Going Rogue: APT29 Using Rogue RDP | Threat SnapShot
In 2022, Microsoft began blocking macros originating from the internet in Office, pushing both pentesters and threat actors to explore new methods for initial access. Fast forward to October 2024, and APT29 is leveraging one of those methods—Rogue RDP—discovered as a workaround back in 2022. In this video, we dive into a recent spearphishing campaign uncovered by the Ukrainian CERT, where attackers used Rogue RDP to gain initial access to targets. This video will provide you with practical detection opportunities that can be used to hunt for this activity in your environment.
👋 *Follow us:*
https://www.linkedin.com/company/snapattack/
https://twitter.com/snapattackhq
https://www.linkedin.com/in/ajkingio/
https://twitter.com/ajkingio
SnapAttack Resources:
- https://app.snapattack.com/threat/22e3caf0-dfb9-f589-5845-795781a8e161 - Threat: Rogue RDP File Outbound Connection to pyrdp MITM
- https://app.snapattack.com/threat/698a692b-3ee8-0d8c-f858-a381a55ce5ef - Threat: Rogue RDP Connection with Startup File Write
- https://app.snapattack.com/detection/216b38a7-8f6c-49f5-ad3c-8eadad14cc9c - Detection: Suspicious File Created by RDP
- https://app.snapattack.com/detection/d33592f5-3398-479d-bf71-0f3b1ac74775 - Detection: RDP Connection Over Non-Standard Port
- https://app.snapattack.com/detection/9a695efa-bade-4281-97b2-cc100c259aa0 - Detection: Suspicious Mstsc.EXE Execution With Local RDP File
- https://app.snapattack.com/detection/39a9eea2-a845-450c-b398-dd8a8e878ad5 - Detection: Mstsc.EXE Execution With Local RDP File
References:
- https://cert.gov.ua/article/6281076
- https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/
- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/