The Remote Desktop Protocol (RDP) is a critical attack vector used by evil threat actors including in ransomware outbreaks. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched screen, keyboard, mouse, clipboard and file collection capabilities. Then we built a honeynet that is composed of several RDP Windows servers exposed on the cloud. We ran them for three years and have accumulated over 150 million events including 100 hours of video footage, 570 files collected from threat actors and more than 20,000 RDP captures.
To describe attackers' behaviors, we characterized the various archetypes of threat actors in groups based on their traits with a Dungeon & Dragons analogy. The Bards, with no apparent hacking skills, make an obtuse search or watch unholy videos. The Rangers stealthily explore computers and perform reconnaissance, opening the path for other characters. The Thieves try to monetize the RDP access through various creative ways like traffic monetizers or cryptominers. The Barbarians use a large array of tools to brute-force their way into more computers. Finally, the Wizards, securing their identity via jumps over compromised hosts, use their RDP access as a magic portal to cloak their origins.
Throughout, we will reveal the weaponry of these different characters such as dControl, xRDP Patch, SilverBullet and previously undocumented host fingerprinting tools. Lastly, we will use our crystal ball to show video recordings of interesting characters in action.
This presentation demonstrates the tremendous capability of RDP for research benefits, law enforcement (leverage this open-source capability in ransomware takedowns) and blue teams (extensive documentation of opportunistic attackers' tradecraft). An engineer and a crime data scientist partner to deliver an epic story that includes luring, understanding and characterizing attackers which allows us to collectively focus our attention on the more sophisticated threats.
Olivier Bilodeau leads the Cybersecurity Research team at GoSecure. With more than 12 years of infosec experience, he enjoys luring malware operators into his traps and writing tools for malware research. Olivier is a passionate communicator having spoken at several conferences including Black Hat USA/Europe, Defcon, Botconf, Derbycon, and HackFest. Invested in his community, he co-founded MontréHack, is the President of NorthSec and hosts its Hacker Jeopardy.
Andréanne Bergeron has a Ph.D. in criminology from the University of Montreal and works as a cybersecurity researcher at GoSecure. Acting as the social and data scientist of the team, she is interested in online attackers' behaviors. She is an experienced presenter with over 38 academic conferences and is now focusing on the infosec field. She has presented at BSides Montreal, NorthSec, CypherCon and Human Factor in Cybercrime.
Jon Cassell is currently a Senior Solutions Architect at Syxsense and has been working in the IT and Infrastructure industries for the last 15 years. Before working at Syxsense, Jon was an IT Manager for a large financial services firm and has a background in Accounting and Tax consultation. He currently holds an MCSA in Server Infrastructure, A+, Network+, Security+, and Server+ certifications.
