Hunting Down 1 Second Logins
Recently, my team and I worked several incidents where folks had exposed Terminal Servers directly to the Internet. (Don’t do this!) Even worse, many of these systems had a significant lack of proper password controls. As you might expect, within a few days, they were compromised by remote attackers using password brute force tools. But, this article isn’t really about that…
While investigating these incidents, a pattern emerged which we thought was interesting. Once the attacker’s tool correctly guessed the password, there was a one-second login to the system. No other activity occurred during these initial sessions: a successful login followed immediately by a logoff was all that happened. Once we knew this, we began to apply the heuristic across the different systems involved in this scenario, and it worked as a great tool for finding compromises and building compromise timelines.
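The heuristic above applied to Windows Security event logs, as an added example that is not part of the article: pair each successful logon (event 4624) with the logoff (4634) carrying the same Logon ID, flag sessions of one second or less, and record how many failed logons (4625) from the same source preceded the hit. The log lines are a constructed sample in an assumed CSV layout (timestamp, event id, logon id, account, source IP); filtering by logon type (e.g. RDP) is left out.

```python
from datetime import datetime

# Constructed sample export (assumed CSV layout): timestamp, event id, logon id,
# account, source IP.  4625 = failed logon, 4624 = successful logon, 4634 = logoff.
SAMPLE_LOG = """\
2024-03-02T01:12:03,4625,0x0,administrator,203.0.113.5
2024-03-02T01:12:04,4625,0x0,administrator,203.0.113.5
2024-03-02T01:12:05,4624,0x3e7a1,administrator,203.0.113.5
2024-03-02T01:12:06,4634,0x3e7a1,administrator,203.0.113.5
2024-03-02T08:30:00,4624,0x41b20,jsmith,10.0.0.7
2024-03-02T09:15:42,4634,0x41b20,jsmith,10.0.0.7
2024-03-02T11:02:10,4624,0x5c001,jsmith,10.0.0.7
"""

def parse(text):
    """Turn the CSV export into a list of event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, eid, logon_id, user, src = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "eid": int(eid),
                       "logon_id": logon_id, "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])

def short_sessions(events, max_seconds=1.0):
    """Pair 4624 with the 4634 that shares its Logon ID and flag sessions lasting
    at most max_seconds; count prior failed logons from the same source IP."""
    open_sessions = {}   # logon id -> 4624 event still waiting for its logoff
    failures = {}        # source IP -> failed logons seen so far
    hits = []
    for ev in events:
        if ev["eid"] == 4625:
            failures[ev["src"]] = failures.get(ev["src"], 0) + 1
        elif ev["eid"] == 4624:
            open_sessions[ev["logon_id"]] = ev
        elif ev["eid"] == 4634:
            start = open_sessions.pop(ev["logon_id"], None)
            if start is None:
                continue  # logoff with no matching logon in this window
            duration = (ev["ts"] - start["ts"]).total_seconds()
            if duration <= max_seconds:
                hits.append({"user": start["user"], "src": start["src"],
                             "start": start["ts"].isoformat(),
                             "seconds": duration,
                             "failed_before": failures.get(start["src"], 0)})
    return hits  # sessions still open (no 4634 yet) are never flagged

if __name__ == "__main__":
    for hit in short_sessions(parse(SAMPLE_LOG)):
        print(hit)
```

A long run of 4625 events from the same source followed by one flagged session is the pattern the article describes; a short session with no preceding failures is worth a look but is far weaker evidence.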
Then we got curious. So, we came back to the lab, and began testing several common password brute force tools, credential stuffing scripts from around the web and a few other common attacker tools that perform similar types of scans for known common passwords. We tested them against Terminal Server/RDP, VNC, VPN exposures, telnet, SSH, several web platforms and a variety of applications.
To our astonishment, a majority of these tools and scripts duplicated that behavior on…