Welcome to the Jumble: Improving RDP Tooling for Malware Analysis and Pentesting

PyRDP, the open-source RDP man-in-the-middle, allows complete interception of Remote Desktop sessions. This opens the door for new techniques in malware research and pentesting.

The RDP protocol has a wide variety of interesting features, yet no existing tool handled the protocol's complexity for information security purposes. Inspired by RDPY, we created PyRDP, an open-source general-purpose RDP man-in-the-middle tool. This presentation will cover use cases for PyRDP in malware research and pentesting.

First, we added new features to our project to help with malware research. One crucial feature is the ability to rewrite the username and password sent to the server. This lets anyone connect to the target RDP server with any credentials, which maximizes hostile interactions. Our tool also saves full RDP sessions to disk, along with clipboard content and files transferred during the sessions. Having session replays allows us to extract tactics, techniques and procedures (TTPs) from malicious actors. By using our tool and pointing it at a real RDP server, we created a fully interactive honeypot and caught a malware actor in the act.

We will demonstrate these features and show replays of the malware actor we caught.

Second, in a corporate environment, RDP is oftentimes used by high-privilege user accounts to manage Active Directory, servers, users' workstations and more. Using RDP is so ingrained in day-to-day tasks that users stop thinking about the potential consequences of connecting to random machines.

We will present PyRDP's use cases in pentesting engagements and propose an approach to compromising high-privileged accounts. A man-in-the-middle in an RDP context can be used to capture credentials, but it can do more. Instead of reusing the credentials to launch another connection, attackers can interactively hijack the existing connection and disguise their actions as coming from the victim. Additionally, it can lead to the partial compromise of the client machine by abusing features such as drive redirection to enumerate and download sensitive files. PyRDP can also be used to challenge the incident response process by attracting the incident response team to a machine and capturing their credentials as they connect. Finally, the replay files produced by PyRDP can be used to demonstrate the impact of a compromise to high-level executives.

The talk will cover these attack scenarios in depth and will end with a short demo of the open-source tool and its capabilities.