The Remote Desktop Protocol (RDP) is a critical attack vector used by evil threat actors, including in ransomware outbreaks. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched screen, keyboard, mouse, clipboard and file collection capabilities. We then built a honeynet composed of several Windows RDP servers exposed in the cloud. We ran them for three years and accumulated over 150 million events, including 100 hours of video footage, 570 files collected from threat actors and more than 20,000 RDP captures.
To describe attackers' behaviors, we characterized the various archetypes of threat actors, grouping them by their traits using a Dungeons & Dragons analogy. The Bards, with no apparent hacking skills, perform obtuse searches or watch unholy videos. The Rangers stealthily explore computers and perform reconnaissance, opening the path for other characters. The Thieves try to monetize the RDP access in various creative ways, such as traffic monetizers or cryptominers. The Barbarians use a large array of tools to brute-force their way into more computers. Finally, the Wizards, securing their identity via jumps over compromised hosts, use their RDP access as a magic portal to cloak their origins.
Throughout, we will reveal the weaponry of these different characters such as dControl, xRDP Patch, SilverBullet and previously undocumented host fingerprinting tools. Lastly, we will use our crystal ball to show video recordings of interesting characters in action.
This presentation demonstrates the tremendous capability of RDP interception for research, for law enforcement (leveraging this open-source capability in ransomware takedowns) and for blue teams (extensive documentation of opportunistic attackers' tradecraft). An engineer and a crime data scientist partner to deliver an epic story of luring, understanding and characterizing attackers, which allows us to collectively focus our attention on the more sophisticated threats.