Imagine a scenario where someone has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication.
This screen-only access architecture is a trend with BYOD, because it lets users reach a trusted domain from untrusted devices. On top of that, the server runs application whitelisting, and only the inbound port of the screen server (e.g. 3389 for RDP) is allowed through the stateful hardware firewall. But the penetration tester (or attacker) also needs persistent, interactive C&C communication (e.g. Netcat, Meterpreter, a RAT) with this server through the user's workstation.
MRG Effitas developed and published two tools that can help in these situations. The first tool can drop malware onto the server through the screen while the user is logged in to the RDP session. The second tool (a network filter kernel driver with some rootkit capabilities) can help circumvent the hardware firewall once someone can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g. communicating with a bind shell on a web server behind a restricted DMZ.
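The scenario above relies on the firewall passing anything that arrives on the screen server's port, whether or not it is really RDP. A check a defender can run on captured traffic is to verify that each new client connection to port 3389 opens with what an RDP client always sends first: a TPKT header (version 3) wrapping an X.224 Connection Request TPDU (MS-RDPBCGR section 2.2.1.1). The following is an added example written for this page, not code from MRG Effitas or from the tools described; the flow tuple shape `(src, dst_port, first_client_payload)` and the sample flows are constructed for illustration, and the check assumes the tunnelled C&C reaches the port as raw non-RDP bytes.

```python
"""Flag TCP flows to the RDP port whose first client bytes are not an RDP
X.224 Connection Request (TPKT + X.224 CR, per MS-RDPBCGR 2.2.1.1).

Added example for this page; not part of the MRG Effitas tools.
The flows in SAMPLE_FLOWS are constructed for illustration.
"""
import struct

RDP_PORT = 3389
TPKT_VERSION = 0x03
X224_CR_CODE = 0xE0  # Connection Request TPDU code (high nibble of byte 5)


def is_rdp_connection_request(payload: bytes) -> bool:
    """Return True if payload looks like the first client PDU of an RDP
    connection: TPKT header (version 3, reserved 0, big-endian length)
    wrapping an X.224 Connection Request TPDU.

    Only the headers are inspected, so a capture truncated after the
    headers is still classified rather than rejected.
    """
    if len(payload) < 6:
        return False
    version, reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != TPKT_VERSION or reserved != 0:
        return False
    li = payload[4]                       # X.224 length indicator: bytes after it
    if li < 6 or tpkt_len != li + 5:      # TPKT (4) + LI byte (1) + LI bytes
        return False
    return (payload[5] & 0xF0) == X224_CR_CODE


def flag_suspicious_flows(flows):
    """flows: iterable of (src, dst_port, first_client_payload).

    Returns the sources whose connection to the RDP port does not begin
    with an RDP Connection Request, i.e. candidate tunnelled C&C traffic
    riding on the one port the firewall allows through.
    """
    return [
        src
        for src, dst_port, payload in flows
        if dst_port == RDP_PORT and not is_rdp_connection_request(payload)
    ]


# Constructed sample flows: one real-looking RDP handshake (X.224 CR with an
# RDP_NEG_REQ), a bind-shell command, an SSH banner on 3389, and the same
# SSH banner on 443 (not our concern here).
SAMPLE_FLOWS = [
    ("10.0.0.4", 3389, bytes.fromhex("030000130ee000000000000100080003000000")),
    ("10.0.0.5", 3389, b"whoami\r\n"),
    ("10.0.0.6", 3389, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


if __name__ == "__main__":
    for src in flag_suspicious_flows(SAMPLE_FLOWS):
        print(f"non-RDP traffic to port {RDP_PORT} from {src}")
```

This only catches traffic that is not RDP at all on the RDP port, which is the case a bind shell or Netcat session behind the firewall would produce. It does not catch the first tool described above, which rides inside a genuine RDP session, and it says nothing about whether the C&C bytes are later wrapped in TLS; the page does not describe how the kernel driver rewrites traffic, so treat the raw-bytes assumption as exactly that.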