He Said, She Said – Poisoned RDP Offense and Defense

Offered By: Black Hat via YouTube

Course Description

Overview

This Black Hat conference talk examines a Remote Desktop Protocol (RDP) attack surface that is often overlooked: when an RDP client connects to a rogue server, the server can silently compromise the client host. The talk covers vulnerabilities in the Microsoft Terminal Services Client (MSTSC.EXE), introduces the PoisonRDP concept, and walks through RDP clients, the protocol itself, and the resulting security risks. It describes "lazy lateral movement", clipboard vulnerabilities, file-copy exploits, and eavesdropping methods, and discusses the role of Hyper-V in testing and the value of bug bounty programs. On the defensive side, it presents new detection methods based on event tracing, the RDP connection provider, and the clipboard provider, and analyzes detection logic, file creation events, and techniques for identifying malicious behavior. The talk closes with lessons learned and a Q&A session on RDP offense and defense.

Syllabus

Introduction
Overview
Lazy Lateral Movement
RDP
What is Poison
RDP Clients
Open Source
RDP Protocol
Vulnerability List
Parsing Bitmaps
RDP Client
Clipboard
Blacklists
File Copy
File Descriptor
Path Level Cell
Clipboard Synchronized
Eavesdropping
Pasted On
HyperV
Behind the Scenes
HyperV Test
WDD
Bug Bounty Program
New Detection
Event Tracing
RDP Connection Provider
Clipboard Provider
Demo
Detection Logic
File Creation Events
File Creation Timestamps
Detecting Malicious Behaviors
Update
Lessons Learned
Questions
