Analyzing Windows Remote Desktop Hacking Through Honeypot Data
Prof. Andreanne Bergeron
Prof. Andréanne Bergeron’s research on Remote Desktop Protocol attacks examines the underground ecosystem that forms when attackers gain remote access to compromised computers. Using honeypot data, her work looks beyond individual incidents to understand how threat actors are connected, how access to compromised systems may be bought and sold, and what attacker behaviour reveals about broader cybercrime networks.
The project analyzed 2,390 recorded sessions of real attackers, representing more than 100 hours of footage. After cleaning the data, the study identified 429 unique attacker nodes and nearly 100,000 pairwise connections. Prof. Bergeron and her team built a weighted network based on spatiotemporal proximity, technological similarity, and behavioural similarity, then used community detection to identify four distinct attacker clusters with different profiles, including shared devices, obfuscation techniques, timing and subnet patterns, and attacking tools.
The findings suggest that while the overall attacker network is loosely connected, certain clusters show strong signs of coordination. Behavioural fingerprints, especially shared tactics, proved especially useful for identifying relationships between attackers and were more revealing than geography or infrastructure alone. For defenders, law enforcement, and cybersecurity teams, the work highlights the importance of studying attacker networks rather than treating attackers as isolated individuals, and it points to the value of behavioural detection, threat intelligence sharing, and more targeted disruption strategies.