
I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers' Tradecraft

Black Hat · 1,732 views · 39:24 · about 2 years ago

This talk demonstrates the use of a custom RDP man-in-the-middle tool to capture and analyze attacker activity in real time. The researchers deployed a global network of RDP honeypots to collect over 190 million events and categorized attackers into five distinct personas based on their behavior and toolsets. The presentation highlights how attackers use RDP for credential stuffing, cryptomining, and as a pivot point for further network compromise. The researchers also released their RDP interception and analysis tools to the open-source community to support threat intelligence and defensive monitoring.

RDP Honeypots Expose the Human Element of Automated Attacks

TLDR: Researchers deployed a global network of RDP honeypots to capture 190 million events, revealing that many RDP attacks are driven by human operators rather than fully automated bots. By using PyRDP, the team intercepted and replayed these sessions to categorize attacker personas ranging from simple script kiddies to sophisticated actors. This research provides actionable intelligence for defenders to identify and block the specific toolsets and behaviors used in these persistent RDP campaigns.

Remote Desktop Protocol remains one of the most reliable entry points for attackers looking to gain a foothold in corporate networks. While most security teams focus on patching vulnerabilities, the reality is that attackers are often already inside, using legitimate administrative tools to move laterally. The recent research presented at Black Hat 2023 by Olivier Bilodeau and Andréanne Bergeron shifts the focus from theoretical exploits to the actual tradecraft observed in the wild. By treating RDP as a high-value target for intelligence gathering, they have mapped out exactly how different classes of attackers interact with compromised systems.

The Mechanics of RDP Interception

The core of this research relies on PyRDP, a man-in-the-middle tool that allows for the interception, recording, and even real-time manipulation of RDP sessions. Unlike standard logging, which might capture a failed login attempt, PyRDP provides a full visual and keystroke-level audit of what an attacker does once they gain access.

For the study, the researchers deployed a global network of Windows-based honeypots. By firewalling these systems to accept traffic only from their interception layer, they ensured that every interaction was captured. The resulting dataset of 190 million events is not just a collection of noise; it is a behavioral map. When an attacker connects, the tool records the session, allowing the researchers to replay the activity later and identify the specific tools being deployed. This matters because it moves beyond static indicators of compromise such as file hashes, which are easily rotated, and focuses on the TTPs (Tactics, Techniques, and Procedures) that define an attacker's workflow.

Categorizing the Attacker Personas

The researchers identified five distinct attacker classes, each with a unique approach to monetization and persistence.

  • Rangers: These are the scouts. They explore the system, check performance characteristics, and run reconnaissance scripts. They rarely perform destructive actions, suggesting they are often evaluating the system for sale to other threat actors.
  • Thieves: These actors are purely focused on monetization. They deploy tools like Gammadyne Mailer for spam campaigns or set up cryptominers. Their goal is to extract immediate value from the compute resources.
  • Barbarians: These are the brute-force specialists. They utilize tools like NLBrute to compromise additional systems. They are aggressive and noisy, often working with massive lists of credentials.
  • Wizards: The most dangerous group. They are fileless, highly skilled, and use native tools to maintain persistence. They jump through multiple hosts to obfuscate their origin, making them incredibly difficult to track.
  • Bards: These are the least sophisticated actors. They often lack basic hacking skills, using the system for personal tasks like browsing or watching videos. They likely purchased their access from an initial access broker.

Technical Tradecraft and Tooling

The research highlights a striking reliance on specific, often "cracked," tooling. For instance, the use of Masscan for rapid internet-wide scanning is a staple of the Barbarian class. When combined with a GUI wrapper, it becomes a turnkey solution for attackers who lack the technical depth to manage complex command-line operations.

One of the most striking findings is the use of DefenderControl to disable security features. This tool is frequently used by Thieves and Rangers to ensure their malicious payloads are not flagged by Windows Defender. The fact that these tools are widely available and often bundled with malware suggests that the barrier to entry for RDP-based attacks is lower than many organizations assume.

For a pentester, this research is a goldmine. It provides a clear picture of what "normal" attacker behavior looks like in an RDP session. If you are conducting an internal assessment, you should be looking for these specific patterns: unauthorized RDP sessions that originate from unexpected jump hosts, the presence of known brute-forcing tools in temporary directories, and the systematic disabling of security services.

Defensive Strategies

Defending against these threats requires more than just strong passwords. Organizations must implement robust monitoring that goes beyond simple authentication logs. If you are a defender, you need to be looking for the TTPs identified in this research. This includes monitoring for the execution of known offensive tools, tracking unusual RDP session durations, and implementing strict egress filtering to prevent compromised systems from participating in botnets or cryptomining operations.
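The two previous sections describe what to hunt for in an RDP session: logons from sources that are not an approved jump host, known offensive tools (NLBrute, Masscan, DefenderControl, Gammadyne Mailer) launched from temporary or public directories, and sessions of unusual length. The script below is an added example, not code from the talk or from PyRDP: it correlates constructed, simplified log records (loosely shaped after Windows Security 4624/4634 logons and Sysmon process-creation events) per logon session and reports those findings. The approved jump-host list, the duration threshold and the tool-name substrings are assumptions for illustration.

```python
import json
from datetime import datetime

# Constructed sample records, one JSON object per line. Field names are simplified;
# they are not real PyRDP, Security-log or Sysmon output. Logon type 10 = RemoteInteractive.
SAMPLE_LOGS = [
    r'{"ts":"2023-08-01T10:00:00","event":4624,"logon_id":"0x1a","logon_type":10,"src_ip":"10.0.5.20","user":"admin"}',
    r'{"ts":"2023-08-01T10:01:10","event":1,"logon_id":"0x1a","image":"C:\\Windows\\Temp\\NLBrute.exe"}',
    r'{"ts":"2023-08-01T10:02:00","event":1,"logon_id":"0x1a","image":"C:\\Users\\Public\\DefenderControl.exe"}',
    r'{"ts":"2023-08-01T10:03:00","event":4634,"logon_id":"0x1a"}',
    r'{"ts":"2023-08-01T11:00:00","event":4624,"logon_id":"0x2b","logon_type":10,"src_ip":"10.0.1.5","user":"helpdesk"}',
    r'{"ts":"2023-08-01T11:05:00","event":1,"logon_id":"0x2b","image":"C:\\Windows\\System32\\mmc.exe"}',
    r'{"ts":"2023-08-01T11:10:00","event":4634,"logon_id":"0x2b"}',
    r'{"ts":"2023-08-01T12:00:00","event":4624,"logon_id":"0x3c","logon_type":10,"src_ip":"10.0.1.5","user":"helpdesk"}',
    r'{"ts":"2023-08-01T18:30:00","event":4634,"logon_id":"0x3c"}',
]

# Assumptions: tool-name substrings mapped to the persona that the talk associates with them,
# an approved jump-host allow-list, directories attackers commonly stage tools in, and a
# session-length threshold (4 h) beyond which an interactive RDP session is worth a look.
KNOWN_TOOLS = {"nlbrute": "Barbarian", "masscan": "Barbarian",
               "defendercontrol": "Thief/Ranger", "gammadyne": "Thief"}
APPROVED_JUMP_HOSTS = {"10.0.1.5"}
STAGING_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\appdata\\local\\temp\\")
MAX_SESSION_SECONDS = 4 * 3600


def analyze_rdp_sessions(lines, approved=APPROVED_JUMP_HOSTS, max_seconds=MAX_SESSION_SECONDS):
    """Group events by logon_id and return {logon_id: {start, end, src, user, duration_s, findings}}."""
    sessions = {}
    for line in lines:
        ev = json.loads(line)
        sid = ev["logon_id"]
        if ev["event"] == 4624 and ev.get("logon_type") == 10:  # new interactive RDP session
            sessions[sid] = {"start": ev["ts"], "end": None, "src": ev["src_ip"],
                             "user": ev["user"], "duration_s": None, "findings": []}
            if ev["src_ip"] not in approved:
                sessions[sid]["findings"].append(f"RDP logon from unexpected source {ev['src_ip']}")
        elif sid in sessions and ev["event"] == 1:  # process created inside that session
            image = ev["image"].lower()
            name = image.rsplit("\\", 1)[-1]
            for needle, persona in KNOWN_TOOLS.items():
                if needle in name:
                    sessions[sid]["findings"].append(f"known tool {name} (persona: {persona})")
            if any(d in image for d in STAGING_DIRS):
                sessions[sid]["findings"].append(f"execution from staging directory: {image}")
        elif sid in sessions and ev["event"] == 4634:  # session ended: compute duration
            s = sessions[sid]
            s["end"] = ev["ts"]
            s["duration_s"] = (datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(s["start"])).total_seconds()
            if s["duration_s"] > max_seconds:
                s["findings"].append(f"session lasted {s['duration_s']:.0f}s, above {max_seconds}s threshold")
    return sessions


def flagged_sessions(lines):
    """Return the logon_ids that produced at least one finding."""
    return sorted(sid for sid, s in analyze_rdp_sessions(lines).items() if s["findings"])
```

On the constructed input, session 0x1a is flagged for its source address and for two known tools run from staging directories, 0x3c for its length, and the helpdesk session 0x2b produces no findings.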

The most effective defense is to assume that RDP access will eventually be compromised. By implementing Zero Trust principles and ensuring that RDP is never exposed directly to the internet, you significantly raise the cost of attack. If you must use RDP, ensure it is behind a VPN or a secure gateway that requires multi-factor authentication.

Ultimately, this research proves that visibility is the best deterrent. When attackers know they are being watched, their behavior changes. By deploying your own traps and monitoring for the specific tradecraft outlined by the researchers, you can force attackers to reveal themselves, turning their own persistence mechanisms against them. The next time you see an RDP connection, ask yourself: is this an admin, or is this a Ranger just waiting for the right moment to pivot?

Talk Type: research presentation
Difficulty: advanced
Category: threat intel
Tags: Has Demo, Has Code, Tool Released


Black Hat USA 2023
