Detecting Rogue RDP

Introduction

Microsoft recently announced that VBA macros in documents carrying the mark of the web will be disabled, reducing the ease of use of this widespread initial access technique. BlackHillsInfosec wrote a blog post on a different technique that could help fill the void, titled “Rogue RDP”. This post examines the signals generated by the attack, outlines detection opportunities, and discusses the Sysmon configuration changes required to capture them.

Rogue RDP Technique

The author, Mike Felch, describes the technique as:...

March 27, 2022 · 9 min · Nameless