
SentinelOne VS P2P Remote Desktop (aka P2P RD) – Detection and Forensics

Threat actors often employ various methods to remotely control compromised systems. One widespread technique involves repurposing Commercial Off-the-Shelf (COTS) tools originally designed for legitimate use, such as TeamViewer, VNC, and ConnectWise. These tools have been frequently observed in multi-stage cyberattacks.

However, repurposed commercial tools have become less appealing to threat actors because they are noisy and easily detected by modern security measures. Tools like P2P Remote Desktop instead use a UDP connection between a pair of hosts (peers) to establish a session that supports message exchange and full remote control of the desktop. Because the session runs over UDP (the UDT protocol), the tool can potentially bypass firewall rules or other network inspection techniques.
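The network-level trait described above, a long-lived, bidirectional UDP conversation between an internal host and a single external peer on a non-standard port, is something a defender can look for in flow telemetry even when the endpoint binary is a unique copy. The following is an added example, not SentinelOne code and not part of P2P Remote Desktop; it runs a simple heuristic over a handful of constructed flow records (the `Flow` record layout, the `KNOWN_UDP_PORTS` allow-list, the internal-address prefixes and the thresholds are all assumptions to be tuned per environment).

```python
"""Heuristic detection of P2P UDP remote-control sessions from flow records.

Added example (not SentinelOne code). It flags UDP conversations that look like
an interactive peer-to-peer desktop session: sustained over time, carrying
substantial traffic in both directions, between one internal host and one
external peer, on a port that is not a known UDP service.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: well-known UDP services that should not be flagged by this rule.
KNOWN_UDP_PORTS = {53, 123, 443, 500, 4500, 3478}  # DNS, NTP, QUIC, IPsec, STUN

# Assumption: RFC 1918 prefixes used in this constructed environment.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (assumed layout, similar to a NetFlow/Zeek conn entry)."""
    ts: float        # epoch seconds at which the record was emitted
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes_out: int   # bytes sent src -> dst
    bytes_in: int    # bytes sent dst -> src


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def session_key(f: Flow):
    """Canonical key so that records seen in either direction map to one conversation."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (a, b) if a <= b else (b, a)


def detect_p2p_udp_sessions(flows, min_duration=60.0, min_bytes_each_way=50_000):
    """Return one alert dict per UDP conversation that matches the P2P-session heuristic."""
    sessions = defaultdict(list)
    for f in flows:
        if f.proto.upper() == "UDP":
            sessions[session_key(f)].append(f)

    alerts = []
    for (a, b), recs in sessions.items():
        # Skip conversations involving a known UDP service port.
        if {a[1], b[1]} & KNOWN_UDP_PORTS:
            continue
        # Only internal <-> external pairs are interesting for this rule.
        internal = [h for h in (a[0], b[0]) if is_internal(h)]
        if len(internal) != 1:
            continue
        peer = b[0] if is_internal(a[0]) else a[0]

        # Accumulate bytes in each direction, normalising reversed records.
        a_to_b = b_to_a = 0
        for f in recs:
            if (f.src, f.sport) == a:
                a_to_b += f.bytes_out
                b_to_a += f.bytes_in
            else:
                a_to_b += f.bytes_in
                b_to_a += f.bytes_out
        to_peer, from_peer = (a_to_b, b_to_a) if is_internal(a[0]) else (b_to_a, a_to_b)

        duration = max(f.ts for f in recs) - min(f.ts for f in recs)
        if duration >= min_duration and min(to_peer, from_peer) >= min_bytes_each_way:
            alerts.append({
                "internal": internal[0],
                "peer": peer,
                "duration_s": duration,
                "bytes_to_peer": to_peer,
                "bytes_from_peer": from_peer,
            })
    return alerts


# Constructed sample telemetry: one P2P-looking session, plus DNS, QUIC and a short burst.
SAMPLE_FLOWS = [
    # Sustained session to a single external peer on a high port; mostly inbound bytes
    # (screen updates) with steady outbound (input events). Last record is reversed.
    *[Flow(t, "10.0.0.5", 51234, "203.0.113.7", 49152, "udp", 40_000, 200_000)
      for t in (0.0, 60.0, 120.0, 180.0, 240.0)],
    Flow(300.0, "203.0.113.7", 49152, "10.0.0.5", 51234, "udp", 200_000, 40_000),
    # Internal DNS lookup: known port and internal <-> internal.
    Flow(5.0, "10.0.0.5", 50001, "10.0.0.2", 53, "udp", 80, 160),
    # QUIC to a web server: known port.
    Flow(7.0, "10.0.0.5", 50002, "203.0.113.9", 443, "udp", 300_000, 900_000),
    # Single short burst to an external host: no sustained duration.
    Flow(10.0, "10.0.0.5", 50003, "198.51.100.4", 40000, "udp", 120_000, 120_000),
]


def run_example():
    return detect_p2p_udp_sessions(SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The thresholds are deliberately conservative; in practice the rule is a triage signal to correlate with endpoint telemetry (which process owns the UDP socket, whether the binary is newly seen) rather than a standalone verdict, since legitimate media or gaming traffic can share the same shape.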

In this demonstration, we launch unique copies of P2P Remote Desktop on two hosts, successfully establishing a Peer-to-Peer connection that includes messaging and desktop control. We also showcase the SentinelOne Singularity™ platform’s ability to detect and prevent this tactic. Furthermore, we demonstrate the extent of visibility provided when tools like P2P Remote Desktop are launched in an environment.

This video highlights the use of unique copies of the P2P Remote Desktop tool and demonstrates that, despite its stealthy approach, it can still be detected by modern and effective endpoint security technologies.

