A case study of unauthorized login attempts against honeypots via remote desktop

University essay from Luleå tekniska universitet/Institutionen för system- och rymdteknik

Author: Oscar Rehnbäck; [2023]


Abstract: Remote service software is typically used to establish a connection to an asset on another network. There are a variety of services depending on which asset needs to be accessed and which information needs to be transferred. One of these is Remote Desktop Protocol (abbreviated RDP), a communication protocol that allows clients to connect to another computer over a network. Microsoft developed the protocol and introduced it in their operating systems in the late 90s. The most common authorization method is the use of credentials. These can be created locally on the host or managed centrally via Kerberos / Active Directory.

RDP is a heavily exposed attack surface. There are several vulnerabilities against this protocol; one is the possibility of eavesdropping on credentials. However, the most common reason intrusions occur via RDP is not that malicious actors have obtained the credentials via eavesdropping, but that they have managed to guess them with a dictionary or brute force attack.

This observational study was performed with three honeypots that were exposed to attacks via remote desktop for 37 days. More than 120,000 login attempts were recorded, and the first attempts occurred within 24 hours. One of the research questions studied is how availability is affected for an asset that is subject to a login rate limit, since this kind of control can be abused and exploited as a denial of service attack. One of the honeypots was configured with "Account Lockout Policy", a feature integrated into the Microsoft Windows operating system. The policy was configured according to Microsoft’s recommendation. The results show that the brute force attacks had a small impact on availability. However, this is mainly because the most active malicious actors did not target the administrator’s account in their attempts to gain access. If they had chosen to do so, availability would have been significantly more affected.

Another honeypot was configured to use a non-standard port for the remote service, to study whether attacks can be avoided by trying to hide that the service is active and available. This turned out not to be a good security enhancement, as the remote service on this honeypot was discovered after 15 days and login attempts were conducted by several different actors.

Previous research on attacks against remote desktop has shown that it is an attractive target and a common attack surface. The results of this study support and confirm this.
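The availability trade-off of account lockout described in the abstract, as an added example that is not part of the essay: a small Python simulation of a Windows-style lockout policy (threshold, reset window, lockout duration) run over constructed failed-logon records, measuring how long each account is unusable. The policy values, account names and attempt rates are assumptions for the demonstration, not figures from the study.

```python
from collections import defaultdict

# Constructed policy values (assumed for the demo, not the study's settings).
LOCKOUT_THRESHOLD = 10          # failed attempts before the account is locked
RESET_COUNTER_AFTER = 15 * 60   # seconds since the last failure before the counter resets
LOCKOUT_DURATION = 15 * 60      # seconds the account stays locked

def simulate_lockout(attempts, period):
    """attempts: iterable of (t_seconds, account) failed-logon records.
    period: length of the observation window in seconds.
    Returns {account: total_seconds_locked} within the period."""
    counter = defaultdict(int)      # bad-attempt counter per account
    last_fail = {}                  # time of the last counted failure
    locked_until = defaultdict(int)
    locked_for = defaultdict(int)
    for t, acct in sorted(attempts):
        if t < locked_until[acct]:
            continue  # rejected while locked; the lockout is not extended
        if acct in last_fail and t - last_fail[acct] >= RESET_COUNTER_AFTER:
            counter[acct] = 0  # quiet long enough: counter starts over
        counter[acct] += 1
        last_fail[acct] = t
        if counter[acct] >= LOCKOUT_THRESHOLD:
            locked_until[acct] = t + LOCKOUT_DURATION
            locked_for[acct] += min(t + LOCKOUT_DURATION, period) - t
            counter[acct] = 0
    return dict(locked_for)

def availability(attempts, account, period):
    """Fraction of the period during which `account` could still log in."""
    locked = simulate_lockout(attempts, period).get(account, 0)
    return 1 - locked / period

# Constructed sample traffic for one day: a fast spray of guessed usernames
# (one attempt per second) and a slow attack on Administrator (one per minute).
PERIOD = 24 * 3600
SPRAY = [(i, name) for i, name in enumerate(["user", "test", "guest"] * 12)]
ADMIN_ATTACK = [(60 * i, "Administrator") for i in range(PERIOD // 60)]

if __name__ == "__main__":
    for acct in ("user", "Administrator"):
        print(acct, round(availability(SPRAY + ADMIN_ATTACK, acct, PERIOD), 3))
```

Even at one guess per minute the slow attack keeps the administrator account locked for 15 of every 24 minutes, which is the denial-of-service effect the abstract warns about; the sprayed low-value names are each locked only once.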
