Plink can be used to establish secure shell (SSH) network connections to other systems using arbitrary source and destination ports. Figure 1: Enterprise firewall bypass using RDP and network tunneling with SSH as an example Inbound RDP TunnelingĪ common utility used to tunnel RDP sessions is PuTTY Link, commonly known as Plink. Once a connection has been established to the remote server through the firewall, the connection can be used as a transport mechanism to send or "tunnel" local listening services (located inside the firewall) through the firewall, making them accessible to the remote server (located outside the firewall), as shown in Figure 1. Network tunneling and port forwarding take advantage of firewall "pinholes" (ports not protected by the firewall that allow an application access to a service on a host in the network protected by the firewall) to establish a connection with a remote server blocked by a firewall. Historically, non-exposed systems protected by a firewall and NAT rules were generally considered not to be vulnerable to inbound RDP attempts however, threat actors have increasingly started to subvert these enterprise controls with the use of network tunneling and host-based port forwarding. As a result, FireEye has observed threat actors using native Windows RDP utilities to connect laterally across systems in compromised environments. Threat actors continue to prefer RDP for the stability and functionality advantages over non-graphical backdoors, which can leave unwanted artifacts on a system. When malware is removed from the equation, intrusions become increasingly difficult to detect.
When sophisticated threat actors establish a foothold and acquire ample logon credentials, they may switch from backdoors to using direct RDP sessions for remote access. On the other hand, Remote Desktop Services, and specifically the Remote Desktop Protocol (RDP), offers this same convenience to remote threat actors during targeted system compromises.
Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. Create a Free Mandiant Advantage Account.
0 kommentar(er)
