• sylver_dragon
    811 hours ago

    I’m kinda confused. This looks like really old information re-packaged as some sort of “exploit”. Examining the RDP cache is an old trick. Here’s a video on doing it from six years ago:
    https://www.youtube.com/watch?v=NnEOk5-Dstw

    The tools for doing this have been out for a long time. Here’s the EnCase tool:
    https://marketplace.opentext.com/cybersecurity/content/rdp-cached-bitmap-extractor

    Here’s an open source parser:
    https://github.com/ANSSI-FR/bmc-tools

    So, what’s new here, and how is this allowing “Attackers to Take Over Windows and Browser Sessions” other than that, if they are on a system, they can dig through the RDP cache? And if they are already on the system that launched the RDP sessions, the horse is long out of the barn. Between credential dumping, keylogging and pass-the-hash, the attacker probably has as much access as the local user has anyway.

    • @IHawkMike
      48 hours ago

      Yeah this article is complete garbage. Who upvotes this stuff?