This post will explore establishing command and control sessions over remote desktop (RDP) virtual channels. As per Microsoft, virtual channels are software extensions that can be used to add functional enhancements to RDP. Audio, shared clipboard, forwarded drives, and printer redirection are all examples of virtual channels in action; doesn’t it make life easier? Well it comes at a risk. Before getting into it, I have to mention that this is not a new area of research, listed below are tools and information I leveraged to put this post together.
- NCCGroup’s Virtual Channel Research
- OutFlank’s External C2 Example
- XPN’s Exploring External C2 Post
- Earthquake’s Universal Dynamic Virtual Channel
- AwakeCoding’s TsTeleport
While speaking at OT Cybersecurity conferences I’ve always preached the importance of egress filtering. Reason is, whenever we hijack a MFA’d session at the IT/OT perimeter, the first thing we (and attackers) do is attempt to setup an out-of-band command and control session to establish a more permanent foothold in the environment.
Since egress dataflows from the OT to the IT are often few or not required, correctly configured egress filtering can make this difficult bordering on impossible. However, command and control sessions over RDP virtual channels entirely circumvent egress filtering. So having been such an advocate of egress filtering (it’s still important), I felt it was necessary to explore this topic further.