Windows Remote Desktop Protocol: Remote to Rogue
Whilst I was waiting to see if the improvements I had made to my Windows 11 health script were working correctly and doing as I intended, I came across this nice little article.
Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog
A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.

The GPO link has been read and checked.
This campaign tracks a wave of suspected Russian espionage activity targeting European government and military organizations via widespread phishing. Google Threat Intelligence Group (GTIG) attributes this activity to a suspected Russia-nexus espionage actor group we refer to as UNC5837. The Computer Emergency Response Team of Ukraine (CERT-UA) reported this campaign on Oct. 29, 2024, noting the use of mass-distributed emails with .rdp file attachments among government agencies and other Ukrainian organizations. This campaign has also been documented by Microsoft, TrendMicro, and Amazon.
This campaign included use of RDP that was not focused on interactive control of victim machines. Instead, adversaries leveraged two lesser-known features of the RDP protocol to present an application (the nature of which is currently unknown) and access victim resources. Given the low prevalence of this tactic, technique, and procedure (TTP) in previous reporting, we seek to explore the technical intricacies of adversary tradecraft abusing the following functionality of RDP
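One defensive check that follows from the excerpt, as an added example (not code from the Google Cloud article): parse an .rdp attachment and flag the resource-redirection and RemoteApp settings it describes, so a mail gateway or triage script can quarantine the file before a user opens it. The sample .rdp content and the host name in it are constructed for illustration.

```python
"""Triage an .rdp attachment for the two RDP features abused in the campaign:
resource redirection (drives, clipboard, devices, smart cards, printers) and
RemoteApp mode. Added example; the sample file below is constructed."""
import re

# .rdp settings a locked-down, legitimate file would not normally enable.
# Each predicate returns True when the value exposes a victim resource or
# makes the session present a RemoteApp instead of a normal desktop.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v != "",          # local drives mapped to the server
    "devicestoredirect": lambda v: v != "",         # plug-and-play devices redirected
    "redirectclipboard": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",    # session launches a RemoteApp
    "remoteapplicationprogram": lambda v: v != "",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines (type is s, i or b) into a dict.
    Keys are lower-cased; unparseable lines are ignored. Callers must decode
    the file first, as .rdp files are often saved as UTF-16 with a BOM."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def triage_rdp(text):
    """Return the target host and the risky settings found, in RISKY_SETTINGS order."""
    settings = parse_rdp(text)
    findings = [name for name, is_bad in RISKY_SETTINGS.items()
                if name in settings and is_bad(settings[name])]
    return {"full_address": settings.get("full address", ""), "findings": findings}

# Constructed sample resembling a redirection-plus-RemoteApp attachment.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid
screen mode id:i:2
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||PLACEHOLDER-APP
"""

if __name__ == "__main__":
    print(triage_rdp(SAMPLE_RDP))
```

A file with an empty findings list is not proven safe, but any hit on the redirection or RemoteApp keys from an unsolicited attachment is a strong reason to quarantine it.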
I love this stuff. Finally getting around to writing my Microsoft Live Response script to deploy LGPO across devices I don't have physical access to.
This will be fun.
#enoughsaid