BSidesAugusta 2023

Olivier Bilodeau

Olivier Bilodeau leads the Cybersecurity Research team at GoSecure. With more than 12 years of infosec experience, he enjoys luring malware operators into his traps and writing tools for malware research. Olivier is a passionate communicator, having spoken at several conferences including BlackHat USA/Europe, Defcon, Botconf, Derbycon, and HackFest. Invested in his community, he co-founded MontréHack, is the President of NorthSec and hosts its Hacker Jeopardy.


Preferred Social Media

Twitter

Social Media User/Handle

@obilodeau


Session

10-07
10:00
60min
From RDP to D&D: Unparalleled Remote Desktop Monitoring Reveal Attackers Tradecraft
Olivier Bilodeau

The Remote Desktop Protocol (RDP) is a critical attack vector used by evil threat actors, including in ransomware outbreaks. To study RDP attacks, we created PyRDP, an open-source RDP interception tool with unmatched screen, keyboard, mouse, clipboard and file collection capabilities. We then built a honeynet composed of several Windows RDP servers exposed on the cloud. We ran them for three years and accumulated over 150 million events, including 100 hours of video footage, 570 files collected from threat actors and more than 20,000 RDP captures.

To describe attackers’ behaviors, we characterized the various archetypes of threat actors in groups based on their traits, using a Dungeons & Dragons analogy. The Bards, with no apparent hacking skills, make obtuse searches or watch unholy videos. The Rangers stealthily explore computers and perform reconnaissance, opening the path for other characters. The Thieves try to monetize the RDP access through various creative ways like traffic monetizers or cryptominers. The Barbarians use a large array of tools to brute-force their way into more computers. Finally, the Wizards, securing their identity via jumps over compromised hosts, use their RDP access as a magic portal to cloak their origins.

Throughout, we will reveal the weaponry of these different characters such as dControl, xRDP Patch, SilverBullet and previously undocumented host fingerprinting tools. Lastly, we will use our crystal ball to show video recordings of interesting characters in action.

This presentation demonstrates the tremendous capability of RDP interception for research, for law enforcement (leveraging this open-source capability in ransomware takedowns) and for blue teams (extensive documentation of opportunistic attackers’ tradecraft). An engineer and a crime data scientist partnered to deliver an epic story of luring, understanding and characterizing attackers, which allows us to collectively focus our attention on the more sophisticated threats.

Track 2