Overview
The RDP Profile Breadcrumb creates a saved Remote Desktop profile that points to a Canary running RDP.
Attackers commonly inspect saved RDP connections on compromised Windows systems while looking for additional systems they can access. Placing a believable RDP profile on systems an attacker is likely to explore can help steer reconnaissance and lateral movement toward your Canaries.
Placement Ideas
Good locations for RDP Profile Breadcrumbs include:
- Windows administrator workstations: Place saved .rdp files within administrator tool directories or operational folders used for infrastructure management.
- Jump boxes or bastion hosts: Place profiles within shared operational accounts or on systems used to access internal infrastructure.
- Helpdesk or IT support systems: Place profiles on systems used for remote support and server administration where saved RDP connections would be expected.
Follow the steps below to create an RDP Profile Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm RDP is enabled on the Canary
Click the Canary you want to use for the RDP Profile Breadcrumb and confirm that the RDP service is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that RDP is enabled, open the Breadcrumbs tile to create and download the RDP Profile Breadcrumb.
Step 4: Select the Breadcrumb
Select RDP Profile from the list of available Breadcrumbs.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
Select the Canary from the drop-down list. In this example, we have selected the JHB-Jump-01 Canary.
Select Create to create the Breadcrumb.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Download the Breadcrumb
Select Download Breadcrumb to download the Breadcrumb .rdp file.
The download section contains the following:
- crumb – Displays the Remote Desktop configuration that will create the saved RDP profile.
- Download Breadcrumb – Downloads a .rdp file containing all the information required to deploy the RDP Profile Breadcrumb.
Step 7: Deploy the Breadcrumb on the target host
Copy the downloaded .rdp file to the target Windows host.
In this example, the deployed Breadcrumb creates a saved Remote Desktop profile named JHB-Jump-01, which is now available for use from the target location.
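As an added example (not part of the Canary documentation or a Thinkst-provided tool), the following PowerShell script checks that a downloaded Breadcrumb actually points at the Canary you selected before it is copied onto the target host, then places it in the user's Documents folder, which is where Remote Desktop Connection saves profiles by default. The file path, Canary address and target user name are placeholders you would replace; the .rdp format itself is the standard key:type:value layout that mstsc reads.

```powershell
# Added example: verify and deploy an RDP Profile Breadcrumb on a Windows host.
# $CrumbPath, $ExpectedCanary and $TargetUser are assumed placeholder values.
param(
    [string]$CrumbPath      = 'C:\Temp\JHB-Jump-01.rdp',  # downloaded Breadcrumb (placeholder path)
    [string]$ExpectedCanary = '10.0.0.5',                 # placeholder Canary address
    [string]$TargetUser     = 'svc-admin'                 # account whose Documents folder receives the file
)

function Get-RdpSettings {
    # Parse an .rdp file into a hashtable. Each line is  key:type:value  where
    # type is s (string), i (integer) or b (binary). Blank or malformed lines are skipped.
    param([string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^(?<key>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $settings[$Matches.key] = $Matches.value
        }
    }
    return $settings
}

$settings = Get-RdpSettings -Path $CrumbPath

# Refuse to deploy a profile that does not point at the intended Canary.
if ($settings['full address'] -ne $ExpectedCanary) {
    throw "Breadcrumb targets '$($settings['full address'])', expected Canary '$ExpectedCanary'"
}

# Remote Desktop Connection looks for saved profiles in the user's Documents folder.
$destDir = Join-Path "C:\Users\$TargetUser" 'Documents'
if (-not (Test-Path $destDir)) {
    throw "Documents folder for '$TargetUser' not found at $destDir"
}
$dest = Join-Path $destDir (Split-Path -Leaf $CrumbPath)
Copy-Item -Path $CrumbPath -Destination $dest -Force

Write-Host "Deployed $dest -> $($settings['full address']) (saved username: '$($settings['username'])')"
```

Run it once per target host after copying the downloaded .rdp file there; the `full address` check catches the case where a Breadcrumb generated for one Canary is accidentally deployed while pointing at a decommissioned or different address, which would otherwise produce a profile that never alerts.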
Alerts
Alert Type: RDP Login Attempt
This is the standard RDP Login Attempt alert generated by the Canary.
The alert contains the Remote Desktop connection details associated with the login attempt, including the username used, source IP address, and additional alert information.
You’ve made it!