Researchers Use Microsoft Terminal Services Client in New Attack Method

Do your users need access to Terminal Services? If not, time to disable it in your group policy…:

[…] DLL side-loading, as it’s labeled in the MITRE ATT&CK framework, can happen when programs “improperly or vaguely specify a required DLL.” As a result, they may be open to a vulnerability in which an unintended DLL is loaded into the program. Attackers can take advantage of legitimate programs vulnerable to side-loading to load a malicious DLL and mask any malicious actions they take under the guise of a trusted system or process.

To run RDP, users access the MSTSC in Windows to take control of a remote computer or virtual machine using a network connection, the researchers explain in a blog post. MSTSC relies on a DLL file (mstscax.dll) as one of its resources. Researchers learned MSTSC performs delay-loading of mstscax.dll with a behavior that can lead to attackers slipping past security controls. The executable loads “mstscax.dll” with no integrity checks to validate the library’s code, they say.

There are two ways to exploit this, Ben-Yossef explains. An attacker could replace the DLL mstscax.dll in the folder c:\windows\system32, which requires local administrative privileges. “Most attackers are gaining local administrative privileges in various techniques and therefore will be able to exploit this for post-exploitation and evasion usage,” he continues.
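Because mstsc.exe does not validate the library it delay-loads, the check has to be done from the outside. The following PowerShell audit is an added example, not part of the article or the researchers' work: it verifies that the on-disk mstscax.dll in System32 carries a valid Microsoft signature, and that every running mstsc.exe has mapped a module of that name from System32 rather than from some other path. It assumes a 64-bit PowerShell session (a 32-bit host would be redirected to SysWOW64) and elevation to enumerate modules of other users' processes.

```powershell
# Added example (not from the article): audit mstscax.dll on a host.
# Flags a copy of mstscax.dll that is loaded from outside System32 or
# whose Authenticode/catalog signature does not validate as Microsoft's.

$expectedDir = Join-Path $env:SystemRoot 'System32'

function Test-MstscaxModule {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature also resolves catalog signatures, which is
    # how most inbox Windows binaries such as mstscax.dll are signed.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path        = $Path
        InSystem32  = ((Split-Path $Path -Parent) -ieq $expectedDir)
        SigStatus   = $sig.Status                        # expect 'Valid'
        Signer      = $subject
        IsMicrosoft = ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation')
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash  # record for baselining
    }
}

# 1. The library mstsc.exe is supposed to delay-load from System32.
$onDisk = Test-MstscaxModule -Path (Join-Path $expectedDir 'mstscax.dll')
$onDisk | Format-List

# 2. Whatever each running mstsc.exe has actually mapped under that name.
#    Anything not in System32, or not validly Microsoft-signed, is reported.
$suspicious = Get-Process -Name mstsc -ErrorAction SilentlyContinue | ForEach-Object {
    $_.Modules | Where-Object { $_.ModuleName -ieq 'mstscax.dll' } | ForEach-Object {
        Test-MstscaxModule -Path $_.FileName
    }
} | Where-Object { -not $_.InSystem32 -or -not $_.IsMicrosoft }

if ($suspicious) {
    Write-Warning "mstsc.exe is running with an unexpected mstscax.dll:"
    $suspicious | Format-Table Path, SigStatus, Signer, SHA256 -AutoSize
} elseif (-not $onDisk.IsMicrosoft) {
    Write-Warning "System32\mstscax.dll is not validly Microsoft-signed (status: $($onDisk.SigStatus))."
} else {
    Write-Output 'mstscax.dll: on-disk copy and all loaded copies look legitimate.'
}
```

Running the audit once on a clean build and keeping the recorded SHA256 gives a baseline to compare against after the DLL is touched by anything other than Windows Update.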

[…]

Original article here