Day 27 - Investigate RDP Brute Force Attacks

1. Introduction

1.1 What is this guide about?

This guide focuses on the investigation of RDP (Remote Desktop Protocol) brute force attacks. It outlines how to identify, analyze, and respond to such attacks using alarms, queries, and logs. The goal is to create a repeatable process for detecting and mitigating these threats, ensuring a proactive security posture.

1.2 What does it try to solve or mitigate?

The guide aims to:

  • Detect and Mitigate Unauthorized Access Attempts: RDP is a common attack vector, often exploited by brute force attacks to gain access to critical systems. This guide focuses on identifying these attacks promptly.
  • Improve Incident Response: By following a structured methodology, security teams can react quickly to detected events, minimizing damage.
  • Streamline Reporting and Documentation: Integration with tools like osTicket helps ensure incidents are tracked and documented effectively for future analysis.

1.3 What caused the need for this guide?

  • Increasing Use of RDP by Attackers: As remote work increases, attackers are increasingly targeting RDP to gain unauthorized access to networks.
  • Rising Frequency of Brute Force Attacks: Organizations face continuous attempts from malicious IPs scanning for open RDP services.
  • Compliance Requirements: Many industries require the documentation and investigation of security incidents to meet regulatory or operational standards.

2. Investigation of Brute Force Alarm

2.1 Alarm Details

  • IP Address: 203.112.77.198
  • User: Administrator

2.2 Is this IP known to be malicious or associated with brute force attacks?

  • AbuseIPDB:

    • Result: 203.112.77.198 was found in the database.
    • Reports: Reported 39 times.
    • Abuse Confidence: 75%.
  • GreyNoise:

    • Identified as an IP performing opportunistic scanning.
    • Risk: Not considered a threat to our organization.
  • Answer: Yes.

2.3 Are there any other users affected by this IP?

  • Answer: No. Only the Administrator account was targeted.

2.4 Were there any successful logins?

  • Answer: No.

2.5 What activity followed the successful login?

  • Answer: None, as there were no successful logins.

2.6 Integrating the RDP Alarm into osTicket

  • Implementation:

    • The RDP alarm was integrated into osTicket similarly to how the SSH alarm was configured.

3. Investigation of Our Brute Force Activity Using Kali Linux

3.1 Target Details

  • Target: Administrator account and IP Address

3.2 Is this IP known to perform brute force activity?

  • Answer: No.

3.3 Were there other users affected by this activity?

  • Answer: Yes. Both the root and Administrator accounts were targeted.

3.4 Were any of the attempts successful?

  • Answer: Yes.

3.5 What happened after the successful login?

  • Query:

    • IP AND Administrator AND event.code: 4624 (logon successful)
  • Process:

    • From the query results, we identified logonID values.
    • We searched for the corresponding login and logoff events related to those logonIDs.
    • After testing several logonIDs, we pinpointed the relevant logs.
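The logonID correlation described in this section, as an added Python example that is not part of the original write-up: it assumes flattened winlogbeat/ECS-style field names (event.code, source.ip, winlog.event_data.*) and runs over constructed sample events whose timestamps borrow the values from the timeline below. It also counts 4625 failures per source IP, the check that feeds the brute force alarm in the first place, and leaves the session end empty when no matching logoff was recorded.

```python
from datetime import datetime

def ev(t, code, user, ip=None, logon_id=None):
    # Build one flattened winlogbeat-style record (field names are assumed, values constructed)
    e = {"@timestamp": t, "event.code": code, "winlog.event_data.TargetUserName": user,
         "winlog.event_data.LogonType": "10"}  # 10 = RemoteInteractive (RDP)
    if ip: e["source.ip"] = ip
    if logon_id: e["winlog.event_data.TargetLogonId"] = logon_id
    return e

SAMPLE_EVENTS = [  # constructed; 203.0.113.9 plays the Kali box, 10.0.0.7 an unrelated admin
    ev("2024-10-03T07:40:01.000Z", "4625", "Administrator", ip="203.0.113.9"),
    ev("2024-10-03T07:40:02.000Z", "4625", "root", ip="203.0.113.9"),
    ev("2024-10-03T07:40:03.000Z", "4625", "Administrator", ip="203.0.113.9"),
    ev("2024-10-03T07:41:29.396Z", "4624", "Administrator", ip="203.0.113.9", logon_id="0x3e7a1"),
    ev("2024-10-03T07:45:00.000Z", "4624", "Administrator", ip="10.0.0.7", logon_id="0x41c02"),
    ev("2024-10-03T08:40:26.802Z", "4634", "Administrator", logon_id="0x3e7a1"),
]

def ts(event):
    # @timestamp is ISO-8601 with a trailing Z, as winlogbeat writes it
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))

def failed_logons_by_source(events, min_failures=3):
    """Count 4625 (failed logon) events per source IP; return the IPs at or above the threshold."""
    counts = {}
    for e in events:
        if e["event.code"] == "4625":
            ip = e.get("source.ip", "?")
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_failures}

def rdp_sessions(events, ip, user):
    """Pair each RDP (LogonType 10) 4624 logon from `ip` for `user` with the 4634/4647
    logoff carrying the same TargetLogonId; `end` stays None if no logoff was seen."""
    sessions = {}
    for e in events:
        if (e["event.code"] == "4624" and e.get("source.ip") == ip
                and e["winlog.event_data.TargetUserName"] == user
                and e["winlog.event_data.LogonType"] == "10"):
            lid = e["winlog.event_data.TargetLogonId"]
            sessions[lid] = {"logon_id": lid, "start": ts(e), "end": None, "duration_s": None}
    for e in events:
        lid = e.get("winlog.event_data.TargetLogonId")
        if e["event.code"] in ("4634", "4647") and lid in sessions and sessions[lid]["end"] is None:
            s = sessions[lid]
            s["end"] = ts(e)
            s["duration_s"] = round((s["end"] - s["start"]).total_seconds())
    return sorted(sessions.values(), key=lambda s: s["start"])
```

Against real data, feed the exported query results into `rdp_sessions` with the attacker IP and user from the alarm; a session with `end` still None means the logoff event is missing or the session was still open.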

3.6 Timeline of Events

  • Login Start: October 3, 2024, @ 07:41:29.396 GMT
  • Potential Logoff Time: October 3, 2024, @ 08:40:26.802 GMT

3.7 What actions took place during the session?

  • (Further investigation needed to determine specific activities.)

4. Conclusion

4.1 RDP Alarm Ticket Setup

  • We completed the configuration to generate tickets for RDP alarms.

4.2 Brute Force Investigation Summary

  • We analyzed an RDP alarm according to the investigation methodology.
  • We identified the time window during which our own brute force attack (using Kali Linux) occurred.

4.3 Future Steps

  • I will further investigate the activities that took place during our own brute force attack.
