View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000567 | file | General | public | 2024-10-28 16:02 | 2024-11-10 18:10 |
Reporter | Albrecht | Assigned To | christos | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | assigned | Resolution | open | ||
Platform | PC | OS | Debian | OS Version | Bookworm |
Product Version | 5.45 | ||||
Summary: 0000567: Improve rule for detecting RDP control files

Description:

The rule for detecting RDP files (https://github.com/file/file/blob/5b004b5d76534a0969a50f6e4cf1be9a1e6ef87f/magic/Magdir/windows#L1858) is not correct IMHO, as it tries to find a “screen mode id:i:” entry which is optional in such files. The only mandatory element is the “full address:s:<value>” statement (see https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-properties). I use the following rule, which detects this statement in ASCII and UTF-16 LE and BE files, ensuring that it starts at the beginning of the document or a line so as to skip the (optional) “alternate full address” item and to reduce false positives:

--8<-------------
# Microsoft Remote Desktop Protocol connection
# We search for the only mandatory item in the rdp file: 'full address:s:<value>'
# either at the start of the file or after a newline.
# (see https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-properties)
0 string/t full\040address:s:
>&0 string/t x Remote Desktop Protocol connection to '%-s'
!:mime text/x-ms-rdp
!:ext rdp
0 search/1024/t \012full\040address:s:
>&0 string/t x Remote Desktop Protocol connection to '%-s'
!:mime text/x-ms-rdp
!:ext rdp
--8<-------------

I'm not sure if it could be improved, though.

Steps To Reproduce:

Create a text file just containing

--8<-------------
full address:s:some-remote.org
--8<-------------

which tries to open an RDP connection to some-remote.org. The current file git version reports it as “ASCII text”, whilst using the rule above returns “Remote Desktop Protocol connection to 'some-remote.org', ASCII text”.

Additional Information: Feel free to use my rule if you think it's correct.

Tags: No tags attached.
Note 0004074 (christos, 2024-11-09 21:01)

Do you know where I can get sample files?

Note 0004093 (Albrecht, 2024-11-10 14:30)

Good question… If you have access to a Windows machine, you could create a sample file yourself (see e.g. https://v2cloud.com/tutorials/rdp-file-configuration), which might be classified properly with the current rule as it usually starts with the "screen" statement. Currently, a lot of attacks using RDP files are around which start with a different statement and are thus not detected. Those I have are confidential, sorry, but you might find some on VirusTotal or similar.

The attached ZIP contains three files created on a Win10 VM: test-orig.rdp is the original file, from test-utf16le.rdp I removed most optional settings, and test-ascii.rdp is the latter converted to ASCII. On Win10 all work by just double-clicking them. Interestingly, UTF16BE is not recognised by the Windows RDP application (it says something like “error loading file”). I noticed that the UTF16LE files created by the Win10 app are slightly larger than 0000007:0000002 kByte. Thus, it might be better to increase the "search" limit to 2048 or 4096, just in case an attacker moved the detected string to the very end of a larger file.

Note 0004102 (Albrecht, 2024-11-10 18:10)

Thinking about it again, it might be better to also remove the first line in test-ascii.rdp and test-utf16le.rdp so that they start with the "screen" command. This, together with test-orig.rdp, would test both conditions (beginning of file and beginning of line, respectively).
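The detection logic of the rule proposed in the description, together with the search-limit concern raised in the reporter's note, as an added example that is not part of this issue or of the file project's code: a Python re-implementation that accepts `full address:s:<value>` only at offset 0 or directly after a newline (so the optional `alternate full address:s:` setting never matches), applies a configurable search window like the rule's `search/1024`, and decodes ASCII, UTF-16 LE and UTF-16 BE input. The BOM-less UTF-16 heuristic, the window being measured in decoded characters, the value being cut at end of line and all sample inputs are this example's assumptions, not behaviour of file(1).

```python
"""Added example (not from the file project or the issue's magic rule):
re-implements the proposed rule's logic to exercise constructed samples."""
import codecs
import re
from typing import Optional

# Window in which a line-leading match must start; mirrors 'search/1024' in
# the proposed rule. The reporter's note suggests 2048 or 4096 instead.
SEARCH_LIMIT = 1024

# 'full address:s:' at offset 0 or directly after a newline, so the optional
# 'alternate full address:s:' setting cannot match. The value is taken up to
# the end of the line (assumption of this example, not file's 'string/t x').
_FULL_ADDRESS = re.compile(r"(?:\A|\n)full address:s:([^\r\n]*)")


def decode_rdp_bytes(data: bytes) -> str:
    """Decode an .rdp file body to text.

    mstsc.exe writes UTF-16 LE with a BOM; the samples attached to this issue
    also cover ASCII and UTF-16 BE. A BOM wins. Without one, NUL bytes at the
    odd (LE) or even (BE) positions of the first 64 bytes are taken as UTF-16;
    that heuristic is this example's assumption, not file's text detection.
    """
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(codecs.BOM_UTF16_BE):
        return data[2:].decode("utf-16-be", errors="replace")
    head = data[:64]
    if len(head) >= 4:
        if head[1::2].count(0) > len(head) // 4:
            return data.decode("utf-16-le", errors="replace")
        if head[0::2].count(0) > len(head) // 4:
            return data.decode("utf-16-be", errors="replace")
    return data.decode("ascii", errors="replace")


def rdp_full_address(data: bytes, limit: int = SEARCH_LIMIT) -> Optional[str]:
    """Return the 'full address' value if `data` looks like an .rdp file.

    A match at offset 0 always counts (the rule's 'string' clause); a match
    after a newline counts only if it starts inside `limit` (the 'search'
    clause). The limit is applied to decoded characters here (assumption).
    """
    m = _FULL_ADDRESS.search(decode_rdp_bytes(data))
    if m is None or (m.start() != 0 and m.start() >= limit):
        return None
    return m.group(1)


def describe(data: bytes, limit: int = SEARCH_LIMIT) -> Optional[str]:
    """The text the magic rule prints for a match, or None otherwise."""
    addr = rdp_full_address(data, limit)
    if addr is None:
        return None
    return f"Remote Desktop Protocol connection to '{addr}'"


# Constructed stand-ins for the issue's test-ascii / test-utf16le / BE samples.
SAMPLES = {
    "ascii": b"full address:s:some-remote.org\r\n",
    "utf16le": codecs.BOM_UTF16_LE
    + "screen mode id:i:2\r\nfull address:s:host.example\r\n".encode("utf-16-le"),
    "utf16be": codecs.BOM_UTF16_BE
    + "full address:s:host.example\r\n".encode("utf-16-be"),
    "utf16le_nobom": "full address:s:nobom.example\r\n".encode("utf-16-le"),
    # Only the optional setting present: must not be reported.
    "alternate_only": b"alternate full address:s:decoy.example\r\n",
    # Mandatory line pushed past 1024 bytes, the case the note warns about.
    "padded": b"; " + b"x" * 1500 + b"\r\nfull address:s:late.example\r\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:15} 1024: {describe(blob)!s:58} 4096: {describe(blob, 4096)}")
```

Run stand-alone, the `padded` sample is reported only with the larger window, which is the point of the note's suggestion to raise the `search` limit, and `alternate_only` is never reported because the match is anchored at a line start.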
Date Modified | Username | Field | Change |
---|---|---|---|
2024-10-28 16:02 | Albrecht | New Issue | |
2024-11-09 21:01 | christos | Assigned To | => christos |
2024-11-09 21:01 | christos | Status | new => assigned |
2024-11-09 21:01 | christos | Status | assigned => feedback |
2024-11-09 21:01 | christos | Note Added: 0004074 | |
2024-11-10 14:30 | Albrecht | Note Added: 0004093 | |
2024-11-10 14:30 | Albrecht | File Added: rdp-samples.zip | |
2024-11-10 14:30 | Albrecht | Status | feedback => assigned |
2024-11-10 18:10 | Albrecht | Note Added: 0004102 |