Et Tu, RDP? Detecting Sticky Keys Backdoors with Brutus and WebAssembly

Security Boulevard, Mar 13, 2026

Why It Matters

Sticky Keys backdoors grant unauthenticated SYSTEM access from the RDP login screen, and Brutus now lets organizations scan thousands of RDP endpoints at scale, so this high‑impact attack surface can be found and remediated instead of lingering unnoticed.

Key Takeaways

  • Sticky Keys backdoors have been measured on up to ~1% of Internet‑facing RDP hosts
  • Brutus adds pure‑Go WASM RDP support, no CGO
  • Detection uses pixel diff and optional AI visual confirmation
  • Built‑in exploit runs commands, OCRs output via Claude API
  • Single static binary eases cross‑platform deployment

Pulse Analysis

The sticky‑keys technique, cataloged as MITRE ATT&CK T1546.008 (Event Triggered Execution: Accessibility Features), remains a surprisingly common persistence vector on exposed RDP services. The backdoor replaces or redirects the accessibility helper sethc.exe so that pressing Shift five times at the logon screen launches cmd.exe as SYSTEM before any credential is supplied. Studies from 2015 to 2018 reported backdoor rates ranging from 0.1% to 1% of internet‑facing hosts, meaning thousands of systems expose unauthenticated SYSTEM‑level code execution. This low‑tech method is favored by nation‑state actors, ransomware groups, and even internal administrators who forget to clean up break‑glass procedures, making it a critical check for any red‑team engagement or audit.

Praetorian’s engineering team tackled the long‑standing challenge of integrating RDP into Brutus by compiling the IronRDP Rust library to WebAssembly and loading it with the wazero runtime, a pure‑Go WASM interpreter. This approach sidesteps the fragile CGO bridge and the cross‑compilation issues that have plagued Go‑based RDP clients, delivering a single, statically linked binary for every platform Go targets. The WASM module handles the intricate X.224 and CredSSP negotiations, while Go manages network I/O, and the interpreter overhead is negligible compared to the protocol’s inherent network latency.

From an operational perspective, Brutus now offers a turnkey workflow: it captures the login screen, sends the five‑press Shift sequence that triggers sticky keys, captures the screen again, and evaluates the visual change either through pixel analysis or through Claude’s Vision API. When a backdoor is confirmed, the tool can type commands into the resulting shell, capture the screen, and OCR the output, delivering structured evidence without a manual RDP session. This automation turns a previously manual, error‑prone test into a scalable component of continuous security pipelines, letting defenders proactively remediate a high‑impact exposure across large environments.
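To make the pixel‑analysis step concrete, the following is an added Go example written for this page; it is not code from the Brutus repository or from Praetorian’s post. It diffs a capture taken before the Shift sequence against one taken after, reports how much of the frame changed and where, and classifies the change by size. The per‑channel tolerance, the noise and “large change” fractions, the three‑way verdict, and the constructed solid‑colour frames standing in for real screenshots are all assumptions for illustration, not Brutus’s values. The size‑based classification matters because on an unmodified host five Shift presses normally pop the stock Sticky Keys prompt, so the diff is rarely zero; a small changed region is consistent with that prompt, while a large one is consistent with a console window and is the case worth passing to visual confirmation.

```go
package main

import (
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/draw"
)

// Verdict classifies the visual change between the two captures.
type Verdict string

const (
	NoChange    Verdict = "no-change"    // nothing, or only noise such as a cursor blink
	SmallChange Verdict = "small-change" // a small region changed, e.g. a prompt dialog
	LargeChange Verdict = "large-change" // a large region changed, e.g. a console window
)

// Assumed thresholds for this example; they are not Brutus's values.
const (
	channelTolerance uint32  = 16    // per-channel 8-bit difference still treated as identical
	noiseFraction    float64 = 0.001 // below this fraction the change counts as noise
	largeFraction    float64 = 0.10  // at or above this fraction the change counts as large
)

// DiffResult reports how much of the frame changed, where, and the verdict.
type DiffResult struct {
	Changed  int             // changed pixels
	Total    int             // pixels compared
	Fraction float64         // Changed / Total
	Bounds   image.Rectangle // bounding box of changed pixels; zero rectangle if none
	Verdict  Verdict
}

func absDiff(a, b uint32) uint32 {
	if a > b {
		return a - b
	}
	return b - a
}

// pixelChanged compares two pixels, ignoring small per-channel jitter.
// color.Color.RGBA returns 16-bit channels, so shift down to 8-bit first.
func pixelChanged(p, q color.Color) bool {
	r1, g1, b1, _ := p.RGBA()
	r2, g2, b2, _ := q.RGBA()
	return absDiff(r1>>8, r2>>8) > channelTolerance ||
		absDiff(g1>>8, g2>>8) > channelTolerance ||
		absDiff(b1>>8, b2>>8) > channelTolerance
}

// CompareFrames diffs the pre-Shift capture against the post-Shift capture
// and classifies the result by the fraction of pixels that changed.
func CompareFrames(before, after image.Image) (DiffResult, error) {
	if before.Bounds() != after.Bounds() {
		return DiffResult{}, errors.New("frame geometry differs; capture both frames at the same resolution")
	}
	b := before.Bounds()
	res := DiffResult{Total: b.Dx() * b.Dy()}
	minX, minY, maxX, maxY := b.Max.X, b.Max.Y, b.Min.X-1, b.Min.Y-1
	for y := b.Min.Y; y < b.Max.Y; y++ {
		for x := b.Min.X; x < b.Max.X; x++ {
			if !pixelChanged(before.At(x, y), after.At(x, y)) {
				continue
			}
			res.Changed++
			if x < minX {
				minX = x
			}
			if x > maxX {
				maxX = x
			}
			if y < minY {
				minY = y
			}
			if y > maxY {
				maxY = y
			}
		}
	}
	if res.Changed > 0 {
		res.Bounds = image.Rect(minX, minY, maxX+1, maxY+1)
	}
	res.Fraction = float64(res.Changed) / float64(res.Total)
	switch {
	case res.Fraction < noiseFraction:
		res.Verdict = NoChange
	case res.Fraction < largeFraction:
		res.Verdict = SmallChange
	default:
		res.Verdict = LargeChange
	}
	return res, nil
}

// loginScreen builds a constructed stand-in for a captured logon screen:
// a solid-colour frame (sample data for this example, not a real capture).
func loginScreen(w, h int) *image.RGBA {
	img := image.NewRGBA(image.Rect(0, 0, w, h))
	draw.Draw(img, img.Bounds(), &image.Uniform{color.RGBA{0, 60, 120, 255}}, image.Point{}, draw.Src)
	return img
}

// paintWindow returns a copy of base with an opaque rectangle drawn over it,
// simulating a dialog or console window appearing on screen.
func paintWindow(base *image.RGBA, r image.Rectangle, c color.Color) *image.RGBA {
	out := image.NewRGBA(base.Bounds())
	draw.Draw(out, out.Bounds(), base, image.Point{}, draw.Src)
	draw.Draw(out, r, &image.Uniform{c}, image.Point{}, draw.Src)
	return out
}

func main() {
	base := loginScreen(640, 480)
	cases := map[string]*image.RGBA{
		"cursor blink":   paintWindow(base, image.Rect(300, 200, 301, 210), color.RGBA{255, 255, 255, 255}),
		"small prompt":   paintWindow(base, image.Rect(220, 190, 420, 290), color.RGBA{240, 240, 240, 255}),
		"console window": paintWindow(base, image.Rect(80, 90, 560, 390), color.RGBA{12, 12, 12, 255}),
	}
	for name, after := range cases {
		res, err := CompareFrames(base, after)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-15s changed=%.4f bounds=%v verdict=%s\n", name, res.Fraction, res.Bounds, res.Verdict)
	}
}
```

In a real scan the two frames would come from the RDP client’s framebuffer rather than from loginScreen, and a small‑change verdict is worth a second capture a moment later, since a console window may still be drawing when the first post‑Shift frame is taken.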

