With our RDP interception tool, we collected a great deal of information (screen, keyboard, mouse, metadata) about opportunistic attackers, and we have it on video. An engineer and a crime data scientist partnered to deliver an epic story, presented for the first time at BlackHat USA under the title “I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers’ Tradecraft”. It covers luring, understanding and characterizing attackers, which allows us to collectively focus our attention on more sophisticated threats.


The Remote Desktop Protocol (RDP) is a critical attack vector used by threat actors, including ransomware groups. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched screen, keyboard, mouse, clipboard and file collection capabilities. You can learn more about the tool in our previous blog posts. We then built a honeynet composed of several Windows RDP servers exposed in the cloud. We ran them for three years and accumulated over 190 million events, including 100 hours of video footage, 470 files collected from threat actors, and more than 20,000 RDP captures.

The collected data allowed us to study attacker behavior and to classify attackers into distinct groups, which are presented below.


Ranger

Rangers explore all the folders on the computer, check the network and host performance characteristics, and run reconnaissance by clicking around or by using programs and scripts. No other meaningful action is undertaken. Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later. To see a ranger in action, view a recorded session on YouTube.


Thief

Thieves try to monetize the RDP access. After taking control of the computer by changing the credentials used to access it, they perform various activities that aim to take advantage of this access: they use tools like traffmonetizer (proxyware) and monetized browsers (participating in pay-to-surf schemes), they install and run cryptominers, they download Android emulators (mobile fraud), etc.


Barbarian

Barbarians use a large array of tools to brute-force their way into more computers. They leverage the compromised system to attempt to compromise other systems, working from lists of IP addresses, usernames and passwords. Here we can see a barbarian using Masscan, a brute-forcing tool.


Wizard

Wizards use the RDP access as a portal to connect to another computer that was compromised in a similar fashion. This strategy is good operational security: they hide their identity by hopping through compromised hosts, and they demonstrate a high level of skill by carefully living off the land while doing so. Being able to monitor and see the actions of these attackers is of utmost importance for threat intelligence gathering, as it enables defenders and researchers to reach deeper into compromised infrastructure. You can see a wizard in action by following this YouTube link.


Bard

Bards are individuals with no apparent hacking skills. They access the system to accomplish basic tasks, like looking for viruses through a simple Google search or watching pornography. The evidence suggests that they bought the RDP access from someone who compromised the system for them, also known as Initial Access Brokers (IABs).


Understanding and characterizing attackers allows us to collectively focus our attention on the most popular modus operandi and on the more sophisticated threats. In the coming months, we will detail the tools used by the different threat actors in our attackers’ weaponry blog post series. Stay tuned to learn more.
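To make the characterization above concrete, here is an added example (not part of PyRDP or of the original post) that sorts a captured session into the five profiles from observable behaviours. The event layout (a list of `kind`/`detail` records) and the indicator keywords are assumptions; `net user`, `mstsc`, `tasklist` and `netstat` are real Windows commands, `masscan` and `traffmonetizer` are named in the post, and the remaining names are constructed placeholders.

```python
"""Rule-based profiler that sorts an RDP honeypot session into the five
behaviour groups described in the post (ranger, thief, barbarian, wizard,
bard). Added example, not part of PyRDP; the event layout and the
indicator keywords are assumptions mirroring the post's descriptions."""
from collections import Counter

# (substring to match in the event detail, behaviour tag, profile)
INDICATORS = [
    ("net user",       "credential_change", "thief"),      # takes over the account
    ("traffmonetizer", "proxyware",         "thief"),
    ("miner.exe",      "cryptominer",       "thief"),      # constructed placeholder
    ("emulator",       "android_emulator",  "thief"),
    ("masscan",        "scanner",           "barbarian"),
    ("passwords.txt",  "credential_list",   "barbarian"),  # constructed placeholder
    ("mstsc",          "outbound_rdp",      "wizard"),     # pivots to the next host
    ("search?q=",      "web_search",        "bard"),
    ("tasklist",       "host_recon",        "ranger"),
    ("netstat",        "network_recon",     "ranger"),
]
# Ranger is the fallback: recon alone, with no monetisation, brute forcing
# or pivot, is what defines it, so any other matched profile outranks it.
PRIORITY = ["wizard", "barbarian", "thief", "bard"]

def tag_events(events):
    """Return the (tag, profile) pairs matched by a list of {'kind','detail'} events."""
    tags = []
    for ev in events:
        detail = ev["detail"].lower()
        tags.extend((tag, prof) for needle, tag, prof in INDICATORS if needle in detail)
    return tags

def profile_session(events):
    """Pick the dominant profile; ties go to the more capable actor in PRIORITY."""
    counts = Counter(prof for _, prof in tag_events(events))
    ranked = [p for p in PRIORITY if counts[p]]
    if ranked:
        return max(ranked, key=lambda p: (counts[p], -PRIORITY.index(p)))
    return "ranger" if counts["ranger"] else "unknown"

# Constructed sessions in the assumed event format (not real captures).
THIEF_SESSION = [
    {"kind": "process", "detail": "cmd.exe /c net user Administrator N3wP@ss"},
    {"kind": "file",    "detail": "C:\\Users\\Public\\traffmonetizer_setup.exe"},
    {"kind": "process", "detail": "C:\\ProgramData\\miner.exe --pool example"},
]
WIZARD_SESSION = [
    {"kind": "process", "detail": "tasklist /v"},              # living off the land
    {"kind": "process", "detail": "mstsc.exe /v:203.0.113.7"}, # hop to another host
]
```

Run `profile_session(THIEF_SESSION)` and `profile_session(WIZARD_SESSION)` to get `"thief"` and `"wizard"`; a session containing only recon commands falls back to `"ranger"`.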


Conclusion 

This presentation demonstrates the tremendous capability of RDP interception, not only for research, but also for law enforcement and blue teams. Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence from recorded sessions for use in investigations. Blue teams, for their part, can consume the IOCs and roll out their own traps to further protect their organization, since this gives them extensive documentation of opportunistic attackers’ tradecraft. Moreover, if attackers are scared enough, they will have to change their strategies, which alters their attacks’ cost-benefit balance and leads to a slowdown that ultimately benefits everyone.
