RDP configuration files as a means of obtaining remote access to a computer ("Rogue RDP")

    Date: 11/04/2024

    Severity: Medium

    Summary

    Malicious RDP configuration files (.rdp) attached to spear-phishing emails are being used in a campaign against Ukrainian state authorities and enterprises. When a recipient opens the attachment, the Remote Desktop client establishes an outgoing Remote Desktop Protocol connection to an attacker-controlled server. The file also enables redirection of local resources (drives, clipboard, printers, COM ports, smart cards and other devices), so the attacker's server can read and write the victim's local files, and the RemoteApp settings let it launch programs in the session. No exploit or dropper is involved: the legitimate client initiates the connection using legitimate configuration options, and the decoy file names (zero-trust and AWS IAM "compliance checks", see Filenames below) are chosen to look like routine IT tasks. The technique is referred to as "Rogue RDP". Mitigations are to block .rdp attachments at the mail gateway, prevent users from launching .rdp files (for example by restricting mstsc.exe through policy or application control) and restrict outbound RDP (TCP 3389) from workstations to approved hosts only.
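    The following is an added example, not code from this advisory, CERT-UA or CISA: a Python triage script for a suspected .rdp attachment. It parses the file's key:type:value lines, flags the settings that give the remote server access to the local machine (drive and device redirection, clipboard, RemoteApp, disabled server authentication) and checks the "full address" host against the advisory's domain and IP indicators, using suffix matching so that hosts under a listed domain (for example eu-central-1.mfa-gov.cloud under mfa-gov.cloud) are caught. The two .rdp bodies and the placeholder RemoteApp program name are constructed for the example; the IOC subset is taken from the list below.

```python
"""Offline triage of a suspected Rogue RDP (.rdp) attachment.

Added example for this advisory, not code from the original page, CERT-UA or
CISA. Parses the key:type:value lines of a .rdp file, flags settings that turn
an outbound RDP session into a data-access channel for the server, and checks
the 'full address' target against domain/IP indicators. Sample .rdp bodies are
constructed; the IOC subset is taken from the advisory.
"""
import codecs
import ipaddress
import re
from typing import Dict, List, Tuple

# Setting -> (dangerous value, why). Key names are standard mstsc .rdp settings.
RISKY_SETTINGS: Dict[str, Tuple[str, str]] = {
    "drivestoredirect": ("*", "all local drives mapped into the remote session"),
    "devicestoredirect": ("*", "all PnP devices redirected"),
    "redirectclipboard": ("1", "clipboard shared with the server"),
    "redirectprinters": ("1", "printers redirected"),
    "redirectcomports": ("1", "COM ports redirected"),
    "redirectsmartcards": ("1", "smart cards redirected"),
    "remoteapplicationmode": ("1", "RemoteApp mode: server picks the program to run"),
    "authentication level": ("0", "server certificate failures are ignored"),
}
# Either of these alone is enough to block the file.
HARD_BLOCK = ("drivestoredirect", "remoteapplicationmode")

LINE_RE = re.compile(r"^\s*([^:]+):([sib]):(.*)$")  # key:type:value


def decode_rdp(data: bytes) -> str:
    """mstsc writes .rdp files as UTF-16 with a BOM; attacker-made ones may be UTF-8."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace").lstrip("\ufeff")


def parse_rdp(text: str) -> Dict[str, str]:
    """Return {lower-cased key: value}; lines that are not key:type:value are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def target_host(settings: Dict[str, str]) -> Tuple[str, int]:
    """Split 'full address' into (host, port); RDP defaults to 3389."""
    addr = settings.get("full address", "")
    host, port = addr, 3389
    if addr.count(":") == 1:  # hostname:port or IPv4:port (IPv6 literals not handled)
        h, p = addr.rsplit(":", 1)
        if p.isdigit():
            host, port = h, int(p)
    return host.strip().lower().rstrip("."), port


def matches_ioc(host: str, ioc_domains: List[str], ioc_ips: List[str]) -> bool:
    """Exact match for IP literals; exact or subdomain match for domains."""
    try:
        return ipaddress.ip_address(host) in {ipaddress.ip_address(i) for i in ioc_ips}
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def triage(text: str, ioc_domains: List[str], ioc_ips: List[str]) -> Dict[str, object]:
    """Return host/port, the risky settings found, IOC hit and a BLOCK/REVIEW/OK verdict."""
    s = parse_rdp(text)
    host, port = target_host(s)
    findings = [f"{k}={v}: {why}" for k, (v, why) in RISKY_SETTINGS.items() if s.get(k) == v]
    if s.get("remoteapplicationmode") == "1" and s.get("remoteapplicationprogram"):
        findings.append(f"remoteapplicationprogram={s['remoteapplicationprogram']}")
    known_bad = matches_ioc(host, ioc_domains, ioc_ips)
    if known_bad or any(s.get(k) == RISKY_SETTINGS[k][0] for k in HARD_BLOCK):
        verdict = "BLOCK"
    else:
        verdict = "REVIEW" if findings else "OK"
    return {"host": host, "port": port, "findings": findings,
            "known_bad": known_bad, "verdict": verdict}


# Subset of the advisory's IOCs.
IOC_DOMAINS = ["mfa-gov.cloud", "ua-gov.cloud", "awsplatform.online"]
IOC_IPS = ["45.11.230.105", "2.58.201.112"]

# Constructed sample in the style of the campaign's files (external target,
# full resource redirection, RemoteApp). Not a real captured artefact.
MALICIOUS_RDP = """\
full address:s:eu-central-1.mfa-gov.cloud
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||ExampleApp
authentication level:i:0
"""

# Constructed benign sample: internal jump host, no redirection.
BENIGN_RDP = """\
full address:s:jumphost.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
authentication level:i:2
"""

if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        r = triage(decode_rdp(body.encode("utf-16")), IOC_DOMAINS, IOC_IPS)
        print(name, r["verdict"], r["host"], r["port"])
        for f in r["findings"]:
            print("  -", f)
```

    To run it against a real attachment, pass decode_rdp(open(path, "rb").read()) to triage(); the decode step exists because mstsc-generated files are UTF-16 with a BOM. A REVIEW verdict means redirection settings short of drive sharing or RemoteApp were found for a host that is not on the indicator list, which is exactly the case that needs a human look.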

    Indicators of Compromise (IOC) List

    Email Addresses

    yulia.antonenko@townoflakelure.com

    alexandra.gerst@townoflakelure.com

    oleksii.myronov@townoflakelure.com

    URL/Domains

    ca-central-1.awsplatform.online

    ca-west-1.mfa-gov.cloud

    central-2-aws.ua-aws.army

    eu-central-1-aws.mfa-gov.cloud

    eu-central-1.mfa-gov.cloud

    eu-central-1.ukrtelecom.cloud

    eu-central-2-aws.ua-aws.army

    eu-north-1-aws.ua-energy.cloud

    eu-north-1-aws.ua-gov.cloud

    eu-south-1-aws.mfa-gov.cloud

    eu-south-2-aws.mfa-gov.cloud

    eu-southeast-1-aws.gov-ua.cloud

    eu-southeast-1-aws.govtr.cloud

    eu-southeast-1-aws.zero-trust.solutions

    us-east-1-aws.mfa-gov.cloud

    us-east-2-aws.ua-gov.cloud

    us-east-console.awsplatform.online

    us-west-1-amazon.ua-energy.cloud

    us-west-1.aws-ukraine.cloud

    us-west-1.ua-aws.army

    us-west-1.ukrtelecom.cloud

    us-west-2-aws.mfa-gov.cloud

    zero-trust.solutions

    ukrtelecom.cloud 

    awsplatform.online

    aws-ukraine.cloud 

    aws-s3.cloud 

    aws-meet.cloud 

    aws-il.cloud 

    aws-data.cloud 

    aws-meetings.cloud 

    aws-secure.cloud 

    aws-join.cloud 

    aws-online.cloud

    gov-au.cloud 

    gov-aws.cloud 

    gov-fi.cloud 

    gov-gr.cloud 

    gov-lt.cloud 

    gov-lv.cloud 

    gov-pl.cloud 

    gov-sk.cloud 

    gov-trust.cloud 

    gov-ua.cloud 

    govps.cloud 

    govtr.cloud 

    govua.cloud 

    eru-gov.cloud 

    feedzai-gov.cloud 

    md-gov.cloud 

    mf-gov.cloud 

    mo-gov.cloud 

    mpo-gov.cloud 

    mpsv-gov.cloud 

    msmt-gov.cloud 

    mv-gov.cloud 

    my-gov.cloud

    mzd-gov.cloud

    mze-gov.cloud 

    mzp-gov.cloud 

    mzv-gov.cloud 

    nakit-gov.cloud 

    nbu-gov.cloud 

    nukib-gov.cloud 

    police-gov.cloud 

    mmr-gov.cloud 

    uohs-gov.cloud 

    uoou-gov.cloud 

    vlada-gov.cloud 

    voa-gov.cloud 

    mfa-gov.cloud

    mfa-gov-il.cloud

    mfa-gov-tr.cloud

    mil-be.cloud

    mil-ee.cloud

    mil-pl.cloud

    mil-pt.cloud

    mod-gov-il.cloud

    s3-acronis.cloud 

    s3-army.cloud 

    s3-atlassian.cloud 

    s3-aws.cloud 

    s3-bah.cloud 

    s3-be.cloud 

    s3-blackberry.cloud 

    s3-csis.cloud 

    s3-de.cloud 

    s3-dgap.cloud 

    s3-dk.cloud 

    s3-dnc.cloud 

    s3-esa.cloud 

    s3-fbi.cloud 

    s3-hudson.cloud 

    s3-ida.cloud 

    s3-iri.cloud 

    s3-knowbe4.cloud 

    s3-marcus.cloud 

    s3-monitoring.cloud 

    s3-nato.cloud 

    s3-ned.cloud

    s3-nsa.cloud 

    s3-proofpoint.cloud 

    s3-pt.cloud 

    s3-rackspace.cloud

    s3-rand.cloud 

    s3-spacex.cloud 

    s3-state.cloud 

    s3-stig.cloud 

    s3-ua.cloud 

    s3-ucia.cloud 

    s3-zoho.cloud 

    ua-aws.army 

    ua-energy.cloud 

    ua-gov.cloud

    ua-mil.cloud 

    ua-sec.cloud 

    ua-se.cloud 

    ua-sn.cloud

    IP Address

    181.215.148.194

    104.247.120.157

    45.11.230.105

    185.76.79.178

    2.58.201.112

    45.80.193.9

    93.188.163.16

    23.160.56.122

    38.180.146.230

    179.43.163.18

    46.19.141.186

    23.160.56.100

    84.32.188.200

    45.134.111.123

    193.29.59.9

    45.67.85.40

    45.134.110.83

    84.32.188.197

    45.141.58.60

    95.156.207.121

    166.0.187.233

    45.42.142.89

    204.111.198.27

    62.72.7.213

    45.42.142.49

    141.195.117.125

    136.0.0.11

    38.180.146.210

    45.11.231.8

    185.187.155.73

    185.216.72.196

    185.187.155.74

    162.252.175.233

    13.49.21.253

    199.204.86.87

    84.32.188.153

    84.32.188.193

    84.32.188.148

    135.181.130.232

    89.46.234.115

    179.43.148.82

    38.180.110.238

    95.217.113.133

    37.153.155.143

    Hash

    MD5

    a5de73d69c1a7fbae2e71b98d48fe9b5
    
    8bcb741a204c25232a11a7084aa2221f
    
    86f58115c891ce91b7364e5ff0314b31
    
    80b3cad4f70b6ea8924aa13d2730328b
    
    c0da30b71d58e071fc5863381444d9f0 
    
    1595266bb78dc1e3d67f929154824c74 
    
    222c83d156a41735c38cc552a7084a86 
    
    fa9af43e9bbb55b7512b369084d91f4d 
    
    281a28800a4ba744bfde7b4aff46f24e 
    
    d37cd2c462af0e0643076b20c5ff561e 
    
    e465a4191a93195094a803e5d4703a90 
    
    3f753810430b26b94a172fbf816e7d76 
    
    434ffae8cfc3caa370be2e69ffaa95d1 
    
    c287c05d91a19796b2649ebebd27394b 
    
    aabbfd1acd3f3a2212e348f2d6f169fc 
    
    b0a0ad4093e781a278541e4b01daa7a8 
    
    a18a1cad9df5b409963601c8e30669e4 
    
    cbbc4903da831b6f1dc39d0c8d3fc413 
    
    bd711dc427e17cc724f288cc5c3b0842 
    
    b38e7e8bba44bc5619b2689024ad9fca 
    
    40f957b756096fa6b80f95334ba92034 
    
    db326d934e386059cc56c4e61695128e 
    
    f58cf55b944f5942f1d120d95140b800
    
    SHA-256

    34c88cd591f73bc47a1a0fe2a4f594f628be98ad2366eeb4e467595115d8505a
    
    071276e907f185d9e341d549b198e60741e2c7f8d64dd2ca2c5d88d50b2c6ffc 
    
    6e6680786fa5b023cf301b6bc5faaa89c86dc34b696f4b078cf22b1b353d5d3c 
    
    31f2cc1157248aec5135147073e49406d057bebf78b3361dd7cbb6e37708fbcc 
    
    88fd6a36e8a61597dd71755b985e5fcd0b8308b69fc0f4b0fc7960fb80018622 
    
    b8327671ebc20db6f09efc4f19bd8c39d9e28c9a37bdd15b2fd62ade208d2e8a 
    
    a5bbb109faefcecba695a84a737f5e47fa418cea39d654bb512a6f4a0b148758 
    
    5534cc837ba4fa3726322883449b3e97ca3e0d28c0ccf468b868397fdfa44e0b 
    
    b9ab481e7a9a92cfa2d53de8e7a3c75287cff6a3374f4202ec16ea9e03d80a0b 
    
    18a078a976734c9ec562f5dfa3f5904ef5d37000fb8c1f5bd0dc2dee47203bf9 
    
    bb4d5a3f7a40c895882b73e1aca8c71ea40cef6c4f6732bec36e6342f6e2487a 
    
    ef4bd88ec5e8b401594b22632fd05e401658cf78de681f81409eadf93f412ebd 
    
    1cfe29f214d1177b66aec2b0d039fec47dd94c751fa95d34bc5da3bbab02213a 
    
    3a2496db64507311f5fbd3aba0228b653f673fc2152a267a1386cbab33798db5 
    
    984082823dc1f122a1bb505700c25b27332f54942496814dfd0c68de0eba59dc 
    
    383e63f40aecdd508e1790a8b7535e41b06b3f6984bb417218ca96e554b1164b 
    
    296d446cb2ad93255c45a2d4b674bbacb6d1581a94cf6bb5e54df5a742502680 
    
    129ba064dfd9981575c00419ee9df1c7711679abc974fa4086076ebc3dc964f5 
    
    f2acb92d0793d066e9414bc9e0369bd3ffa047b40720fe3bd3f2c0875d17a1cb 
    
    f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8 
    
    280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0 
    
    8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5 
    
    ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46 

    Filenames

    Zero Trust Architecture Configuration.rdp

    ZTS Device Compatibility Test.rdp

    Device Configuration Verification.rdp

    Device Security Requirements Check.rdp

    Zero Trust Security Environment Compliance Check.rdp

    AWS IAM Quick Start.rdp

    AWS IAM Configuration.rdp

    AWS IAM Compliance Check.rdp

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "ca-central-1.awsplatform.online" or url like "ca-central-1.awsplatform.online" or userdomainname like "us-east-1-aws.mfa-gov.cloud" or url like "us-east-1-aws.mfa-gov.cloud" or userdomainname like "us-west-1-amazon.ua-energy.cloud" or url like "us-west-1-amazon.ua-energy.cloud" or userdomainname like "us-east-console.awsplatform.online" or url like "us-east-console.awsplatform.online" or userdomainname like "us-west-1.ukrtelecom.cloud" or url like "us-west-1.ukrtelecom.cloud" or userdomainname like "eu-south-1-aws.mfa-gov.cloud" or url like "eu-south-1-aws.mfa-gov.cloud" or userdomainname like "central-2-aws.ua-aws.army" or url like "central-2-aws.ua-aws.army" or userdomainname like "eu-southeast-1-aws.gov-ua.cloud" or url like "eu-southeast-1-aws.gov-ua.cloud" or userdomainname like "us-east-2-aws.ua-gov.cloud" or url like "us-east-2-aws.ua-gov.cloud" or userdomainname like "us-west-1.ua-aws.army" or url like "us-west-1.ua-aws.army" or userdomainname like "eu-north-1-aws.ua-gov.cloud" or url like "eu-north-1-aws.ua-gov.cloud" or userdomainname like "us-west-2-aws.mfa-gov.cloud" or url like "us-west-2-aws.mfa-gov.cloud" or userdomainname like "eu-central-1-aws.mfa-gov.cloud" or url like "eu-central-1-aws.mfa-gov.cloud" or userdomainname like "us-west-1.aws-ukraine.cloud" or url like "us-west-1.aws-ukraine.cloud" or userdomainname like "eu-south-2-aws.mfa-gov.cloud" or url like "eu-south-2-aws.mfa-gov.cloud" or userdomainname like "eu-central-1.ukrtelecom.cloud" or url like "eu-central-1.ukrtelecom.cloud" or userdomainname like "eu-central-1.mfa-gov.cloud" or url like "eu-central-1.mfa-gov.cloud" or userdomainname like "yulia.antonenko@townoflakelure.com" or url like "yulia.antonenko@townoflakelure.com" or userdomainname like "alexandra.gerst@townoflakelure.com" or url like "alexandra.gerst@townoflakelure.com" or userdomainname like "oleksii.myronov@townoflakelure.com" or url like "oleksii.myronov@townoflakelure.com" or userdomainname like "ca-west-1.mfa-gov.cloud" or url like "ca-west-1.mfa-gov.cloud" or userdomainname like "eu-central-2-aws.ua-aws.army" or url like "eu-central-2-aws.ua-aws.army" or userdomainname like "eu-north-1-aws.ua-energy.cloud" or url like "eu-north-1-aws.ua-energy.cloud" or userdomainname like "eu-southeast-1-aws.govtr.cloud" or url like "eu-southeast-1-aws.govtr.cloud" or userdomainname like "zero-trust.solutions" or url like "zero-trust.solutions" or userdomainname like "ukrtelecom.cloud" or url like "ukrtelecom.cloud" or userdomainname like "awsplatform.online" or url like "awsplatform.online" or userdomainname like "aws-ukraine.cloud" or url like "aws-ukraine.cloud" or userdomainname like "aws-s3.cloud" or url like "aws-s3.cloud" or userdomainname like "aws-meet.cloud" or url like "aws-meet.cloud" or userdomainname like "aws-il.cloud" or url like "aws-il.cloud" or userdomainname like "aws-data.cloud" or url like "aws-data.cloud" or userdomainname like "aws-meetings.cloud" or url like "aws-meetings.cloud" or userdomainname like "aws-secure.cloud" or url like "aws-secure.cloud" or userdomainname like "aws-join.cloud" or url like "aws-join.cloud" or userdomainname like "aws-online.cloud" or url like "aws-online.cloud" or userdomainname like "gov-au.cloud" or url like "gov-au.cloud" or userdomainname like "gov-aws.cloud" or url like "gov-aws.cloud" or userdomainname like "gov-fi.cloud" or url like "gov-fi.cloud" or userdomainname like "gov-gr.cloud" or url like "gov-gr.cloud" or userdomainname like "gov-lt.cloud" or url like "gov-lt.cloud" or userdomainname like "gov-lv.cloud" or url like "gov-lv.cloud" or userdomainname like "gov-pl.cloud" or url like "gov-pl.cloud" or userdomainname like "gov-sk.cloud" or url like "gov-sk.cloud" or userdomainname like "gov-trust.cloud" or url like "gov-trust.cloud" or userdomainname like "gov-ua.cloud" or url like "gov-ua.cloud" or userdomainname like "govps.cloud" or url like "govps.cloud" or userdomainname like "govtr.cloud" or url like "govtr.cloud" or userdomainname like "govua.cloud" or url like "govua.cloud" or userdomainname like "eru-gov.cloud" or url like "eru-gov.cloud" or userdomainname like "feedzai-gov.cloud" or url like "feedzai-gov.cloud" or userdomainname like "md-gov.cloud" or url like "md-gov.cloud" or userdomainname like "mf-gov.cloud" or url like "mf-gov.cloud" or userdomainname like "mo-gov.cloud" or url like "mo-gov.cloud" or userdomainname like "mpo-gov.cloud" or url like "mpo-gov.cloud" or userdomainname like "mpsv-gov.cloud" or url like "mpsv-gov.cloud" or userdomainname like "msmt-gov.cloud" or url like "msmt-gov.cloud" or userdomainname like "mv-gov.cloud" or url like "mv-gov.cloud"

    Detection Query 2

    userdomainname like "my-gov.cloud" or url like "my-gov.cloud" or userdomainname like "mzd-gov.cloud" or url like "mzd-gov.cloud" or userdomainname like "mze-gov.cloud" or url like "mze-gov.cloud" or userdomainname like "mzp-gov.cloud" or url like "mzp-gov.cloud" or userdomainname like "mzv-gov.cloud" or url like "mzv-gov.cloud" or userdomainname like "nakit-gov.cloud" or url like "nakit-gov.cloud" or userdomainname like "nbu-gov.cloud" or url like "nbu-gov.cloud" or userdomainname like "nukib-gov.cloud" or url like "nukib-gov.cloud" or userdomainname like "police-gov.cloud" or url like "police-gov.cloud" or userdomainname like "mmr-gov.cloud" or url like "mmr-gov.cloud" or userdomainname like "uohs-gov.cloud" or url like "uohs-gov.cloud" or userdomainname like "uoou-gov.cloud" or url like "uoou-gov.cloud" or userdomainname like "vlada-gov.cloud" or url like "vlada-gov.cloud" or userdomainname like "voa-gov.cloud" or url like "voa-gov.cloud" or userdomainname like "mfa-gov.cloud" or url like "mfa-gov.cloud" or userdomainname like "mfa-gov-il.cloud" or url like "mfa-gov-il.cloud" or userdomainname like "mfa-gov-tr.cloud" or url like "mfa-gov-tr.cloud" or userdomainname like "mil-be.cloud" or url like "mil-be.cloud" or userdomainname like "mil-ee.cloud" or url like "mil-ee.cloud" or userdomainname like "mil-pl.cloud" or url like "mil-pl.cloud" or userdomainname like "mil-pt.cloud" or url like "mil-pt.cloud" or userdomainname like "mod-gov-il.cloud" or url like "mod-gov-il.cloud" or userdomainname like "s3-acronis.cloud" or url like "s3-acronis.cloud" or userdomainname like "s3-army.cloud" or url like "s3-army.cloud" or userdomainname like "s3-atlassian.cloud" or url like "s3-atlassian.cloud" or userdomainname like "s3-aws.cloud" or url like "s3-aws.cloud" or userdomainname like "s3-bah.cloud" or url like "s3-bah.cloud" or userdomainname like "s3-be.cloud" or url like "s3-be.cloud" or userdomainname like "s3-blackberry.cloud" or url like "s3-blackberry.cloud" or userdomainname like "s3-csis.cloud" or url like "s3-csis.cloud" or userdomainname like "s3-de.cloud" or url like "s3-de.cloud" or userdomainname like "s3-dgap.cloud" or url like "s3-dgap.cloud" or userdomainname like "s3-dk.cloud" or url like "s3-dk.cloud" or userdomainname like "s3-dnc.cloud" or url like "s3-dnc.cloud" or userdomainname like "s3-esa.cloud" or url like "s3-esa.cloud" or userdomainname like "s3-fbi.cloud" or url like "s3-fbi.cloud" or userdomainname like "s3-hudson.cloud" or url like "s3-hudson.cloud" or userdomainname like "s3-ida.cloud" or url like "s3-ida.cloud" or userdomainname like "s3-iri.cloud" or url like "s3-iri.cloud" or userdomainname like "s3-knowbe4.cloud" or url like "s3-knowbe4.cloud" or userdomainname like "s3-marcus.cloud" or url like "s3-marcus.cloud" or userdomainname like "s3-monitoring.cloud" or url like "s3-monitoring.cloud" or userdomainname like "s3-nato.cloud" or url like "s3-nato.cloud" or userdomainname like "s3-ned.cloud" or url like "s3-ned.cloud" or userdomainname like "s3-nsa.cloud" or url like "s3-nsa.cloud" or userdomainname like "s3-proofpoint.cloud" or url like "s3-proofpoint.cloud" or userdomainname like "s3-pt.cloud" or url like "s3-pt.cloud" or userdomainname like "s3-rackspace.cloud" or url like "s3-rackspace.cloud" or userdomainname like "s3-rand.cloud" or url like "s3-rand.cloud" or userdomainname like "s3-spacex.cloud" or url like "s3-spacex.cloud" or userdomainname like "s3-state.cloud" or url like "s3-state.cloud" or userdomainname like "s3-stig.cloud" or url like "s3-stig.cloud" or userdomainname like "s3-ua.cloud" or url like "s3-ua.cloud" or userdomainname like "s3-ucia.cloud" or url like "s3-ucia.cloud" or userdomainname like "s3-zoho.cloud" or url like "s3-zoho.cloud" or userdomainname like "ua-aws.army" or url like "ua-aws.army" or userdomainname like "ua-energy.cloud" or url like "ua-energy.cloud" or userdomainname like "ua-gov.cloud" or url like "ua-gov.cloud" or userdomainname like "ua-mil.cloud" or url like "ua-mil.cloud" or userdomainname like "ua-sec.cloud" or url like "ua-sec.cloud" or userdomainname like "ua-se.cloud" or url like "ua-se.cloud" or userdomainname like "ua-sn.cloud" or url like "ua-sn.cloud"

    Detection Query 3

    dstipaddress IN ("181.215.148.194","104.247.120.157","45.11.230.105","185.76.79.178","2.58.201.112","45.80.193.9","93.188.163.16","23.160.56.122","38.180.146.230","179.43.163.18","46.19.141.186","23.160.56.100","84.32.188.200","45.134.111.123","193.29.59.9","45.67.85.40","45.134.110.83","84.32.188.197","45.141.58.60","95.156.207.121","166.0.187.233","45.42.142.89","204.111.198.27","62.72.7.213","45.42.142.49","141.195.117.125","136.0.0.11","38.180.146.210","45.11.231.8","185.187.155.73","185.216.72.196","185.187.155.74","162.252.175.233","13.49.21.253","199.204.86.87","84.32.188.153","84.32.188.193","84.32.188.148","135.181.130.232","89.46.234.115","179.43.148.82","38.180.110.238","95.217.113.133","37.153.155.143") or ipaddress IN ("181.215.148.194","104.247.120.157","45.11.230.105","185.76.79.178","2.58.201.112","45.80.193.9","93.188.163.16","23.160.56.122","38.180.146.230","179.43.163.18","46.19.141.186","23.160.56.100","84.32.188.200","45.134.111.123","193.29.59.9","45.67.85.40","45.134.110.83","84.32.188.197","45.141.58.60","95.156.207.121","166.0.187.233","45.42.142.89","204.111.198.27","62.72.7.213","45.42.142.49","141.195.117.125","136.0.0.11","38.180.146.210","45.11.231.8","185.187.155.73","185.216.72.196","185.187.155.74","162.252.175.233","13.49.21.253","199.204.86.87","84.32.188.153","84.32.188.193","84.32.188.148","135.181.130.232","89.46.234.115","179.43.148.82","38.180.110.238","95.217.113.133","37.153.155.143") or publicipaddress IN 
("181.215.148.194","104.247.120.157","45.11.230.105","185.76.79.178","2.58.201.112","45.80.193.9","93.188.163.16","23.160.56.122","38.180.146.230","179.43.163.18","46.19.141.186","23.160.56.100","84.32.188.200","45.134.111.123","193.29.59.9","45.67.85.40","45.134.110.83","84.32.188.197","45.141.58.60","95.156.207.121","166.0.187.233","45.42.142.89","204.111.198.27","62.72.7.213","45.42.142.49","141.195.117.125","136.0.0.11","38.180.146.210","45.11.231.8","185.187.155.73","185.216.72.196","185.187.155.74","162.252.175.233","13.49.21.253","199.204.86.87","84.32.188.153","84.32.188.193","84.32.188.148","135.181.130.232","89.46.234.115","179.43.148.82","38.180.110.238","95.217.113.133","37.153.155.143") or srcipaddress IN ("181.215.148.194","104.247.120.157","45.11.230.105","185.76.79.178","2.58.201.112","45.80.193.9","93.188.163.16","23.160.56.122","38.180.146.230","179.43.163.18","46.19.141.186","23.160.56.100","84.32.188.200","45.134.111.123","193.29.59.9","45.67.85.40","45.134.110.83","84.32.188.197","45.141.58.60","95.156.207.121","166.0.187.233","45.42.142.89","204.111.198.27","62.72.7.213","45.42.142.49","141.195.117.125","136.0.0.11","38.180.146.210","45.11.231.8","185.187.155.73","185.216.72.196","185.187.155.74","162.252.175.233","13.49.21.253","199.204.86.87","84.32.188.153","84.32.188.193","84.32.188.148","135.181.130.232","89.46.234.115","179.43.148.82","38.180.110.238","95.217.113.133","37.153.155.143")

    Detection Query 4

    md5hash IN ("a5de73d69c1a7fbae2e71b98d48fe9b5","8bcb741a204c25232a11a7084aa2221f","86f58115c891ce91b7364e5ff0314b31","80b3cad4f70b6ea8924aa13d2730328b","c0da30b71d58e071fc5863381444d9f0","1595266bb78dc1e3d67f929154824c74","222c83d156a41735c38cc552a7084a86","fa9af43e9bbb55b7512b369084d91f4d","281a28800a4ba744bfde7b4aff46f24e","d37cd2c462af0e0643076b20c5ff561e","e465a4191a93195094a803e5d4703a90","3f753810430b26b94a172fbf816e7d76","434ffae8cfc3caa370be2e69ffaa95d1","c287c05d91a19796b2649ebebd27394b","aabbfd1acd3f3a2212e348f2d6f169fc","b0a0ad4093e781a278541e4b01daa7a8","a18a1cad9df5b409963601c8e30669e4","cbbc4903da831b6f1dc39d0c8d3fc413","bd711dc427e17cc724f288cc5c3b0842","b38e7e8bba44bc5619b2689024ad9fca","40f957b756096fa6b80f95334ba92034","db326d934e386059cc56c4e61695128e","f58cf55b944f5942f1d120d95140b800")

    Detection Query 5

    sha256hash IN ("34c88cd591f73bc47a1a0fe2a4f594f628be98ad2366eeb4e467595115d8505a","071276e907f185d9e341d549b198e60741e2c7f8d64dd2ca2c5d88d50b2c6ffc","6e6680786fa5b023cf301b6bc5faaa89c86dc34b696f4b078cf22b1b353d5d3c","31f2cc1157248aec5135147073e49406d057bebf78b3361dd7cbb6e37708fbcc","88fd6a36e8a61597dd71755b985e5fcd0b8308b69fc0f4b0fc7960fb80018622","b8327671ebc20db6f09efc4f19bd8c39d9e28c9a37bdd15b2fd62ade208d2e8a","a5bbb109faefcecba695a84a737f5e47fa418cea39d654bb512a6f4a0b148758","5534cc837ba4fa3726322883449b3e97ca3e0d28c0ccf468b868397fdfa44e0b","b9ab481e7a9a92cfa2d53de8e7a3c75287cff6a3374f4202ec16ea9e03d80a0b","18a078a976734c9ec562f5dfa3f5904ef5d37000fb8c1f5bd0dc2dee47203bf9","bb4d5a3f7a40c895882b73e1aca8c71ea40cef6c4f6732bec36e6342f6e2487a","ef4bd88ec5e8b401594b22632fd05e401658cf78de681f81409eadf93f412ebd","1cfe29f214d1177b66aec2b0d039fec47dd94c751fa95d34bc5da3bbab02213a","3a2496db64507311f5fbd3aba0228b653f673fc2152a267a1386cbab33798db5","984082823dc1f122a1bb505700c25b27332f54942496814dfd0c68de0eba59dc","383e63f40aecdd508e1790a8b7535e41b06b3f6984bb417218ca96e554b1164b","296d446cb2ad93255c45a2d4b674bbacb6d1581a94cf6bb5e54df5a742502680","129ba064dfd9981575c00419ee9df1c7711679abc974fa4086076ebc3dc964f5","f2acb92d0793d066e9414bc9e0369bd3ffa047b40720fe3bd3f2c0875d17a1cb","f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8","280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0","8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5","ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46")

    Detection Query 6

    resourcename in ("Windows Security") AND eventtype = "4663" AND objectname IN ("Zero Trust Architecture Configuration.rdp","ZTS Device Compatibility Test.rdp","Device Configuration Verification.rdp","Device Security Requirements Check.rdp","Zero Trust Security Environment Compliance Check.rdp","AWS IAM Quick Start.rdp","AWS IAM Configuration.rdp","AWS IAM Compliance Check.rdp")

    Note: event 4663 is only recorded when "Audit File System" is enabled and an object-access SACL covers the folder the attachment lands in (for example the user's Downloads folder or the mail client's temporary attachment folder); it is not logged by default. The event's Object Name field carries the full path, so confirm that the parser populates objectname with the bare file name before relying on this exact-match list. Where file auditing is absent, process-creation events (Security 4688 or Sysmon event 1) showing mstsc.exe launched with a .rdp path on the command line are the fallback.

    Reference:

    https://www.cisa.gov/news-events/alerts/2024/10/31/foreign-threat-actor-conducting-large-scale-spear-phishing-campaign-rdp-attachments 

    https://cert.gov.ua/article/6281076 


    Tags

    CISA, Malware, Ukraine, Rogue RDP
