Welcome to the Jumble: Improving RDP Tooling for Malware Analysis and Pentesting
2019-05-16, 14:15–15:15, Conf 1

PyRDP, the open-source RDP man-in-the-middle, allows complete interception of Remote Desktop sessions. This opens the door for new techniques in malware research and pentesting.

The RDP protocol has a wide variety of interesting features, yet no tool supported the complexity of the RDP protocol for information security purposes. Inspired by RDPY, we created PyRDP, an open-source general-purpose RDP man-in-the-middle tool. This presentation will cover use cases for PyRDP in malware research and pentesting.

First, we added new features to our project to help with malware research. One crucial feature is the ability to rewrite the username and password sent to the server. This is used to allow access to the target RDP server to anyone using any credentials, which maximizes hostile interactions. Our tool also saves full RDP sessions to disk as well as clipboard content and files transferred during the sessions. Having session replays allows us to extract tactics, techniques and procedures (TTPs) from malicious actors. By using our tool and pointing it to a real RDP server, we created a fully interactive honeypot and caught a malware actor in the act.

We will do a demonstration of these features and show replays of the malware actor we caught.

Second, in a corporate environment, RDP is oftentimes used by high-privilege user accounts to manage Active Directory, servers, users' workstations and more. Using RDP is so ingrained in day-to-day tasks that users stop thinking about the potential consequences of connecting to random machines.

We will present PyRDP's use cases in pentesting engagements and propose an approach to compromising high-privileged accounts. A man-in-the-middle in an RDP context can be used to capture credentials, but it can do more. Instead of reusing the credentials to launch another connection, attackers can interactively hijack the existing connection and disguise their actions as coming from the victim. Additionnally, it can lead to the partial compromise of the client machine by abusing features such as drive redirection to enumerate and download sensitive files. PyRDP can also be used to challenge the incident response process by attracting the incident response team to a machine and capturing their credentials as they connect. Finally, the replay files produced by PyRDP can be used to demonstrate the impact of compromise to high-level executives.

The talk will cover these attack scenarios in depth and will end with a short demo of the open-source tool and its capabilities.

A student at the École de Technologie Supérieure (E. T. S.), Francis has discovered an interest for information security at the start of his undergraduate studies. He has worked as an intern for Desjardins's ETTIC team and GoSecure. He has also given workshops for Montrehack and DCIÉTS, and has been a finalist in popular CTF events like Hack in Paris, CSAW and DefCamp.

Émilio is an undergraduate student from Université de Sherbrooke (UdeS). He discovered a passion for cybersecurity two years ago, which lead him to break his promise of trying three different fields during his internships and instead taking only cybersecurity-related internships at the Canadian Cyber Incident Response Center (formerly CCIRC, now CCCS)'s malware analysis team, GoSecure's R&D team and Desjardins' threat hunting team.

President of JDIS, UdeS' computer science student organization, Émilio likes to make things happen, let it be CTFs, AI competitions, conferences, workshops or making every developper understand that tab is the superior indentation character (work in progress).