) can reach the IT person’s local drives (C:\ for example) for as long as the RDP connection is open. The IT person can then easily copy files from their own computer to the employee’s computer and run whatever utilities they need to solve the problem.
In order to enable this feature, you should:
- Click on “Show Options”
- Go to the Local Resources tab and click “More”:
- Mark the “Drives” checkbox (or select the exact drives you want to share) and click OK
When you connect over RDP after enabling this feature, the RDP server (i.e. the employee with the problem) will show this in File Explorer:
In the above screenshot, you can see that when I connected with RDP to the remote machine I could see my own C drive on the destination computer. Now the remotely controlled computer can access folders on my computer.
When running the “net use” command, you can see this new network folder:
I ran ‘dir \\TSCLIENT\C\users\shai\Pictures’ and it returned:
Which is my Pictures folder!
So let’s take this example and assume that Alice came to work and saw some disturbing problem in her computer, so she opens a ticket for the IT department.
Later Bob, in IT, handles that ticket and remotely accesses and controls Alice’s computer using Microsoft’s RDP in order to solve the problem.
Bob needs to run some analysis utilities on Alice’s computer, so he needs to copy some files from his computer to Alice’s desktop. In order to do so, Bob shares his local drives, so after connecting to Alice’s computer he just copies the files from his computer to Alice’s.
While the RDP connection is open, Alice’s computer has full access to Bob’s shared drives, under the path \\tsclient\<drive letter>, with the same privileges as Bob’s user. That means that Alice (or anything running on her computer) can read and/or edit any file on Bob’s shared drives, just like Bob can.
Anatomy of an APT paradise – what an APT would do
APTs always try to gain higher privileges on more computers. The IT department is the “holy grail” for APTs, because once you get there you can basically get to wherever you want.
The Reverse RDP technique allows APTs to compromise high privileged computers from low privileged computers: the victim connects to the attacker, not the other way around.
Let’s assume that an APT has compromised Alice’s computer (by phishing mails for example) before Bob connected to it – So what can it do in order to compromise Bob’s computer, once Bob remotely controls it?
There are many options for running code on Bob’s computer in this situation; I will give just one example. As we said, the APT can modify Bob’s shared drives with the same privileges as Bob’s user, so it can drop a file into the Startup folder of Bob’s user (in Windows 10 that is C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, reachable from Alice’s computer as \\tsclient\C\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\). Whatever is placed there runs under Bob’s account the next time Bob logs in (after a reboot, for example).
So the APT just writes one file and waits until Bob logs in again. Now the APT has control of Bob’s computer, with Bob’s (higher) privileges.
Why the organization just provided the perfect APT paradise
> The APT compromised a high privileged computer
> The APT remained undetected:
- Everything the APT did was “legitimate” (it did not exploit any vulnerability, for example); it only wrote a file to a share it had been given access to.
- The APT did not initiate any network connectivity to Bob’s newly compromised computer, Bob was the one who initiated the connection.
- The actual act of exploitation is detached from the moment of the RDP connection. The APT wrote a file and then waited until Bob logged in again, which can happen hours after the RDP connection was over.
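The list above is exactly the gap a detection rule should close. The following is an added example for this post, not code from the original or from any product: it runs a simple rule over Sysmon-style FileCreate events (Event ID 11) collected from Bob’s machine. It assumes that writes a remote session makes through drive redirection appear on the client (Bob’s) machine as file creates by mstsc.exe, because the client process services the redirected \\tsclient drive, and that mstsc.exe’s own legitimate writes are limited to its bitmap cache under %LOCALAPPDATA%\Microsoft\Terminal Server Client. The events are constructed samples in a simplified JSON-lines form, not real logs.

```python
"""Flag Reverse RDP persistence in Sysmon-style FileCreate events from the RDP client host.

Added example; assumptions (not from the original post):
 - drive-redirection writes from the server land on the client as FileCreate by mstsc.exe,
 - mstsc.exe's only expected local writes are its bitmap cache,
 - events are simplified JSON lines with Sysmon field names.
"""
import json
import re

FILE_CREATE = 11  # Sysmon Event ID 11 = FileCreate

# Autostart locations: anything mstsc.exe writes here runs at Bob's next logon.
AUTOSTART_RE = re.compile(
    r"\\start menu\\programs\\startup\\|\\windows\\system32\\tasks\\",
    re.IGNORECASE,
)

# mstsc.exe legitimately writes its own bitmap cache; every other file it
# creates on the local disk came in over the redirected drive.
CLIENT_CACHE_RE = re.compile(
    r"\\appdata\\local\\microsoft\\terminal server client\\", re.IGNORECASE
)

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = r"""
{"EventID": 11, "Computer": "BOB-PC", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\mstsc.exe", "TargetFilename": "C:\\Users\\Bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"}
{"EventID": 11, "Computer": "BOB-PC", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\mstsc.exe", "TargetFilename": "C:\\Users\\Bob\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache\\Cache0000.bin"}
{"EventID": 11, "Computer": "BOB-PC", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\mstsc.exe", "TargetFilename": "C:\\Users\\Bob\\Documents\\results.txt"}
{"EventID": 11, "Computer": "BOB-PC", "User": "CORP\\bob", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk"}
{"EventID": 1, "Computer": "BOB-PC", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\mstsc.exe", "CommandLine": "mstsc.exe /v:ALICE-PC"}
"""


def is_rdp_client(image: str) -> bool:
    return image.lower().endswith("\\mstsc.exe")


def classify(event: dict):
    """Return 'HIGH', 'MEDIUM' or None for one event.

    HIGH   = the remote side planted something in an autostart location (the post's scenario).
    MEDIUM = the remote side wrote somewhere on the local disk, i.e. drive redirection is in use.
    """
    if event.get("EventID") != FILE_CREATE:
        return None
    if not is_rdp_client(event.get("Image", "")):
        return None
    target = event.get("TargetFilename", "")
    if CLIENT_CACHE_RE.search(target):
        return None  # the client's own cache, expected
    if AUTOSTART_RE.search(target):
        return "HIGH"
    return "MEDIUM"


def parse_events(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(text: str):
    """Run classify() over a JSON-lines event stream and return the alerts in order."""
    alerts = []
    for ev in parse_events(text):
        severity = classify(ev)
        if severity:
            alerts.append({
                "severity": severity,
                "computer": ev.get("Computer"),
                "user": ev.get("User"),
                "target": ev.get("TargetFilename"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['computer']} {alert['user']}: {alert['target']}")
```

The MEDIUM tier is the part that finds the shadow IT itself: every mstsc.exe write outside its cache tells you a session with drive redirection was open and the server side used it, whether or not an attacker was involved. The explorer.exe write to the same Startup folder is deliberately not flagged, since the rule is about the origin of the write, not the folder alone.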
How we can complement red team capabilities
It is extremely difficult for humans to find this kind of APT behavior. These exploitable RDP connections are short-lived and somewhat rare. If a red team was not active in the network during the exact time when it happened, the attack path would never have been detected. And even if there was an active red team, it would have had to be present on Alice’s computer at that exact time. It is also hard to expose this method in a network with thousands of computers. Inevitably, this kind of IT behavior will continue and repeat itself on other occasions. You must have an automated system running 24/7 to find these kinds of IT issues and fix them as soon as they are created, in order to avoid a situation where an attacker takes advantage of them.
Ways to cut off attackers’ oxygen supply
> Don’t use the shared drives feature. Enforce this rather than relying on habit: the “Do not allow drive redirection” Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection), which sets fDisableCdm=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, makes the RDP server refuse redirected drives, so applying it to every workstation closes the path even when the client asks for it.
> Some alternatives:
- Use the built-in copy-paste of Microsoft’s RDP app: you can copy files on your computer and paste them into the RDP window. Note that this works through clipboard redirection, which is also a channel from the client to the server (the server side reads whatever is on your clipboard), so keep it enabled only when you need it.
- Put your software utilities on a remote file share that is accessible by both Alice (who needs to read these files) and Bob (who needs to create these files).
- Pay extra attention to the file permissions of this remote file share: Bob (IT) writes, Alice (the managed computer) only reads, so nothing can be planted on Bob’s side from Alice’s.
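Saved connections are where the drive-sharing habit survives, so it is worth auditing the .rdp files IT staff keep. The block below is an added example, not code from the original post: it parses the standard .rdp format (one “name:type:value” setting per line, type s for string and i for integer), reports the settings that open a client-to-server channel (drivestoredirect, devicestoredirect, redirectclipboard) and writes a hardened copy with drive and device redirection explicitly off. Clipboard redirection is only reported, not removed, since the post keeps copy-paste as the recommended alternative. SAMPLE_RDP is a constructed file, not one captured from a real host.

```python
"""Audit and harden Remote Desktop Connection (.rdp) files.

Added example; it assumes the documented .rdp setting names and the
"name:type:value" line format. SAMPLE_RDP is constructed, not real.
"""

# Settings that give the RDP server a path back into the client, with severity.
REDIRECTION_KEYS = {
    "drivestoredirect": ("HIGH", "local drives reachable from the server as \\\\tsclient\\<drive>"),
    "devicestoredirect": ("HIGH", "plug-and-play devices redirected to the server"),
    "redirectclipboard": ("MEDIUM", "clipboard contents readable by the server"),
}

# Constructed sample: a typical "share everything" connection file.
SAMPLE_RDP = """\
full address:s:ALICE-PC
username:s:CORP\\bob
screen mode id:i:2
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
"""


def parse_rdp(text: str) -> dict:
    """Return {name: (type, value)}; values may themselves contain ':' (e.g. 'C:;D:;')."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, typ, value = parts
        settings[name] = (typ, value)
    return settings


def _enabled(key: str, value: str) -> bool:
    # drivestoredirect/devicestoredirect: "*" = all, "C:;D:;" = listed, "" = none
    if key in ("drivestoredirect", "devicestoredirect"):
        return value.strip() != ""
    return value.strip() == "1"


def audit(settings: dict) -> list:
    """List (severity, key, message) for redirection settings present and enabled.

    Keys absent from the file are left to the client default and not reported;
    harden() writes them out explicitly so the file no longer depends on that default.
    """
    findings = []
    for key, (severity, exposure) in REDIRECTION_KEYS.items():
        if key not in settings:
            continue
        _typ, value = settings[key]
        if _enabled(key, value):
            findings.append((severity, key, f"{key}={value!r}: {exposure}"))
    return findings


def harden(text: str) -> str:
    """Return the file with drive and device redirection explicitly off; other lines untouched."""
    forced = {"drivestoredirect": "s:", "devicestoredirect": "s:"}
    out, seen = [], set()
    for raw in text.splitlines():
        parts = raw.split(":", 2)
        if len(parts) == 3 and parts[0] in forced:
            out.append(f"{parts[0]}:{forced[parts[0]]}")
            seen.add(parts[0])
        else:
            out.append(raw)
    for key, value in forced.items():
        if key not in seen:
            out.append(f"{key}:{value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for severity, key, message in audit(parse_rdp(SAMPLE_RDP)):
        print(f"[{severity}] {message}")
    print("--- hardened ---")
    print(harden(SAMPLE_RDP), end="")
```

The client-side file only controls what the client offers; the server-side policy named above is what actually refuses the drive, so treat this audit as a way to find who still has the habit, not as the control itself.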