CypherCon 2023

Are they human or scripts? The level of human involvement behind RDP brute-force attacks

Andréanne Bergeron, Ph.D


Differentiating the behavior of an automated attack versus a human online has proven to be  useful to develop adequate protection and to prevent attacks. In the case in which human and automated attacks are implicated, understanding their different behavior helps adapt and prevent more attacks. Launching a script with thousands of credentials combination in a “spraying and praying” fashion is low in time and energy consumption. But when humans are more engaged in attacks, they suddenly become a lot more sophisticated and therefore dangerous.
The objective of this study is to identify and describe the aspects pointing towards the level of involvement of humans in automated attacks. To do so, we launched high-interaction honeypots on the Internet. We collected and analyzed over 3.4 million connections attempts that supplied hashed credentials over a period of 3 months. With over 95% success rate in cracking these hashes, our team was able to identify different attack strategies.
In the sample, we witness attacks adapting to the target by using, for example, variations on the server’s RDP certificate name in the credentials. We also notice huge sequences of attacks showing the presence of heavily automated attacks. There are as well delays introduced to avoid detection. The five following profiles will be presented: (1) The foragers searching at large; (2) the credential farm with human intervention; (3) sophisticated automation with imposed delays; (4) Over-killed delayers with almost no human intervention; (5) script-kiddies with short list of credentials.
Understanding and characterizing attackers allow us to get close to reveal their identity. This will hopefully contribute to give them cold feet as they will have to change their practices. The ultimate objective of our work is to increase the cost of attackers and knowing who they are and how they proceed is one step further in this direction.

Importance: This talk is based on a really unique set of data using PyRDP collected from malicious actors’ supplied credentials of our honeypots. The wide quantity of data allows us to illustrate the different types of attackers and the differentiation of those strategies is very important to develop adequate protection. Communicating the findings as well as discussing the mitigation strategies is primordial and giving this talk to the infosec community will allow the beginning of the discussion.

Moreover, by understanding malicious actors’ behavior, we can eventually prevent more attacks. The ultimate objective of our work is to understanding and characterizing attackers to allow us to get closer to reveal their identity. They will have to change their practices and therefore it increases the attacker’s cost.

Andréanne Bergeron, Ph.D


Andréanne Bergeron has a Ph.D. in criminology from Montreal University and works as a cybersecurity researcher at GoSecure. Acting as the social scientist of the team, she is interested in online attackers’ behaviors. She is an experienced presenter with over 38 academic conferences and is now focusing on the infosec field. She has presented at BSides Montreal, NorthSec and Human Factor in Cybercrime.