BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: I Watched You Roll the Die: Unparalleled RDP Monitor
 ing Reveal\n   Attackers Tradecraft\n   When: Friday\, Aug 11\, 11:30 - 12
 :15 PDT\n   Where: Caesars Forum - Forum - 105\,135\,136 - Track 1 - [1]Ma
 p\n   Speakers:Andréanne Bergeron\,Olivier Bilodeau\n\n   SpeakerBio:Andr
 éanne Bergeron \, Cybersecurity Researcher at GoSecure\n   Andréanne Berg
 eron has a Ph.D. in criminology from the University of\n   Montreal and wo
 rks as a cybersecurity researcher at GoSecure. Acting\n   as the social an
 d data scientist of the team\, she is interested in\n   online attackers
 ’ behaviors. She is an experienced presenter with\n   over 38 academic con
 ferences and is now focusing on the infosec field.\n   She has presented a
 t BSides Montreal\, NorthSec\, CypherCon and Human\n   Factor in Cybercrim
 e amongst others.\n   Twitter: [2]@AndreanBergeron\n\n   SpeakerBio:Olivie
 r Bilodeau \, Cybersecurity Research Director at\n   GoSecure\n   Olivier 
 Bilodeau leads the Cybersecurity Research team at GoSecure.\n   With more 
 than 12 years of infosec experience\, he enjoys luring\n   malware operato
 rs into his traps and writing tools for malware\n   research. Olivier is a
  passionate communicator having spoken at\n   several conferences includin
 g BlackHat USA/Europe\, Defcon\, Botconf\,\n   Derbycon\, and HackFest. In
 vested in his community\, he co-founded\n   MontréHack\, is the President 
 of NorthSec and host its Hacker Jeopardy.\n   Twitter: [3]@obilodeau\n\n  
  Description:\n   The Remote Desktop Protocol (RDP) is a critical attack v
 ector used by\n   evil threat actors including in ransomware outbreaks. To
  study RDP\n   attacks\, we created PyRDP\, an open-source RDP interceptio
 n tool with\n   unmatched capabilities which helped us collect more than 1
 00 hours of\n   video footage of attackers in action.\n\n   To describe at
 tackers’ behaviors\, we characterized the various\n   archetypes of threat
  actors in groups based on their traits through a\n   Dungeons & Dragons a
 nalogy: 1) the Bards make obtuse searches or watch\n   unholy videos\; 2)
  the Rangers stealthily explore computers and perform\n   reconnaissance\;
  3) the Thieves try to monetize the RDP access\; 4) the\n   Barbarians use
  a large array of tools to brute-force their way into\n   more computers\;
  and 5) the Wizards use their RDP access as a magic\n   portal to cloak th
 eir origins. Throughout\, we will reveal the\n   attackers’ weaponry and s
 how video recordings of interesting\n   characters in action.\n\n   This p
 resentation demonstrates the tremendous capability in RDP\n   interception
  for research benefits and blue teams: extensive\n   documentation of oppo
 rtunistic attackers’ tradecraft. An engineer\n   and a crime data scienti
 st partner to deliver an epic story that\n   includes luring\, understandi
 ng and characterizing attackers which\n   allows to collectively focus our
  attention on the more sophisticated\n   threats.\n\n   REFERENCES\n\n   T
 he tool:\n   [4]https://github.com/GoSecure/pyrdp/ an extensive rewrite of
 \n   Citronneur’s RDPy\n\n   Building on our own work:\n   RDP Man-in-th
 e-Middle - Smile! You're on Camera - GoSecure [5]https://www.youtube.com/w
 atch?v=eB7RC9FmL6Q\n\n   Slides - Google Slides\n   PyRDP Demo with Sessio
 n Takeover - YouTube PyRDP Demo with a Payload\n   on Connection - YouTube
  [6]https://docs.google.com/presentation/d/1UAiN2EZwDcmBjLe_t5HXB0LzbNclU3
 nnigC-XM4neIU/edit?usp=sharing\n   [7]https://docs.google.com/presentation
 /d/1UAiN2EZwDcmBjLe_t5HXB0LzbNclU3nnigC-XM4neIU/edit?usp=sharing\n   PyRDP
  on Autopilot - Unattended Credential Harvesting and Client-Side\n   File 
 Stealing - GoSecure Announcing PyRDP 1.0 - GoSecure\n   DEF CON Safe Mode 
 Demo Labs - Olivier Bilodeau - PyRDP - YouTube\n   Capturing RDP NetNTLMv2
  Hashes: Attack details and a Technical How-To\n   Guide - GoSecure Cracki
 ng 2.3M Attackers-Supplied Credentials: What\n   Can We Learn from RDP Att
 acks - GoSecure A New PyRDP Release: The\n   Rudolph Desktop Protocol! - G
 oSecure The Level of Human Engagement\n   Behind Automated Attacks - GoSec
 ure Never Connect to RDP Servers Over\n   Untrusted Networks - GoSecure\n\
 n   Building on scientific articles:\n\n   [1] Cybersecurity & Infrastruct
 ure Security Agency (2020). Alert\n   (AA20-099A). Retrieved from. [8]http
 s://www.cisa.gov/uscert/ncas/alerts/aa20-099a\n   [2] Cox\, O. (2021). Rem
 ote Desktop Protocol (RDP) attack analysis.\n   Darktrace. Retrieved from:
  [9]https://darktrace.com/blog/remote-desktop-protocol-rdp-attack-analysis
 #:~:text=Remote%20Desktop%20Protocol%20(RDP)%20is\,have%20been%20around%20
 for%20years.\n   [3] UK’s National Cyber Security Centre (2021). Alert: Fu
 rther\n   ransomware attacks on the UK education sector by cyber crimina
 ls.\n   Retrieved from : [10]https://www.ncsc.gov.uk/news/alert-targeted-r
 ansomware-attacks-on-uk-education-sector\n   [4] Tian\, Z. et al. (2018). 
