An adversary may use an RDP session to deliver a text payload in the way a USB rubber ducky keystroke-injection device would, typing commands into the remote console to execute them on the target system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or command and control activity disguised as a legitimate RDP session.
YARA Rule
rule hacktool_windows_rdp_cmd_delivery
{
    meta:
        description = "Delivers a text payload via RDP (rubber ducky)"
        reference = "https://github.com/nopernik/mytools/blob/master/rdp-cmd-delivery.sh"
        author = "@fusionrace"
        id = "1b00805a-9ea5-5af8-95f8-fd0db0d6cc9f"
    strings:
        $s1 = "Usage: rdp-cmd-delivery.sh OPTIONS" ascii wide
        $s2 = "[--tofile 'c:\\test.txt' local.ps1 #will copy contents of local.ps1 to c:\\test.txt" ascii wide
        $s3 = "-cmdfile local.bat #will execute everything from local.bat" ascii wide
        $s4 = "To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console" ascii wide
    condition:
        any of them
}
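To make the rule's matching behavior concrete, the following added example (not part of the original page or of the referenced tool) re-implements its string logic in plain Python: each of the four strings is searched for in both its `ascii` form and its `wide` (UTF-16LE) form, and the `any of them` condition fires on the first hit. The three sample inputs are constructed here, not real captures.

```python
# Added example, not from the original page or the referenced tool: a pure-Python
# re-implementation of the matching logic in hacktool_windows_rdp_cmd_delivery,
# used to show what the "ascii wide" modifiers and "any of them" actually test.
from typing import Dict, List, Tuple

# The four strings from the rule. YARA's "\\" escape and Python's agree, so the
# pattern searched for is c:\test.txt with a single backslash.
RULE_STRINGS: Dict[str, str] = {
    "$s1": "Usage: rdp-cmd-delivery.sh OPTIONS",
    "$s2": "[--tofile 'c:\\test.txt' local.ps1 #will copy contents of local.ps1 to c:\\test.txt",
    "$s3": "-cmdfile local.bat #will execute everything from local.bat",
    "$s4": "To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console",
}


def encoded_forms(pattern: str) -> Dict[str, bytes]:
    """ascii = one byte per character; wide = UTF-16LE, i.e. each byte followed by 0x00."""
    return {"ascii": pattern.encode("ascii"), "wide": pattern.encode("utf-16-le")}


def scan(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Return {string_id: [(encoding, offset), ...]} for every rule string found.
    Matching is case-sensitive and byte-exact, as YARA strings are without 'nocase'."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for name, pattern in RULE_STRINGS.items():
        for form, needle in encoded_forms(pattern).items():
            offset = data.find(needle)
            if offset != -1:
                hits.setdefault(name, []).append((form, offset))
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: any of them -- one hit on any string in either encoding fires the rule."""
    return bool(scan(data))


# Constructed sample inputs (not real captures).
# 1) A shell script that prints the tool's usage banner: ASCII hit on $s1 at offset 18.
SAMPLE_SCRIPT = b"#!/bin/bash\necho 'Usage: rdp-cmd-delivery.sh OPTIONS'\nexit 1\n"
# 2) The same help text saved as UTF-16LE with a BOM, as Windows tools often write
#    it; the "wide" modifier is what lets the rule catch this form.
SAMPLE_WIDE = b"\xff\xfe" + (
    "To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console"
).encode("utf-16-le")
# 3) Benign text that shares vocabulary with the tool but none of the exact strings.
SAMPLE_BENIGN = b"Usage: ssh [options] host\nrdp-cmd-delivery is not installed here\n"


if __name__ == "__main__":
    for label, blob in [("script", SAMPLE_SCRIPT), ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)]:
        print(label, rule_matches(blob), scan(blob))
```

Because every string is a fixed, case-sensitive usage line, the rule is only as good as the tool's help text staying unchanged; a copy with a rewritten banner produces no hit, which is why the behavioral hunting below complements the content match.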
This rule contains 4 string patterns in its detection logic. All four are usage and help-text lines from the tool itself, so the rule matches content that carries the tool (a script on disk, a downloaded copy, process memory), not RDP traffic. The following benign scenarios describe legitimate RDP activity that can resemble the tool's behavior, with the filter or exclusion to apply to each when hunting:
Scenario: System Administrator Uses RDP to Transfer a Script for Patching
Description: An admin uses RDP to connect to a server and manually transfers a script (e.g., patch_script.sh) via clipboard or file transfer.
Filter/Exclusion: Check for known admin accounts (e.g., admin, root, svc_account) and exclude transfers from these accounts. Also, filter by file extensions like .sh, .ps1, or .bat if they are known to be legitimate.
Scenario: Scheduled Job Uses RDP to Execute a Text-Based Configuration Script
Description: A scheduled job (e.g., via cron, Task Scheduler, or PowerShell) uses RDP to execute a configuration script (e.g., config_setup.txt) on a remote server.
Filter/Exclusion: Exclude traffic from scheduled tasks by checking the Event ID or Task Name in the system logs. Also, filter by known legitimate script names or paths.
Scenario: IT Support Team Uses RDP to Transfer a Text File for Troubleshooting
Description: IT support personnel use RDP to transfer a text file (e.g., diag_log.txt) to a remote machine for troubleshooting purposes.
Filter/Exclusion: Exclude transfers from known IT support accounts (e.g., it_support, helpdesk) and filter by file names containing log, diag, or troubleshoot.
Scenario: RDP Session Used for Remote Desktop Connection with Clipboard Paste
Description: A user connects via RDP and pastes a small text payload (e.g., a command or configuration snippet) into the remote session for quick execution.
Filter/Exclusion: Exclude clipboard activity from trusted user accounts and filter by small payload size (e.g., less than 100 characters).
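The four Filter/Exclusion rules above can be applied as one triage pass over RDP session telemetry. The following is an added example, not code from the original page or from any Sentinel content: the event schema is hypothetical (a small dataclass, not a Sentinel table), the events are constructed, and the allowlists and the 100-character threshold are the ones the scenarios name.

```python
# Added example, not from the original page: applies the four Filter/Exclusion
# rules to constructed RDP session events. The RdpEvent schema is hypothetical
# (not a Sentinel table); the allowlists and thresholds are the ones the page lists.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import os

ADMIN_ACCOUNTS = {"admin", "root", "svc_account"}
IT_SUPPORT_ACCOUNTS = {"it_support", "helpdesk"}
LEGIT_SCRIPT_EXTENSIONS = {".sh", ".ps1", ".bat"}
TROUBLESHOOT_KEYWORDS = ("log", "diag", "troubleshoot")
SMALL_PAYLOAD_CHARS = 100


@dataclass
class RdpEvent:
    account: str
    action: str                 # "file_transfer" or "clipboard_paste"
    file_name: str = ""         # for file transfers
    payload_chars: int = 0      # for clipboard pastes
    scheduled: bool = False     # originated from cron / Task Scheduler (constructed flag)
    trusted_user: bool = False  # account is on the trusted-user list


def exclusion_reason(ev: RdpEvent) -> Optional[str]:
    """Return the scenario that explains the event as benign, or None if it needs review."""
    if ev.scheduled:
        return "scheduled job executing a configuration script"
    if ev.action == "file_transfer":
        ext = os.path.splitext(ev.file_name)[1].lower()
        name = ev.file_name.lower()
        if ev.account in ADMIN_ACCOUNTS and ext in LEGIT_SCRIPT_EXTENSIONS:
            return "known admin account transferring a script for patching"
        if ev.account in IT_SUPPORT_ACCOUNTS and any(k in name for k in TROUBLESHOOT_KEYWORDS):
            return "IT support transferring a troubleshooting file"
    if ev.action == "clipboard_paste":
        if ev.trusted_user and ev.payload_chars < SMALL_PAYLOAD_CHARS:
            return "small clipboard paste from a trusted user"
    return None


def triage(events: List[RdpEvent]) -> Tuple[List[RdpEvent], List[Tuple[RdpEvent, str]]]:
    """Split events into (needs_review, excluded_with_reason)."""
    review: List[RdpEvent] = []
    excluded: List[Tuple[RdpEvent, str]] = []
    for ev in events:
        reason = exclusion_reason(ev)
        if reason:
            excluded.append((ev, reason))
        else:
            review.append(ev)
    return review, excluded


# Constructed events (not real telemetry): one per scenario, plus two that should surface.
EVENTS = [
    RdpEvent("admin", "file_transfer", file_name="patch_script.sh"),
    RdpEvent("svc_account", "file_transfer", file_name="config_setup.txt", scheduled=True),
    RdpEvent("helpdesk", "file_transfer", file_name="diag_log.txt"),
    RdpEvent("jdoe", "clipboard_paste", payload_chars=40, trusted_user=True),
    RdpEvent("jdoe", "clipboard_paste", payload_chars=2400),                    # large paste, untrusted
    RdpEvent("contractor", "file_transfer", file_name="rdp-cmd-delivery.sh"),  # not an admin account
]

if __name__ == "__main__":
    review, excluded = triage(EVENTS)
    for ev, reason in excluded:
        print("excluded:", ev.account, ev.action, ev.file_name or ev.payload_chars, "->", reason)
    for ev in review:
        print("REVIEW:  ", ev.account, ev.action, ev.file_name or ev.payload_chars)
```

Note the trade-off the first scenario's filter carries: the same `rdp-cmd-delivery.sh` transfer made from the `admin` account would be excluded by the account-plus-extension allowlist, so a compromised admin account passes the behavioral filter. Running the YARA rule above over transferred files and clipboard contents keeps a content-based check in place that the account allowlist does not suppress.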