The Defender's Advantage Podcast
Episode: Windows Remote Desktop Protocol: Remote to Rogue
Host: Luke McNamara (Google Threat Intelligence Group, Mandiant)
Guest: Rohit Nambiar (Senior Security Researcher, Google Threat Intelligence Group)
Date: April 14, 2025
Overview
In this episode, the Defender’s Advantage Podcast explores a cutting-edge Russian-nexus cyber-espionage campaign that creatively abused legitimate features of the Windows Remote Desktop Protocol (RDP) for espionage operations. Host Luke McNamara and researcher Rohit Nambiar discuss how attackers leveraged .RDP files—commonly overlooked in security policy—to map victim resources, exfiltrate data, and evade detection using largely native Windows capabilities. The conversation provides actionable defensive guidance, insights into detection challenges, and a rare look into novel RDP tradecraft.
Key Discussion Points & Insights
1. Discovery and Motivation for Research
- Campaign Discovery:
  - The Russian-attributed campaign (UNC5837) specifically targeted European government and military organizations via phishing (03:17).
  - Initial investigation began after mass emails with abnormal .RDP file attachments were reported by Ukraine's Computer Emergency Response Team (CERT) (05:18).
- Why This Stood Out:
  - Quote: "We also realized that, hey, this is a new technique. This is something we've not really seen being exploited before." – Rohit (01:33)
  - The campaign used .RDP files in a way not previously observed, prompting further investigation.
2. Traditional vs. Novel Uses of RDP
- Traditional RDP Abuse:
  - Used with valid credentials or social engineering, giving attackers full interactive GUI access.
  - Common in support scams or lateral movement (03:43).
- Novel Technique in This Campaign:
  - Instead of full desktop takeover, attackers sent .RDP files that appeared as “applications” for users to run, a social engineering approach not typically associated with RDP (05:18, 07:55).
  - Quote: "This application style thing, that was something that was new and prompted us to kind of dig into it." – Rohit (07:18)
3. Technical Breakdown: How the Attack Worked
- Key RDP Features Abused:
  - RemoteApp: Only a single application (not the whole desktop) is presented to the victim. The actual executable runs on the attacker's server and is visually mirrored for the victim (07:55).
  - Resource Redirection: Maps the victim's local file systems (C: drive, D: drive) and resources (clipboard, printers, etc.) to the attacker's environment, enabling seamless access and potential data exfiltration (07:55, 11:32).
  - Quote: "My files... essentially become accessible to the server that I'm making the RDP connection to." – Rohit (07:55)
- Multi-Stage Attack Flow:
  - Victim receives a phishing email with a signed .RDP file and is lured to open it under the guise of testing “zero trust” policies.
  - Upon execution:
    - Only a specific app is displayed (potentially crafted to look familiar or to phish credentials).
    - The attacker's server gains access to mapped victim resources.
    - Clipboard data—including from VMs—can be silently exfiltrated as long as the session is active (12:21).
  - Quote: "Anything that the victim copies onto that clipboard gets sent to the attacker." – Rohit (12:21)
- Attack Potential:
  - Can stealthily persuade users to run malicious code, enter credentials, or copy sensitive content.
  - Enables automated, low-interaction espionage or further lateral movement.
  - Other mappable resources include printers, hardware keys (Yubikey, Titan), audio, and more.
4. Detection and Defense Challenges
- Invisibility by Design:
  - Most of the malicious activity resides on the attacker's server, evading defender visibility and detection tools.
  - Activities blend with legitimate RDP traffic, making identification difficult.
  - Quote: "It becomes very, very challenging for us to figure out what happened and let alone detect it." – Rohit (16:39)
- Policy Recommendations:
  - Enforce Group Policies to disable resource redirection unless required, especially for drives, clipboard, or specific devices (17:30).
  - Restrict or disable .RDP file execution except from signed, trusted publishers.
  - Quote: "You can run a dot RDP file in my environment, but only if it's signed by a certificate that we know about." – Rohit (00:02, 17:30)
  - Consider blocking .RDP file attachments in email at the gateway if not business-necessary.
- Hunting & Detection Techniques:
  - Scan for unexplained .RDP files, especially in temp directories used by email clients.
  - Monitor file creation events originating from the mstsc.exe (Remote Desktop Connection client) binary, filtering out known benign patterns.
  - Use Yara rules or similar to detect .RDP configs with RemoteApp or resource redirection settings, particularly those signed by unusual authorities like Let's Encrypt.
  - Retroactively hunt for abnormal RDP session artifacts in endpoint logs.
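One way to act on the hunting points above, and on the redirection settings the policy section says to disable: an added Python triage script (not code from the podcast, GTIG or the linked blog) that parses a .RDP file, flags RemoteApp mode and resource-redirection settings, and reports whether the file carries a signature. The line format and setting names are the ones mstsc.exe itself writes; the sample lure, its host name and the signature placeholder are constructed for illustration.

```python
# Added example; setting names are the ones mstsc.exe writes, sample data is constructed.
# setting -> (value that matters, or None for "any non-empty value", why it matters)
RISKY_SETTINGS = {
    "remoteapplicationmode:i": ("1", "RemoteApp: a single remote program is shown, not a desktop"),
    "drivestoredirect:s": (None, "local drives mapped into the remote session"),
    "redirectclipboard:i": ("1", "clipboard contents flow to the remote host"),
    "redirectprinters:i": ("1", "local printers exposed to the remote host"),
    "redirectsmartcards:i": ("1", "smart cards / hardware keys exposed to the remote host"),
}

def parse_rdp(data: bytes) -> dict:
    """Parse raw .RDP bytes into {'name:type': value}. mstsc.exe saves UTF-16 with a BOM,
    hand-made lures are often UTF-8; values may contain ':' (host:port), so split twice."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank line or junk
        name, typ, value = (p.strip() for p in parts)
        settings[f"{name.lower()}:{typ.lower()}"] = value
    return settings

def assess(settings: dict) -> list:
    """One finding per RemoteApp/redirection setting that hands local resources to the remote host."""
    findings = []
    for key, (trigger, why) in RISKY_SETTINGS.items():
        value = settings.get(key)
        if value is not None and ((trigger is None and value != "") or value == trigger):
            findings.append(f"{key}:{value} -> {why}")
    return findings

def is_signed(settings: dict) -> bool:
    """rdpsign.exe adds signscope/signature. Presence is not trust: the signer must still
    match the allow-list (the episode's red flag is a file signed via Let's Encrypt)."""
    return bool(settings.get("signature:s"))

# Constructed lure modelled on the episode's description (not a real artifact).
LURE_RDP = b"""full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||ZeroTrustCheck
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""
```

Run `assess(parse_rdp(LURE_RDP))` to see the four findings; a desktop-only admin file with redirection turned off yields none.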
5. Broader Trends and Future Risks
- Living off the Land, Evasion, and “Unknown Unknowns”:
  - Attackers increasingly leverage native features—“living off the land”—and techniques that fall outside traditional detection.
  - New or little-known features (like RDP’s advanced settings) are ripe for exploitation due to limited defender awareness and coverage.
  - Quote: "I think threat actors would love to stay in spaces that either we as defenders have low visibility into... functionalities that are native to a system, functionalities that are less known to folks and hence have less coverage..." – Rohit (26:17)
- Prediction:
  - Expect continued and broader use of legitimate protocols and techniques for stealthy operations; defenders must understand these functionalities to anticipate potential abuses.
6. The Phishing "Noise" vs. Stealth Tradecraft
- Mass Emailing as Entry Point:
  - Despite the stealthy RDP methodology, the campaign began with mass phishing—creating a noisy footprint that enabled early detection.
  - Guest speculates attackers may have either already achieved key goals before “going noisy,” or used the blast to squeeze maximum remaining value from campaign infrastructure (31:04, 33:13).
Notable Quotes & Timestamps
- “This is something we've not really seen being exploited before.” – Rohit (01:33)
- "It becomes very, very challenging for us to figure out what happened and let alone detect it." – Rohit (16:39)
- "You can run a dot RDP file in my environment, but only if it's signed by a certificate that we know about." – Rohit (00:02, 17:30)
- “Anything that the victim copies onto that clipboard gets sent to the attacker machine via rdp...” – Rohit (12:21)
- "I think threat actors would love to stay in spaces that either we as defenders have low visibility into... functionalities that are less known to folks and hence have less coverage..." – Rohit (26:17)
Important Segment Timestamps
- [03:17] – Attribution to Russian actor and campaign targeting context
- [07:55] – Technical explanation of RemoteApp and resource redirection abuse
- [12:21] – Discussion of clipboard and other resource mapping risks
- [17:30] – Specific hardening and policy options for defenders
- [26:17] – Forecast of similar techniques and the importance of understanding protocol features
- [31:04] – Analysis of attack’s initial “noisy” phishing phase
Memorable Moments
- Host Luke McNamara describes the threat actor as "very entrepreneurizing, entrepreneurial," leveraging both social engineering and technical stealth (16:39).
- Discovery of clipboard redirection risks, especially with virtual machines and cross-environment data leakage (12:21).
- Insight into the double-edged sword of mass phishing: increasing detection risk for the attacker, but also maximizing campaign reach before infrastructure is burned (31:04, 33:13).
Conclusion
This episode pulls back the curtain on a highly innovative abuse of Windows RDP, reinforcing the need to understand and secure even rarely used features of well-known protocols. Defenders are advised to review group policies, monitor for unexplained .RDP activity, and spread awareness of this new tradecraft. For further technical details—such as Yara rules and more detection ideas—see the blog linked in the show notes.