 A Real-Time Correlation of Host-Level\n   Events in Cyber Range Service fo
 r Smart Campus. IEEE Access\, 6\, pp.\n   35355-35364. DOI: 10.1109/ACCESS
 .2018.2846590. [5] Sinitsyn\, F.\n   (2017). Kaspersky Security Bulletin: 
 STORY OF THE YEAR 2017. Retrieved\n   from: [11]https://securelist.com/ksb
 -story-of-the-year-2017/83290/ [6]\n   Drašar\, M.\, Jirsík\, T.\, & Vizv
 áry\, M. (2014). Enhancing Network\n   Intrusion Detection by Correlation 
 of Modularly Hashed Sketches. 8th\n   IFIP International Conference on Aut
 onomous Infrastructure\, Management\n   and Security (AIMS). Proceedings 8
  (pp. 160-172). Springer Berlin\n   Heidelberg. [7] Alata\, E.\, Nicomette
 \, V.\, Kaaniche\, M.\, Dacier\, M.\, &\n   Herrb\, M. (2006). Lessons lea
 rned from the deployment of a\n   high-interaction honeypot. Sixth Europea
 n Dependable Computing\n   Conference\, Coimbra\, Portugal\, pp. 39-46\, D
 OI: 10.1109/EDCC.2006.17.\n   [8] Udhani\, S.\, Withers\, A.\, & Bashir\, 
 M. (2019). Human vs bots:\n   Detecting human attacks in a honeypot enviro
 nment. 7th International\n   Symposium on Digital Forensics and Security (
 ISDFS) (pp. 1-6). IEEE.\n   [9] Bilodeau\, O. (2022). PyRDP: Python Remote
  Desktop Protocol (RDP)\n   Monster-in-the-Middle (MITM) tool and library.
  Tool Access from: [12]https://github.com/GoSecure/pyrdp\n   [10] Gatlan\,
  S. (2022). Windows 11 now blocks RDP brute-force attacks\n   by default. 
 Bleeping Computer\, [13]https://www.bleepingcomputer.com/news/microsoft/wi
 ndows-11-now-blocks-rdp-brute-force-attacks-by-default/\n   [11] Seifert\,
  C. (2006). Analyzing Malicious SSH Login Attempts.\n   Symantec Connect C
 ommunity. Retrieve from: [14]https://www.symantec.com/connect/articles/ana
 lyzing-malicious-sshlogin-attempts\n\n   '\n\n   1. #CaesarsForumBR\n   2.
  https://twitter.com/AndreanBergeron\n   3. https://twitter.com/obilodeau\
 n   4. https://github.com/GoSecure/pyrdp/\n   5. https://www.youtube.com/w
 atch?v=eB7RC9FmL6Q\n   6. https://docs.google.com/presentation/d/1UAiN2EZw
 DcmBjLe_t5HXB0LzbNclU3nnigC-XM4neIU/edit?usp=sharing\n   7. https://docs.g
 oogle.com/presentation/d/1UAiN2EZwDcmBjLe_t5HXB0LzbNclU3nnigC-XM4neIU/edit
 ?usp=sharing\n   8. https://www.cisa.gov/uscert/ncas/alerts/aa20-099a\n   
 9. https://darktrace.com/blog/remote-desktop-protocol-rdp-attack-analysis#
 :~:text=Remote%20Desktop%20Protocol%20\n   10. https://www.ncsc.gov.uk/new
 s/alert-targeted-ransomware-attacks-on-uk-education-sector\n   11. https:/
 /securelist.com/ksb-story-of-the-year-2017/83290/\n   12. https://github.c
 om/GoSecure/pyrdp\n   13. https://www.bleepingcomputer.com/news/microsoft/
 windows-11-now-blocks-rdp-brute-force-attacks-by-default/\n   14. https://
 www.symantec.com/connect/articles/analyzing-malicious-sshlogin-attempts\n\
 n\n
DTEND:20230811T191500Z
DTSTART:20230811T183000Z
LOCATION:DC - Caesars Forum - Forum - 105\,135\,136 - Track 1
SUMMARY:I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Atta
 ckers Tradecraft
END:VEVENT
END:VCALENDAR
