Detecting RDP Brute Force Attacks

Overview

RDP brute force attacks consist of repeated authentication attempts against an RDP service, relying on weak or default passwords to gain access. This guide walks through the steps to detect such attacks in Splunk using Zeek RDP logs.

Setting Up the Detection Query

This Splunk query helps to identify potential RDP brute force activity by analyzing Zeek logs and flagging IP addresses with a high number of RDP connection attempts over a short period.

Query Explanation

  1. Index and Sourcetype:

    • Filter for the RDP brute force data by specifying index="rdp_bruteforce" and sourcetype="bro:rdp:json".

  2. Time Binning:

    • The bin command groups the events into 5-minute intervals, which helps in identifying bursts of login attempts typical in brute force scenarios.

  3. Counting and Grouping:

    • The stats command counts the number of connection attempts per IP address pair (id.orig_h as the source IP and id.resp_h as the destination IP) in each 5-minute period.

  4. Threshold Filtering:

    • The where count>30 condition filters events where there are more than 30 connection attempts in a 5-minute window from a source IP to a destination IP, which may indicate brute force activity.

Splunk Query

index="rdp_bruteforce" sourcetype="bro:rdp:json"
| bin _time span=5m
| stats count values(cookie) by _time, id.orig_h, id.resp_h
| where count > 30

Field Descriptions

  • index="rdp_bruteforce": Filters events to the RDP brute force index.

  • sourcetype="bro:rdp:json": Selects the Zeek RDP log events (rdp.log), which are ingested in JSON format.

  • bin _time span=5m: Groups events into 5-minute intervals.

  • stats count values(cookie) by _time, id.orig_h, id.resp_h:

    • count: Counts the number of RDP connections from a source to a destination IP within each time bin.

    • values(cookie): Lists unique session cookies, useful for tracking session attempts.

    • _time, id.orig_h, id.resp_h: Groups results by time, source IP (id.orig_h), and destination IP (id.resp_h).

  • where count > 30: Identifies periods with over 30 connection attempts, a threshold suggesting possible brute force activity.

Interpretation of Results

  • High Count Events: Any source IP (id.orig_h) with over 30 connection attempts to a destination IP (id.resp_h) within a 5-minute window may indicate a brute force attempt.

  • Session Cookies: Multiple unique cookie values indicate separate login sessions, supporting the detection of brute force patterns.
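The same detection logic as the query above, carried out in Python over a constructed sample of Zeek rdp.log lines in JSON form. This is an added example, not part of the original page; the sample records, addresses and cookie values are made up, and ts is assumed to be the epoch float Zeek writes by default.

```python
"""Re-implementation of the page's Splunk query: 5-minute bins, count per
(id.orig_h, id.resp_h) pair, flag bins with more than 30 attempts."""
import json
from collections import defaultdict

BIN_SECONDS = 300   # bin _time span=5m
THRESHOLD = 30      # where count > 30

# Constructed sample of Zeek rdp.log JSON lines (not real traffic): 31 attempts
# from 203.0.113.5 to 192.0.2.10 inside one 5-minute window (base ts is a
# multiple of 300 so all 31 land in the same bin), plus one normal connection
# from another host. Zeek flattens the id record into keys like "id.orig_h".
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1700000100 + i * 8, "uid": f"C{i:04d}",
                 "id.orig_h": "203.0.113.5", "id.orig_p": 50000 + i,
                 "id.resp_h": "192.0.2.10", "id.resp_p": 3389,
                 "cookie": f"user{i % 3}"}) for i in range(31)]
    + [json.dumps({"ts": 1700000150, "uid": "Cadmin", "id.orig_h": "198.51.100.7",
                   "id.orig_p": 51000, "id.resp_h": "192.0.2.10", "id.resp_p": 3389,
                   "cookie": "admin"})]
)


def detect_rdp_bruteforce(log_text, bin_seconds=BIN_SECONDS, threshold=THRESHOLD):
    """Return [(bin_start, orig_h, resp_h, count, sorted cookies)] for every
    (time bin, source, destination) whose attempt count exceeds the threshold."""
    counts = defaultdict(int)
    cookies = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole run
        # Floor ts to the start of its 5-minute bin, like "bin _time span=5m".
        bin_start = int(rec["ts"] // bin_seconds) * bin_seconds
        key = (bin_start, rec["id.orig_h"], rec["id.resp_h"])
        counts[key] += 1
        if rec.get("cookie"):          # values(cookie): distinct cookies per bin
            cookies[key].add(rec["cookie"])
    return [(*key, n, sorted(cookies[key]))
            for key, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    for bin_start, src, dst, n, cks in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{bin_start} {src} -> {dst}: {n} attempts, cookies={cks}")
```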

Using Additional Filters (Optional)

To further refine results, additional filters like the following can help focus on suspicious activity:

  • Time of Day Filtering: RDP attacks may occur outside normal business hours.

  • Specific Usernames: Monitoring specific usernames can help identify if certain high-value accounts are targeted.
