With our RDP interception tool, we managed to collect a great deal of information (screen, keyboard, mouse, metadata) about opportunistic attackers, and have it on video. An engineer and a crime data scientist partner to deliver an epic story, presented at BlackHat USA titled “I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers’ Tradecraft” for the first time, which includes luring, understanding and characterizing attackers, allowing to collectively focus our attention on more sophisticated threats.  

 

The Remote Desktop Protocol (RDP) is a critical attack vector used by evil threat actors including ransomware groups. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched screen, keyboard, mouse, clipboard and file collection capabilities. You can learn more about our tool in our previous blogs. We then built a honeynet that is composed of several RDP Windows servers exposed on the cloud. We ran them for three years and accumulated over 190 million events, including 100 hours of video footage, 470 files collected from threat actors, and more than 20,000 RDP captures. 

The data collected allowed the study of attackers’ behavior, which was used to classify attackers into different groups. The groups are presented below.

 

Digital fantasy art showcasing a DnD RangerRangers explore all the folders of the computer, check the network and host performance characteristics, run reconnaissance by clicking or by using programs/scripts. No other meaningful actions are undertaken. Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later. To see a ranger in action, view a recorded session on YouTube.  

 

Digital fantasy art showcasing a DnD ThiefThieves try to monetize the RDP access. After taking control of the computer by changing the credentials to access it, they perform different activities that aim to take advantage of this access. They use tools like traffmonetizer (proxyware), monetized browsers (participating in pay to surf schemes), they install and use cryptominers, download Android emulators (mobile fraud), etc. 

 

 

Digital fantasy art showcasing a DnD BarbarianBarbarians use a large array of tools to brute-force their way into more computers. They leverage the compromised system to attempt compromising other systems by working with lists of IP addresses, usernames and passwords. Here we can see a barbarian using Masscan, a brute-forcing tool.  

 

 

Digital fantasy art showcasing a DnD WizardWizards use the RDP access as a portal to connect to another computer that was compromised in a similar fashion. This strategy is good operational security: they hide their identity via jumps over compromised hosts. To do so, they demonstrate a high level of skill by carefully living off the land. Being able to monitor and see the actions of these attackers is of utmost importance for threat intelligence gathering, enabling defenders and researchers to reach deeper into compromised infrastructure. You can see a wizard in action by following this YouTube link.  

 

Digital fantasy art showcasing a DnD BardBards are individuals with no apparent hacking skills. They access the system to accomplish basic tasks like looking for viruses through a simple Google search or to watch pornography. The evidence shows that they might have bought RDP access from someone who has compromised the system for them, aka Initial Access Brokers (IABs). 

 

Understanding and characterizing attackers allows us to collectively focus our attention on the most popular modus operandi and on the more sophisticated threats. In the next couple of months, we will detail the tools used by the different threat actors in our attackers’ weaponry blog post series. Stay tuned to learn more. 

 

Conclusion 

This presentation demonstrates the tremendous capability in RDP, not only for research benefits, but also for law enforcement and blue teams. Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence in recorded sessions for use in investigations. Blue teams for their part can consume the IOCs and roll out their own traps in order to further protect their organization, as this will give them extensive documentation of opportunistic attackers’ tradecraft. Plus, if attackers are scared enough, they will have to change their strategies, and this will influence their attacks’ cost-benefit, leading to a slow down which will ultimately benefit everyone. 

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

EVENT CALENDAR

No upcoming events.

LATEST PRESS RELEASE

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858