Researchers have identified new attack vectors which leverage the RDP drive sharing feature to perform fileless attacks and plant malware.
A standard feature of the Microsoft RDP implementation is the ability to share a drive from the client machine. This appears to the server as a network share at \\tsclient. An attacker who was able to establish an RDP connection could then exfiltrate data by copying it to that share, or execute a program on the server from an EXE file located on that share (i.e. on the client device). If malware is executed from the client share, it leaves no forensic fingerprints on the server's disk – making it an effective form of fileless attack.
Exploitation of this attack vector – which is a design feature, not a vulnerability – requires valid login details for an authenticated RDP session. In the examples cited in the research report, it is thought that the RDP accounts had been compromised by a brute force attack. This is another good reason to use strong passwords and VPN-only connectivity to protect access to RDP servers, and to limit that access to authorised users only.
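Because the share always appears under the fixed UNC name \\tsclient, its abuse is straightforward to spot in host telemetry even though nothing is written to the server's disk. The following is an added detection example, not code from the research report or from any vendor product: it scans constructed, Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records, flattened here into a hypothetical "Key=Value; Key=Value" line format, and flags executables launched from the client share, host processes (such as PowerShell) handed a script on the share, and server files being written onto it. The sample events, user names and paths are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches a UNC reference to the RDP client-drive share, e.g. \\tsclient\C\...
# Case-insensitive because Windows paths are; forward slashes are accepted too.
TSCLIENT_RE = re.compile(r"[\\/]{2}tsclient[\\/]", re.IGNORECASE)

# Constructed sample records loosely modelled on Sysmon Event ID 1 (process create)
# and Event ID 11 (file create). Hypothetical flattened format: "Key=Value; Key=Value".
SAMPLE_EVENTS = [
    r"EventID=1; Image=C:\Windows\System32\notepad.exe; CommandLine=notepad.exe; User=CORP\alice",
    r'EventID=1; Image=\\tsclient\C\tools\updater.exe; CommandLine="\\tsclient\C\tools\updater.exe" -q; User=CORP\svc-rdp',
    r"EventID=1; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; CommandLine=powershell -File \\TSCLIENT\D\run.ps1; User=CORP\bob",
    r"EventID=11; Image=C:\Windows\explorer.exe; TargetFilename=\\tsclient\C\out\customers.db; User=CORP\bob",
    r"EventID=11; Image=C:\Windows\explorer.exe; TargetFilename=C:\Users\bob\Documents\notes.txt; User=CORP\bob",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value; Key=Value' record into a dict.

    Values are split on the first '=' only, so paths and command lines that
    contain '=' survive; the constructed format never puts '; ' inside a value.
    """
    fields: Dict[str, str] = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (finding_kind, evidence) if the event touches \\tsclient, else None."""
    event_id = event.get("EventID")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    target = event.get("TargetFilename", "")

    if event_id == "1":
        # The binary itself lives on the client drive: nothing is written to the server disk.
        if TSCLIENT_RE.search(image):
            return ("exec_from_tsclient", image)
        # A local host process (script engine, installer, ...) is fed content from the share.
        if TSCLIENT_RE.search(cmdline):
            return ("arg_from_tsclient", cmdline)
    elif event_id == "11":
        # Server-side data landing on the client drive: possible exfiltration.
        if TSCLIENT_RE.search(target):
            return ("write_to_tsclient", target)
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every record through classify(); return (kind, user, evidence) per hit."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_event(line)
        hit = classify(event)
        if hit is not None:
            findings.append((hit[0], event.get("User", "?"), hit[1]))
    return findings


if __name__ == "__main__":
    for kind, user, evidence in scan(SAMPLE_EVENTS):
        print(f"{kind:20} {user:15} {evidence}")
```

Any hit here is worth an alert on a server that is not supposed to accept client drives, and the `User` field ties it back to the RDP account that should then be checked for brute-force history. Where drive sharing is not needed at all, the feature can be switched off server-side with the "Do not allow drive redirection" Terminal Services policy (registry value fDisableCdm under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services), which removes the \\tsclient share entirely rather than relying on detection.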