1. InfoconDB
  2. DEF CON
  3. DEF CON 31 (2023)
  4. I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers Tradecraft

I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers Tradecraft

Presented at DEF CON 31 (2023), Aug. 11, 2023, 11:30 a.m. (45 minutes)

The Remote Desktop Protocol (RDP) is a critical attack vector used by evil threat actors including in ransomware outbreaks. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched capabilities which helped us collect more than 100 hours of video footage of attackers in action. To describe attackers’ behaviors, we characterized the various archetypes of threat actors in groups based on their traits through a Dungeon & Dragons analogy: 1) the Bards making obtuse search or watch unholy videos; 2) the Rangers stealthily explore computers and perform reconnaissance; 3) the Thieves try to monetize the RDP access; 4)the Barbarians use a large array of tools to brute-force their way into more computers; and 5) the Wizardsuse their RDP access as a magic portal to cloak their origins. Throughout, we will reveal the attackers’ weaponry and show video recordings of interesting characters in action. This presentation demonstrates the tremendous capability in RDP interception for research benefitsand blue teams: extensive documentation of opportunistic attackers’ tradecraft. An engineer and a crime data scientist partner to deliver an epic story that includes luring, understanding and characterizing attackers which allows to collectively focus our attention on the more sophisticated threats. REFERENCES: The tool: https://github.com/GoSecure/pyrdp/ an extensive rewrite of Citronneur’s RDPy Building on our own work: RDP Man-in-the-Middle - Smile! You're on Camera - GoSecure https://www.youtube.com/watch?v=eB7RC9FmL6Q Slides - Google Slides PyRDP Demo with Session Takeover - YouTube PyRDP Demo with a Payload on Connection - YouTube https://docs.google.com/presentation/d/1UAiN2EZwDcmBjLe_t5HXB0LzbNclU3nnigC-XM4neIU/edit?usp=sharing https://docs.google.com/presentation/d/1UAiN2EZwDcmBjLe_t5HXB0LzbNclU3nnigC-XM4neIU/edit?usp=sharing PyRDP on Autopilot - Unattended Credential Harvesting and Client-Side File Stealing - GoSecure Announcing PyRDP 1.0 - GoSecure DEF CON Safe Mode Demo Labs - Olivier Bilodeau - PyRDP - YouTube Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide - GoSecure Cracking 2.3M Attackers-Supplied Credentials: What Can We Learn from RDP Attacks - GoSecure A New PyRDP Release: The Rudolph Desktop Protocol! - GoSecure The Level of Human Engagement Behind Automated Attacks - GoSecure Never Connect to RDP Servers Over Untrusted Networks - GoSecure Building on scientific articles: [1] Cybersecurity & Infrastructure Security Agency (2020). Alert (AA20-099A). Retrieved from. https://www.cisa.gov/uscert/ncas/alerts/aa20-099a [2] Cox, O. (2021). Remote Desktop Protocol (RDP) attack analysis. Darktrace. Retrieved from: https://darktrace.com/blog/remote-desktop-protocol-rdp-attack-analysis#:~:text=Remote%20Desktop%20Protocol%20(RDP)%20is,have%20been%20around%20for%20years. [3] UK’s National Cyber Security Centre (2021). Alert: Further ransomware attacks on the UK education sector by cyber criminals. Retrieved from : https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector [4] Tian, Z. et al. (2018). A Real-Time Correlation of Host-Level Events in Cyber Range Service for Smart Campus. IEEE Access, 6, pp. 35355-35364. DOI: 10.1109/ACCESS.2018.2846590. [5] Sinitsyn, F. (2017). Kaspersky Security Bulletin: STORY OF THE YEAR 2017. Retrieved from: https://securelist.com/ksb-story-of-the-year-2017/83290/ [6] Drašar, M., Jirsík, T., & Vizváry, M. (2014). Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches. 8th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS). Proceedings 8 (pp. 160-172). Springer Berlin Heidelberg. [7] Alata, E., Nicomette, V., Kaaniche, M., Dacier, M., & Herrb, M. (2006). Lessons learned from the deployment of a high-interaction honeypot. Sixth European Dependable Computing Conference, Coimbra, Portugal, pp. 39-46, DOI: 10.1109/EDCC.2006.17. [8] Udhani, S., Withers, A., & Bashir, M. (2019). Human vs bots: Detecting human attacks in a honeypot environment. 7th International Symposium on Digital Forensics and Security (ISDFS) (pp. 1-6). IEEE. [9] Bilodeau, O. (2022). PyRDP: Python Remote Desktop Protocol (RDP) Monster-in-the-Middle (MITM) tool and library. Tool Access from: https://github.com/GoSecure/pyrdp [10] Gatlan, S. (2022). Windows 11 now blocks RDP brute-force attacks by default. Bleeping Computer, https://www.bleepingcomputer.com/news/microsoft/windows-11-now-blocks-rdp-brute-force-attacks-by-default/ [11] Seifert, C. (2006). Analyzing Malicious SSH Login Attempts. Symantec Connect Community. Retrieve from: https://www.symantec.com/connect/articles/analyzing-malicious-sshlogin-attempts

Presenters:

  • Olivier Bilodeau - Cybersecurity Research Director at GoSecure
    Olivier Bilodeau leads the Cybersecurity Research team at GoSecure. With more than 12 years of infosec experience, he enjoys luring malware operators into his traps and writing tools for malware research. Olivier is a passionate communicator having spoken at several conferences including BlackHat USA/Europe, Defcon, Botconf, Derbycon, and HackFest. Invested in his community, he co-founded MontréHack, is the President of NorthSec and host its Hacker Jeopardy.
  • Andréanne Bergeron - Cybersecurity Researcher at GoSecure
    Andréanne Bergeron has a Ph.D. in criminology from the University of Montreal and works as a cybersecurity researcher at GoSecure. Acting as the social and data scientist of the team, she is interested in online attackers’ behaviors. She is an experienced presenter with over 38 academic conferences and is now focusing on the infosec field. She has presented at BSides Montreal, NorthSec, CypherCon and Human Factor in Cybercrime amongst others.

Links:

Similar Presentations: