Thanks. All right. So we were hustling and stressing because we have a Diablo font and it was not working. So this is why we switched laptop last minute, and like, we really want the thing to be themed properly. And so, for you to enjoy this thing, this is quite an adventure that we're gonna talk about today.

Disclaimer: there's a lot of nerdiness in there. There's a lot of tongue-in-cheek references to Dungeons & Dragons. Those who don't know, I'm sorry; those who do will enjoy it. We were inspired by Stranger Things last year, obviously, which made it very popular, brought it to the forefront, but also the movie Dungeons & Dragons: Honor Among Thieves that was out in March when we were doing the CFP, obviously. And I am a big Dungeons & Dragons player, so we thought we could pull it off. Thank you. We thought we could pull it off because it was in the mainstream, right? It is trendy, but we're gonna end the pop culture references here. It's gonna be like the more OG Dungeons & Dragons stuff.

So I'm Olivier. I'm a cybersecurity research director at GoSecure. And I'm Andréanne. I have a PhD in criminology and I also work as a cybersecurity researcher at GoSecure, so I'm interested in criminal behavior and decision-making. Thank you.

So, today's quest. All right, so our agenda, if you want: we're gonna talk about RDP interception. You need to understand what's possible and how it can be done and what tools we used, but this is not the core focus of this presentation. We were then gonna dive into attacker classes, so like barbarians and thieves and stuff like that. We summarize over 190 million evidence, and an evidence is basically a log line.
So, a JSON log. We're gonna summarize what we collected. Then we're gonna talk about the tools of the hacker, what they use, their weapons, their swords and their axes and shit. And we're gonna then show some really cool, interesting, memorable sessions. So here are the characters we're gonna cover today, so pretty dark-themed and stuff like that, custom art made by a friend from Montreal. And let's go.

So, why RDP? Why, Olivier, are you so insane about RDP, not giving up after four years, still at it? It's because it's targeted by humans. I've run SSH and Telnet honeypots for four years and these are attacked by scripts and, you know, malware, automated stuff. There's not the richness, the human-behind-the-keyboard aspect. When we started doing RDP research I expected automated malware, I expected bots, but this is not what happened. What happened was a lot of human interactions, and so this is why it's very interesting and really ripe for research, ripe for intelligence collection.

But Olivier, you keep talking about RDP. What is RDP? Okay, I'm like way too into this, sorry. So, on the left-hand side, this is the MSTSC client. So basically RDP is, you know, Remote Desktop Protocol. It is a client that allows you to connect to a remote computer and then interact with it graphically, so you have the display, you have the keyboard, you have the mouse, you have sound, and the clipboard and files can be shared via RDP. So we are on the same page; we understand what this is about now.

The attacks that are done, what allows us to study RDP at this level, is because of a tool called PyRDP. I have stickers in my bag if you want, of the logo made by the same guy who made the art for this talk. It is an interception engine, so it can intercept everything, record everything, and you can tamper with the RDP, and you can watch after the fact, after everything is collected.
You can look at the captures that were done. So everything we present today was powered by, or enabled by, PyRDP. Now let's take our crystal ball and take a look at what the tool looks like.

All right, so here, this is our tool. It's the PyRDP player. This is what we see when we analyze the sessions. So when it starts in a second you'll see the screen of the attacker and everything that's going on on it, and then you'll see the mouse movement with the little yellow dot, and then here you'll see everything that goes through the clipboard and the keyboard, so everything that he types or copy-pastes, and at the beginning of the session, like here, you see the host and the domain they use to connect and the credentials they use also.

So it starts. Right here we see the clipboard; the first thing we steal is our IP address. It's the last thing he copy-pasted, basically. Here we see the attacker type and we see everything, and even here he will change the credentials to enter the session, and even if we don't see it on the screen we see it in the clipboard capture. What's interesting here is that the attacker pastes his C drive directly on our system, so we can basically steal everything. And here he proceeds with his activity, which is using XMRig. So it's basically a surveillance camera for Windows systems.

So, the way we deployed this: we deployed this in the cloud, and we exposed only the PyRDP system. You can see in this diagram that we carefully firewalled, with OG castles, our system. So the Windows system was not exposed directly; you had to go through the RDP interception engine in order to reach it. This is what we want to convey here.
That is important. And if you want to learn more about PyRDP, since this talk is not about PyRDP, there's a ton of references out there, a ton of blog posts, a ton of stuff, and the guy who first wrote PyRDP as an intern working with me is even here. Émilio, shout out to Émilio Gonzalez. So you can see his talks, his blog posts and his presentations about it. But now we collected data with it, and let's talk about that.

So welcome to the Dungeon Adventures. Sorry about that. So what we have is, we collected events for over three years, 190 million events as I said earlier. This is like 21 million NetNTLMv2 hashes, because we support NLA, Network Level Authentication. We have like 2,500 successful logins. Okay, I'm gonna give you an insight: our password is admin. So 2,000 people figured that out. And then we collected via that 478 files and more than 2,300 valid captures that we could replay, see the keyboard, the clipboard, mouse movement, all of that stuff.

Some of those sessions are related, right? The attacker might connect to our system more than once, for example, and there's a couple of evidence that we can observe to group them. So the first one would be like, if they change the password and then come back on our system with this password, so we know it's the same person, or when there's a continuity of activities throughout the different sessions. So those are all evidence that we use to group them, and when we group them, the final number is that we have 95 different attackers or groups of attackers. So from the 2,300 sessions there are 455 sessions with some content, so they actually connect to the server and open the system, but they are not all interesting because sometimes they just connect and disconnect. So over that there are 339 sessions of interest that we analyzed, and this is what we are presenting today.

If we take a look at the indicators of the MITRE ATT&CK framework, this is what we get. So there's a lot of Resource Hijacking, System Network Configuration Discovery, Active Scanning including Scanning IP Blocks and Wordlist Scanning. So basically what you see the most is reconnaissance and discovery.

So let's see what are the different profiles of behavior that we see in our sessions. This is our party. There's five different profiles and we will see them one by one. Yeah, one by one. So maybe you didn't notice it already, but this one is the Ranger, and he's stealthy, you'll understand why. So the Ranger will explore all the folders of the computer and/or check the network and host performance characteristics. They run reconnaissance programs or scripts, and/or they can also run this reconnaissance just by clicking their way through, like opening the Task Manager, looking at the CPU performance and then Googling our IP address, and they do not perform any other meaningful action in our sessions, so they just run reconnaissance. So we hypothesize that they might be evaluating the system for others to use, or to use later.

I'll show you a Ranger in action. So here, yeah, it started. Here he will paste two binaries on the desktop to run. Those are ready scripts that just grab the information of the system. So he runs the first one and then runs the second one. He copies the information of the computer and we steal that through the clipboard. And then, before leaving, he will erase all his traces and leave. Okay, so this is a typical Ranger in action.

The second character is the Thief. The Thief will monetize the RDP access in many different ways. So the tools they use will be like proxyware, monetizing browsers, monetizing browsers that participate in pay-to-surf schemes. After that there's a crypto miner, an Android emulator to do fraud, so all kinds of different things to monetize the access. And I'll show you two examples.
So the first one here, the person is using Traffmonetizer, which is a residential proxy enabler. He'll connect to his account, and then you can see, so they use it to pass third-party traffic through our system and then get paid for doing so. So you see the amount of money that he is making with our session, which is not a lot, by the way.

The second example of a Thief in action will be this one that uses a crypto miner called XMRig. So he launches a crypto miner, connects to his wallet with his creds and everything, he chooses Bitcoin Gold to mine, and at the bottom you see the local hash rate and the effective hash rate that goes on, and during that he can conduct any other activity at the same time, with any tool.

So the third character is the Barbarian. The Barbarian, you'll understand by the name of the character that they use a large array of tools to brute-force their way into more computers. They compromise other systems by working with IP addresses, usernames, lists of passwords. And here is the Barbarian in action. So here the person is using Masscan GUI more particularly, so there's an interface, easier to use. Here they enter the RDP port, 3389, and choose the country that they want to target, in this case Vietnam, launch the attack, and it's as easy as that.

The fourth character is the Wizard. The Wizard is my favorite one because they are the most skillful ones. They use the RDP access as a portal to connect to other computers. So they secure their identity via a jump over compromised hosts. They are the ones who showed the highest level of skills, and I'll show you in this session right now. So they are on our RDP session and then they connect to another session through our system. And so you see that in our session the Wizard is fileless.
They do not require you to install any code or script within the target system; instead the attacker uses tools that are already present in the environment, and in this case it's RDP. So you see that there's a session opened here in which NLBrute is open, so they launch an attack using a brute-force tool, and here we see that they use a ghost user. We will come back to this; it's connected to a tool they use to enter other RDP sessions, and we will talk about it in a second. So he is monitoring his NLBrute activities on two other PyRDP sessions, through two other PyRDP sessions. So this makes it far more difficult to detect, especially if the organization is leveraging traditional security tools that will search for known malware, scripts or files. They can stay there forever before being flagged, basically, and they leave no artifacts behind.

And the last character. I said that the Wizard was my favorite one, but this one is my favorite one. So, the Bard. The Bard in Dungeons & Dragons, I don't want to start a debate here, but in Dungeons & Dragons it's sometimes considered as the small contributor or the annoying team player. So here, in this case, the Bard has no apparent hacking skills, okay? So they will use our system to make basic Google searches, to watch porn and to download movies, etc. So we think that they might have bought their access from someone else that compromised the computer for them. And just for the laughs, I need to show you a Bard in action. So here we see a basic Google search about the strongest virus ever, and he will, you know, look for information about that, read a bit on that. I just translated what is going on on this page; basically just information about the strongest virus. Here, another virus script. He looks around, but like, it doesn't last very long.
He's done right away and goes to watch porn. So there's a couple of searches about porn, so porn.com, sex.com, sex.org. He's trying really hard, a Ryan porn, and then we can see the beginner level of porn consuming, as he is looking for porn on YouTube. He even types Pornhub, so he knows about it, but it's like, you know, it's hard. It's hard.

Why porn? So there are some countries with internet censorship, and the censorship includes a ban on pornography. And also they often block VPNs and other tools, so they might use our RDP access just to go around those bans.

So if we look at the number of RDP sessions associated with each profile, this is what we get. So you see a lot of Barbarians, a lot of Rangers, and after that Thieves, Bards, Wizards. And the profiles are not mutually exclusive. They might intertwine. This is what we get when we observe this mix, so a Ranger might also do Barbarian actions. So yeah.

What about the weaponry, Olivier? Yes, yes, yes. So we did build some kind of character sheets for the weapons, because I'm a geek and a Dungeons & Dragons fan.
So here we go. The xDedic RDP Patch is a Ranger tool, so it is what we saw earlier that created the ghost user account. It's basically a turnkey GUI tool that creates an admin account and allows you to patch RDP in a specific way, in the sense that it will allow desktop versions of the operating system to have concurrent sessions, which is not allowed usually; you need like a specific license or you need a server-type system. But this will enable that, meaning that the computer can be used while it's used legitimately. And the patch is actually very well done. It's a different binary that is embedded in the xDedic tool and it survives OS updates and stuff like that; like, it's a really clever tool. So we see this as a persistence mechanism. It has a high detection ratio on VT because it's super packed. The xDedic group was taken down, but the tools still exist and are still available.

Next up we're gonna talk about NLBrute. Andréanne mentioned it earlier. NLBrute is the RDP brute-forcing tool. It is a super effective one. If we have pen testers or red teamers here, this stuff is better than, you know, Hydra or Nmap, but I wouldn't run it on a system besides a VM. Again, super packed; the versions that you can download online are like cracked and/or probably backdoored. It has a relatively high VT detection ratio. However, some of the samples that I've seen are undetected by CrowdStrike, ESET, F-Secure, Kaspersky for instance. So the detection ratio is still high, like 15/62, but the 15 are like all AI stuff that probably has a lot of false positives. The guy who wrote it got arrested and extradited to the US early February, so we will probably not see updates for a short while.

So next up is Masscan GUI, a tool used by Barbarians.
It is like a, you know, wrapper around Robert Graham's masscan, a very effective internet scanner, but it dumbs it down so that anyone can use it, and you can choose a country. So it has like pre-filled configurations in it if you want to target a specific country. Something that I didn't realize, because we have a lot of instinct about attackers, right, because we do that, we research, you know, threats and we read a lot of blogs, but one thing that surprised me is the pivoting capabilities of the Barbarians. So when they compromise a specific system, they go after nearby networks or the whole internet. But for instance our stuff was in AWS, and so we feel that when they realize it's in AWS they're happy, because they're like, oh, maybe some organization whitelisted AWS ranges. And so they scan the whole internet, like super triggered. So we think that this is some of the stuff that they do, and it allows them to reach stuff that wasn't reachable before, or via other compromised infrastructure. So a tool like Masscan GUI kind of is important for them to penetrate into deeper networks and more networks.

The next one is a weird one, SilverBullet. It's a Burp-like web application security pen testing tool, if you want, but the comparison with Burp fell short really quickly, because it's proxy-first. So in Burp you use one proxy and then you, you know, do your tests and stuff like that, but this is like, give me a hundred proxies. So clearly this is about credential stuffing, you know, popular services like PayPal, Gmail and Netflix or whatever. It comes with pre-made configuration kits, a whole scripting language. It is super talked about on Telegram; there are channels dedicated to sharing configurations.
So it's a very big tool for people who compromise online accounts, clearly very little legitimate use, but it's distributed on GitHub and they talk about it openly on GitHub. And this is from the GitHub page, and they say like this is for scraping, parsing data, automated pen testing, uses Selenium or whatever. But look at this. Like, if we check the tabs that are in there, it's like top-level tab Proxies, where you provide hundreds of proxies that you want to use; second tab, Wordlists. I mean, what pen test tool would expose wordlists as a first-class component in your tool, right? And then you have like CAPTCHA bypass, you have OCR, so character recognition, you have Cloudflare bypass built into the configurations. So clearly, again, little legitimate use, or, you know, it's shady, really shady. Now on their website, they even like drop the language about automated pen test. They basically say like it's illegal, but they talk about credential stuffing. It's like, oh yeah, we're a web pen testing tool. No, we're a credential stuffing tool, right? This is making it very clear. But what I like the most about this, clear disclaimers like this: of course, you say it's for research only, this is gonna stop cybercrime. Fuck them. Oh, sorry about that.

So, moving on to the next thing. We have the Windows Defender remover script. So a lot of Defender bypass technology was used, and it's interesting to describe especially this one because it has a zero VirusTotal detection rate. But so it's a wrapper around install_wim_tweak, which is considered a legitimate package. It allows you to change... Microsoft's OS can be customized by unattended stuff, right? And it allows you to alter the OS packages like you would do for a POS or for an ATM, for instance, if you are stupid enough to use Windows for an ATM. But it unhides the OS packages that are protected, allows you to remove the Defender package, and then it will repack the Windows packages.
So Windows still works afterwards. But so this is pretty crazy, because it is basically legitimate software. However, I want to say it doesn't work on Windows 11, even with Tamper Protection removed. So we've seen this work on Windows Server 2016. Haven't tested more than that because I was, you know, busy creating nice character sheets for the attack tools. But so it could, like, you know, become obsolete with time, but it is effective today.

Another one that I wanted to talk about is dControl, or Defender Control, and this one is shared online as a freeware from a super shady site. It is super packed, has a high VT ratio, and I think they're not gonna update it. But so this tool is used by the luckiest Russian ransomware group; like, we know it's linked to them. So we know that it is used by ransomware groups out there. It disables Defender and unloads the driver. So it's effective, doesn't require reboot, whereas the other tool does require reboot. But it's been super well documented by The DFIR Report, so if you guys want to detect this, I think we even provide Sigma rules and stuff like that. So I would advise you check that.

And last but not least is Gammadyne Mailer.
So this is a turnkey, noob-friendly phishing tool, so it can be used for spear phishing but also spam, so it does the whole spectrum of email flows, has a templating engine and all that stuff. It is basically making it possible for people to send, you know, good emails and whatnot. But we think that the IP reputation of compromised systems is probably what attracts people to deploy tools like this in honeypots, so that they are able to send their spam. It is not detected by, like, CrowdStrike, ESET, F-Secure, Kaspersky, Microsoft. So it has a low detection ratio, and we know it's not... but then again, like all of the samples I shared in the IOCs I provided, I uploaded all of them on VT, so the detection ratio will probably increase. Hopefully, so we're gonna be good when it detects this very soon.

There is a lot more tooling, and our aim is to document them via our blog. As you know, some of them don't need documentation, but some of them do, and share, you know, hashes and Sigma rules for detection. So if we take this list that we just saw, all the tools that we presented, and we classify them by objective, this is what we get. So a lot of scanning and attack; then there are enabler tools that they use all the time; monetization, download, communication. By communication I refer more precisely to Telegram. So they use Telegram to communicate but also to transfer files; we see that a lot.

So let's go back to our crystal ball. We wanted to show you some interesting observations that we saw during our research. So first, the attackers might work in teams. Okay, here we see the person downloading NLBrute while on the clipboard we see appear, I'll translate it right now, "Why did you delete all applications?" with a broken heart. So, downloading the tools again.
They were there on a previous session, but then he has to download again and then communicate with someone else to show his disappointment, or hurt, disappointment.

After that, there are some attackers who do not speak English, and that might be funny sometimes. So here the person is playing around with some credit card on Google Ads, and then a pending approval message appears and the person has no clue what's going on, so copies it, goes into Google Translate, and then even goes and chooses the exact language the person speaks. So really, you cannot beat this level of attribution. So, Arabic here. And we have a couple of sessions with people who do not speak English, who look like they do not speak English or at least their basic language, their principal language, is not English. And when we analyzed those sessions, so it's 45 sessions in which we are sure of the attribution of the language, which is not all the data set, but this is what we get. So Arabic first, and then Farsi or Persian, Cyrillic, Vietnamese and Chinese.

And the last video we wanted to show you is how great our tool is to collect intelligence. So here the person is connecting to their Telegram account, so they will enter their cell phone number, their phone number. Obviously they could use a burner phone, right? But here, when we look at the IP address, it corresponds to Algeria. And then like their password, of course, that we can steal through the clipboard. And then once they connect to their Telegram we can see all the chat rooms in which there's some illegal stuff going on. So, to start an investigation, that's a lot of useful information.

What about the endgame?
Yes. We're now near the end of the presentation, so it's time for experience points, of course, and loot, right? But so I'm still going to spend some time trying to really convey the level of enthusiasm I want you guys to leave with around RDP research and interception.

So this is how we deployed our environments. We made the Windows machines, like the box in the middle, we made sure to stream the logs to a message queue as quick as we can in order for it to be destroyable. So we really don't like to give free infrastructure to bad guys. So when we have anything that is, you know, misused, we will destroy the infrastructure, because it's faster to destroy than to investigate. But this means that, in order not to lose evidence, we needed to have something streaming to our stuff, right? So all open source stuff, but like streaming logs to RabbitMQ or syncing binary artifacts to object storage. And then we are slurping these inside an Elastic, where we query it via Jupyter, RStudio as well, so some R language code for like latent class analysis and stuff like that, and then good old Excel because it's just fast, you know. But after a million records or events Excel just blows up, so you need the Python cool kids tools. Everything was deployed using Docker Compose and then the infrastructure was Terraformed, and we were recreating, like destroying the honeypots and recreating them so that we get fresh bad guys, using GitLab CI/CD automation.

Now, what we talked about today is the Rangers, right, on the left.
They are the largest group and clearly the ones that we want to go after next, right? We're gonna increase the deception that we do and make sure that we understand what they are after, because they're the big group and they open the path to others. Then there's the Bard, of questionable technical skills and appetite, as Andréanne showed you earlier. We saw the Thieves. Thieves for me represent what cybercrime is about, and this is a takeaway I think important for our industry. They are about monetizing everything. They are not after your organization necessarily; like, most of cybercrime is like that, right? Of course there are spies and state actors and stuff like that, but there's a ton of cybercrime out there that is just opportunistic. The Wizards are the scariest group in my opinion and Andréanne's opinion, because they are doing the living-off-the-land stuff. They leave no artifacts, are really stealthy. And the Barbarians, last but not least, they just brute-force their way around, as I was saying earlier, like compromising new infrastructure, and it is successful, unfortunately.

Now, researchers: like, RDP is ripe for attacker study. It attracts humans, not scripts, so it's super cool to do. For blue team: we have a repository called malware-ioc on our GitHub; the link is at the end of the slide deck. It's in the slide deck that is shared on the DEF CON servers already. You can consume the IOCs, but we also want you to try to roll out your own traps. You can do it externally, you can do it internally. Internally, this is like a low false positive rate alarm system, but you must make sure that you have the proper alerting in place. What's cool about doing that is the video captures talk so well to management. This is not a sequence of logs that, you know, people don't understand. This is like, he did this, he was after that, like directly show it in your face, the attacker, right?
So this is why it's powerful. For law enforcement, we want you to go after the ransomware groups. This needs to end, right? We are really in a... I mean, ransomware groups are like the exploit kits of the 2010s, something like that; like, we need to fix that problem. And the reason why RDP interception is relevant in that context is because they use compromised infrastructure, a lot of RDP compromised infrastructure. When you look at the metadata, like law enforcement would do in lawful contexts, you will have like SMTP out to Office 365, SMTP out to Google. But what does that tell you? You have no victim information, you have nothing, right? If you lawfully intercept the RDP you see them write the emails that they send; you can go after the victims. It's a very effective way to build a case quickly, in my mind. So like, I'm giving this open source for free so that you can change the world and fix this shit. I'm really passionate about that, by the way. Sorry.

