Hello, welcome to the Thursday, March 11th, 2021 edition of the Sands and the Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, what's an attacker going to do after they got initial access to your network and are now

trying to spread to different systems in the network.

Classic tools that are often used, of course, are PS remoting with PowerShell and PSXEC.

However, defenders have heavily invested into detecting these tools and attackers always are looking

for a new trick to bypass some of these detection strategies. One protocol that's available

to the attacker is RDP and RDP does not necessarily mean that you set up a full GUI session to the

remote system. The RDP protocol does allow for a lot more, like the simple execution of remote

commands. And a tool, Sharp RDPDP takes advantage of this ability.

Rob today wrote up a diary with a couple of quick examples,

how to take advantage of Sharp RDP,

and of course also some defensive strategies,

how to protect yourself from attacks leveraging this tool. And well, if you're

done patching all of your exchange servers, all of your Microsoft DNS servers, and well,

what else came up over the last couple days, there is something new for you to patch, and that's

F5. F5 released bulletins for

seven new vulnerabilities, four of which are rated critical. And two of the critical

vulnerabilities do allow unauthenticated remote command execution. So something you certainly need to patch

quickly. One is in the eye control rest and the second one in the traffic management user interface

or TMUI. We certainly have seen quite a bit of exploits against prior F5 vulnerabilities, so don't neglect them.

Some of the mitigation here can be accomplished by just not allowing public access to these vulnerable interfaces.

...