Exposed RDP: The Misconfiguration that Keeps Paying Off
Opportunistic threat actors continue to exploit exposed RDP, RDWeb, and vulnerable VPN configurations to gain initial access. Once inside, attackers deploy custom reverse tunnels, harvest credentials, and modify registry and firewall settings to establish persistent RDP access.
Authors: Beth Robinson
Source: Huntress
Indicators of Compromise
- Filename: BypassCredGuard.exe - Credential harvesting tool executed by the attacker.
- Filename: SharpDecryptPwd.exe - Credential harvesting tool used to decrypt stored passwords (e.g., TeamViewer).
- Filename: agent.exe - Custom Go reverse tunnel executable used for persistent access.
- IP: 151[.]241[.]100[.]179 - Malicious IP address observed authenticating to a compromised SonicWall VPN.
- IP: 45[.]61[.]157[.]149 - Command and control (C2) server IP used by the custom Go reverse tunnel (agent.exe) on port 9001.
- IP: 72[.]62[.]82[.]195 - Malicious IP address observed authenticating to a compromised SonicWall VPN.
- IP: 91[.]92[.]243[.]33 - Malicious IP address used to access an exposed RDWeb portal.
What Happened
Cybercriminals are actively scanning the internet for exposed Remote Desktop Protocol (RDP) and vulnerable VPNs to break into company networks. Organizations with misconfigured or internet-facing remote access tools are primarily affected. This matters because attackers use these simple, known issues to gain persistent access, steal credentials, and move deeper into the network, often returning if the hole isn't patched. Organizations should ensure RDP is placed behind a firewall, monitor VPN logs, and quickly fix known misconfigurations.
Key Takeaways
- Exposed RDP and RDWeb portals remain highly targeted entry points for opportunistic attackers.
- Attackers utilize custom reverse tunnels and credential harvesting tools after gaining initial access.
- Compromised VPNs (e.g., SonicWall) are used to move laterally and reconfigure firewalls and registries to enable RDP.
- Continuous monitoring and rapid remediation of known exposures are critical to prevent repeat intrusions.
Affected Systems
- Windows
- Remote Desktop Protocol (RDP)
- Remote Desktop Web Access (RDWeb)
- SonicWall VPN
Attack Chain
Attackers scan the internet for exposed RDP, RDWeb, or vulnerable VPN appliances to gain initial access. Upon entry, they deploy custom Go reverse tunnels and credential harvesting tools like BypassCredGuard and SharpDecryptPwd. They then move laterally, using built-in Windows commands (reg, netsh) to modify registry keys and firewall rules to explicitly enable RDP access. Finally, they restart the Terminal Services service to ensure persistent remote access to the compromised environment.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but notes that SIEM and EDR solutions can detect the malicious authentication and lateral movement behaviors described.
Detection Engineering Assessment
- EDR Visibility: High — EDR can easily capture the execution of reg.exe and netsh.exe and the dropping of custom tools like agent.exe and BypassCredGuard.exe.
- Network Visibility: Medium — Network monitoring can detect inbound connections to port 3389 and outbound reverse tunnel traffic, but encrypted VPN traffic requires log ingestion.
- Detection Difficulty: Moderate — While the commands used to enable RDP are noisy and easily detected, distinguishing legitimate remote access from malicious access on exposed portals requires behavioral context and baseline tuning.
Required Log Sources
- Windows Security Event Log (Event ID 4776, 4624)
- Firewall Logs
- VPN Authentication Logs
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Attackers are modifying the registry to enable Terminal Services. | Process creation logs looking for reg.exe modifying the fDenyTSConnections key. | Persistence | Low |
| Attackers are modifying Windows Firewall to allow inbound RDP traffic. | Process creation logs looking for netsh.exe modifying firewall rules for port 3389 or the Remote Desktop group. | Defense Evasion | Low |
| Unauthorized reverse tunnels are communicating externally. | Network connections from unusual processes to external IPs on non-standard ports (e.g., 9001). | Command and Control | Medium |
Control Gaps
- Lack of MFA on external remote services
- RDP exposed directly to the internet without a firewall or VPN
- Insufficient monitoring of VPN authentication logs
Key Behavioral Indicators
- Execution of netsh.exe to modify firewall rules
- Modification of fDenyTSConnections registry key
- Restarting of TermService via command line
- Execution of known credential dumping tool names like BypassCredGuard.exe
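Detection logic for the behavioral indicators above and for the hunting hypotheses table, as an added example that is not part of the Huntress report or this page: a Python triage script run over constructed Sysmon-style process-creation and network-connection events. The rule set, event field names and sample command lines are assumptions modelled on the indicators; only the tool names, registry value, C2 IP and port 9001 come from the report.

```python
import ipaddress
import re

# Process-creation rules (Sysmon Event ID 1 / Security 4688) drawn from the report's Key Behavioral Indicators:
# (rule name, ATT&CK stage, image regex, command-line regex); all matching is case-insensitive. Assumed rule set.
PROCESS_RULES = [
    ("rdp_registry_enable", "Persistence", r"\\reg\.exe$", r"fDenyTSConnections"),
    ("rdp_firewall_allow", "Defense Evasion", r"\\netsh\.exe$", r"firewall.*(3389|remote desktop)"),
    ("termservice_restart", "Persistence", r"\\net1?\.exe$", r"\b(stop|start)\s+TermService\b"),
    ("credential_tool", "Credential Access", r"\\(BypassCredGuard|SharpDecryptPwd)\.exe$", r""),
]
STANDARD_PORTS = {80, 443}
TRUSTED_DIRS = re.compile(r"^C:\\(Windows|Program Files)", re.I)

def classify_process(image, cmdline):
    """Return the (rule, stage) pairs a single process-creation event matches."""
    return [(name, stage) for name, stage, img_re, cmd_re in PROCESS_RULES
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]

def suspicious_tunnel(image, dest_ip, dest_port):
    """Sysmon Event ID 3 heuristic: a binary outside Windows/Program Files talking to a public IP on a non-standard port."""
    return (not TRUSTED_DIRS.match(image) and ipaddress.ip_address(dest_ip).is_global
            and dest_port not in STANDARD_PORTS)

def hunt(events):
    """Run both checks over a mixed event stream and return (rule, stage, image) alerts in event order."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            alerts += [(r, s, ev["image"]) for r, s in classify_process(ev["image"], ev["cmdline"])]
        elif ev["type"] == "network" and suspicious_tunnel(ev["image"], ev["dest_ip"], ev["dest_port"]):
            alerts.append(("reverse_tunnel_c2", "Command and Control", ev["image"]))
    return alerts

# Constructed sample telemetry (not captured from the incident): the report's attack chain plus one benign reg.exe call.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"type": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop TermService"},
    {"type": "process", "image": r"C:\Users\username\Music\MiM\Pass\BypassCredGuard.exe", "cmdline": "BypassCredGuard.exe"},
    {"type": "network", "image": r"C:\Users\username\Music\MiM\agent.exe", "dest_ip": "45.61.157.149", "dest_port": 9001},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The benign `reg query` event produces no alert, which is the point of matching on the command line rather than on reg.exe alone; tune TRUSTED_DIRS and STANDARD_PORTS to your environment before using the tunnel heuristic in production.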
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and immediately place any internet-exposed RDP or RDWeb services behind a firewall or VPN.
- Rotate credentials for any accounts associated with recently exposed or compromised remote access portals.
Infrastructure Hardening
- Evaluate whether MFA can be enforced on all external-facing services, including VPNs and RDWeb.
- Consider restricting RDP access to only authorized administrative IP ranges or jump servers.
- Ensure firewall and VPN logs are actively ingested into a SIEM for early warning detection.
User Protection
- If your EDR supports it, consider implementing rules to block unauthorized modifications to the Terminal Server registry keys.
Security Awareness
- Ensure IT and security teams are aware of the risks of leaving temporary access ports open and incorporate port scanning into regular vulnerability assessments.
MITRE ATT&CK Mapping
- T1133 - External Remote Services
- T1190 - Exploit Public-Facing Application
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1112 - Modify Registry
- T1562.004 - Impair Defenses: Disable or Modify System Firewall
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1572 - Protocol Tunneling
- T1003 - OS Credential Dumping
Additional IOCs
- Registry Keys:
  - HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server - Registry key modified by attackers to enable RDP connections (fDenyTSConnections).
- File Paths:
  - C:\Users\username\Music\MiM\Pass\BypassCredGuard.exe - Path where the Credential Guard bypass tool was executed.
  - C:\Users\username\Music\MiM\Pass\SharpDecryptPwd.exe - Path where the password decryption tool was executed.
  - C:\Users\username\Music\MiM\1ALL.bat - Batch script executed by the attacker via cmd.exe.
  - \Windows\Temp\AXqtxC - Temporary file used to pipe output from the netsh firewall modification command.
- Command Lines:

| Purpose | Tools | Stage | Command Line |
|---|---|---|---|
| Enable RDP connections by modifying the registry. | reg.exe | Persistence | |
| Restart Terminal Services to apply RDP registry changes. | net.exe, timeout.exe | Persistence | `net stop TermService && timeout /t 2 && net start TermService` |
| Open port 3389 in Windows Firewall to allow inbound RDP traffic. | netsh.exe | Defense Evasion | |
| Enable the Remote Desktop firewall rule group. | netsh.exe, cmd.exe | Defense Evasion | |
| Execute a custom Go reverse tunnel to establish C2 communication. | agent.exe | Command and Control | `agent.exe -server` |