Hunting for Hidden RDP-MITM: Analyzing and Detecting RDP MITM Tools Based on Network Features.

ISCC(2023)

Abstract
Remote Desktop Protocol (RDP) is commonly used for remote access to Windows computers. As more and more people work remotely, the number of users of RDP is increasing, making RDP a growing concern in cybersecurity. The latest way to threaten RDP security is RDP man-in-the-middle (MITM) tools which realize the MITM function in an RDP connection and automate the MITM attack process, significantly reducing the difficulty of network attacks. At the same time, RDP MITM tools can be used for high-interaction RDP honeypots. In order to mitigate this risk, we present the first in-depth study of RDP MITM tools in this paper. By analysis and experiment, we identify network features that can be used to detect RDP MITM tools effectively. Based on packet latency and TLS handshake, we propose a machine learning classifier that can detect RDP MITM tools for securing RDP connections. Finally, we analyze the deployment of RDP MITM tools in the wild and effectively measure the RDP MITM tools using our proposed detection approach.
Keywords
remote desktop protocol,man-in-the-middle attack,honeypot,attack detection