Yeah, I guess this leads well into the: if the attackers fear getting caught, you know, they will slow down, and this is what this is about. It might sound irresponsible, what we're doing, but it is not, because we're there for the good game and we're trying to solve the world's problems, or one of them.

So, one more thing, you know, Apple style. PyRDP is open source and we released three days ago our fq binary parsing tool. So fq is like jq for binary files. So with this you can, you know, do analysis at scale on captures that you have. So yeah, it's out there; if you want to contribute to it, we would appreciate it. And with that we are done, folks. You've been generous, you've been amazing. Thank you so much.

Yeah, we have time for questions, I think. Do we take questions? Five minutes. Five minutes. All right. Yeah, so I don't know how questions work, but yeah, do people yell, or are there microphones?
So there's a microphone in the back, but if you're willing to yell, yell and I'll repeat the question. The question is how am I getting around Amazon's abuse policies? I told them I'm doing this type of research. So, all the cloud providers, I open a support ticket, which I screenshotted, which I printed, which I tattooed on me, saying I'm gonna do this, and Amazon, I never got anything from them, zero. But at the same time, if you block broadly you piss off your customers, so I understand they're not doing it, right? And I'm not doing hypervisor level; we're not doing hypervisor-level attacks or whatever. It's just RDP. So yeah, and it all comes from one IP if you think about it, right? But they know they're not blocking outbound, and yeah. So no harm, and it's for research, and I am affiliated with a security organization. So maybe if you do this under your own name you could have problems, but I didn't face any. Good question, by the way. Oh, I was censored right there. I asked, are you working for Amazon? Okay, all right.

Any other question? Yes, you want to take that? So the question is how long did we do the collection for. So the data were collected over three years, but like the system was not always up, because it was in development, right? So it's three years of data, on and off. Other questions? Yes.

So he asked for an overview of the fq tool. So, you know jq? It's like a linter, prettifier and a query tool that is using like CSS selectors for JSON stuff. So it's basically the same thing, using a very similar language, for binary files like PEs or pcaps or stuff that people provided support for. It's really nice. So if you've used 010 Editor templates, they have their own language which allows you to dive into binary files. It's very similar, but in a scripting way, so like tshark is for pcaps, basically. So with this you can say, so when you pass an RDP capture into it,
it's seen as an array of events, and they have types. So there is client information, mouse, you know, display and stuff like that. So you could say, I want the keyboard events if they match these characteristics, list them out. And so this is why we could do stuff like, we want to find credentials in general, and then we could provide a list of restrictions and so we would get out only that. So if you're doing binary research on any binary stuff at scale, like thousands of files and stuff like that, super interesting.

Yes, how big is a file? You want to take it? Okay, so because you saw like the large file, so we went after size first. But so what's interesting is that if you don't do a lot they're gonna be small. The window is tiled and then compressed, but if for example you watch porn, not that I encourage that, I've never done it myself, but it is gonna be huge, because you're sending a ton of tiles and Windows cannot cache any of it. But if you're using explorer.exe and stuff that Windows knows really well and can cache, then they are small. At some point she was going after the large ones, and I thought that the large ones would be the most interesting ones, or the longer sessions, and it was only porn. So I was like, one week of porn. I was like, I cannot believe I did a PhD to watch porn. Porn at work, which I had to clear with HR, by the way. I was like, she's gonna watch porn, but it's research. Yeah, but the second week of analysis, it was way better. Like, it's not... yeah, it really depends what they do on the session. But they're not so large files. And I also said, like, if you're not okay with this we'll find someone else; like, it's not mandatory. Cleared myself out of a problem.

Yes. So the question is, were people able to identify that we were a honeypot? What's your feeling about this, like, did they realize that it's fake?
Oh, so yeah, there's not much of them realizing anything, because of course they connect to their own personal emails and things like that, so obviously they do not know. But there was one guy at one point, one guy or girl at one point, that just ran a little reconnaissance and then opened Notepad and then wrote "lol" and disconnected. So I was like, oh, maybe he knows, but we are not sure about that. Yeah, we're done. Thank you, folks. Thank you. It was nice; you've been super generous.