3-Step RDP Honeypot: Introduction

Chapin Bryce, Pythonic Forensics
Feb 15, 2020 (2 min read)

This series is related to setting up a pre-authentication honeypot, meaning we will be capturing and sharing information about pre-authentication attempts to connect to our system. Stay tuned for a series on post-authentication honeypots, where we let threat actors authenticate and execute malicious payloads.

The Remote Desktop Protocol (RDP) is one of the most widely deployed services in IT environments. While it is a very convenient way for administrators to access and manage systems, it is also a large target for threat actors. Millions of internet-facing systems run Remote Desktop and expose its port to external networks. This means that, at the very least, these systems are subject to mass scanning and authentication attempts from all across the internet.

Top countries with Remote Desktop services exposed to the internet — https://www.shodan.io/report/3Bks4gAr

Visibility is the name of the game in information security, and one way to learn more about the risks to these internet-facing Remote Desktop services is to attract and capture requests from bots, malicious actors, and other threats targeting the service.

This mini-series will walk through the process of setting up a Remote Desktop honeypot, capturing requests to the service, processing the captured data, and operationalizing it for internal or external consumption. In our case, we will implement this plan with the following steps:

  1. Stand up our honeypot on a cloud-hosted instance, capturing full PCAP data on port 3389.
  2. Set up Moloch on a separate instance to process our PCAP data.
  3. Build a bot to extract IOCs from Moloch and share them with the community through Twitter and Pastebin.

This process is tested and operational, resulting in the RDPSnitch Twitter bot, which shares daily the IP addresses, usernames, and ASN organization information captured by our honeypot.
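As an added example (not code from this series or from the RDPSnitch project), the Python below decodes the X.224 Connection Request that every RDP client sends before authentication, which is the first packet a port-3389 honeypot captures and the one from which the offered username (the mstshash cookie) and the requested security protocols are recovered. The frame it parses is constructed by build_x224_cr for the demonstration, not taken from a real capture.

```python
"""Decode a pre-authentication RDP X.224 Connection Request:
TPKT header (RFC 1006) + X.224 CR TPDU + optional 'mstshash' cookie
(the username the client offers) + optional RDP Negotiation Request."""
import struct

TPKT_VERSION = 3
X224_CR = 0xE0          # X.224 Connection Request TPDU code (high nibble)
RDP_NEG_REQ = 0x01      # RDP Negotiation Request type
COOKIE_PREFIX = b"Cookie: mstshash="
PROTOCOL_BITS = [(0x1, "TLS"), (0x2, "CredSSP"), (0x8, "RDSTLS")]


def build_x224_cr(username, requested_protocols=0):
    """Build a constructed sample request (test input only, not a capture)."""
    variable = b""
    if username is not None:
        variable += COOKIE_PREFIX + username.encode("latin-1") + b"\r\n"
    # type, flags, length (always 8), requestedProtocols; all little-endian
    variable += struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI counts every byte after itself: code(1)+dst(2)+src(2)+class(1)+variable
    x224 = struct.pack(">BBHHB", 6 + len(variable), X224_CR, 0, 0, 0) + variable
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_x224_cr(data):
    """Return {'username': str|None, 'protocols': [str]} or raise ValueError."""
    if len(data) < 11 or data[0] != TPKT_VERSION:
        raise ValueError("not a TPKT v3 frame")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match frame size")
    li = data[4]
    if (data[5] & 0xF0) != X224_CR or 5 + li > len(data):
        raise ValueError("not a complete X.224 Connection Request")
    variable = data[11:5 + li]          # bytes after the fixed 7-byte CR part
    username = None
    if variable.startswith(COOKIE_PREFIX):
        end = variable.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated mstshash cookie")
        username = variable[len(COOKIE_PREFIX):end].decode("latin-1")
        variable = variable[end + 2:]
    protocols = []
    if len(variable) >= 8 and variable[0] == RDP_NEG_REQ:
        requested = struct.unpack("<I", variable[4:8])[0]
        protocols = [name for bit, name in PROTOCOL_BITS if requested & bit]
        if requested == 0:
            protocols = ["Standard RDP"]
    return {"username": username, "protocols": protocols}
```

Run over the TCP payload of the first client packet in each captured 3389 session, this yields the username and protocol fields that a honeypot reports per source IP, without any credentials ever being accepted.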

As we release each step of the blog series, we will update this post to include the respective links. Stay tuned!

Part 1:

Part 2:

Part 3:

DFIR professional, skier, aviation nerd. Co-author of Learning Python for Forensics & Python Forensics Cookbook. Message me for free links to any of my articles