Skip to content

Latest commit

 

History

History
110 lines (69 loc) · 3.43 KB

T1021.001.md

File metadata and controls

110 lines (69 loc) · 3.43 KB

T1021.001 - Remote Desktop Protocol

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.(Citation: Alperovitch Malware)

Atomic Tests


Atomic Test #1 - RDP to DomainController

Attempt an RDP session via Remote Desktop Application to a DomainController.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
logonserver ComputerName argument default %logonserver% String $ENV:logonserver.TrimStart("\")
domain domain argument default %USERDOMAIN% String $Env:USERDOMAIN
username Username argument default %username% String $ENV:USERNAME
password Password String 1password2!

Attack Commands: Run with powershell!

$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"

Cleanup Commands:

$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} 
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #2 - RDP to Server

Attempt an RDP session via Remote Desktop Application over Powershell

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
logonserver ComputerName String WIN-DC
username Username String Administrator
password Password String 1password2!

Attack Commands: Run with powershell!

$Server="#{logonserver}"
$User="#{username}"
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"

Cleanup Commands:

$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }