How to Analyze Logs to Detect a Brute-Force Attack on an RDP Service

Detecting a brute-force attack on RDP involves monitoring authentication logs for patterns of repeated login attempts and correlating data from various sources to confirm malicious activity.


1. Monitor for Multiple Failed Login Attempts

What to Look For:

  • Failed Login Attempts: Review Windows Security Event logs for repeated failed login attempts logged as Event ID 4625.

  • High Frequency: Focus on a high number of failures within a short period originating from the same IP address or targeting the same account.

Analysis Tip: Define a threshold for failed attempts (e.g., 10-20 failures within a minute) to identify potential brute-force activity.


2. Examine Logon Success Following Failures

What to Look For:

  • Successful Logins: Look for a successful login (Event ID 4624) immediately following a series of failed attempts.

  • Pattern Detection: A successful login after multiple failures often indicates that an attacker has successfully guessed valid credentials.

Red Flags: Logins at unusual times for the account, or originating from new or foreign IP addresses.


3. Identify Unusual Source IP Addresses

What to Look For:

  • Foreign or Unexpected IPs: Check the source IP addresses associated with login attempts. Investigate IPs originating from:

    • Foreign countries.

    • Regions not typically associated with your organization.

  • Geolocation Analysis: Correlate IP addresses with geolocation data to identify suspicious sources.

Analysis Tip: Monitor for IP addresses that repeatedly attempt to access multiple accounts, as this suggests a brute-force strategy.


4. Analyze Account Lockout Events

What to Look For:

  • Account Lockouts: Review logs for Event ID 4740, which records account lockout events caused by too many failed login attempts.

  • Targeted Accounts: Identify accounts experiencing frequent lockouts, as this indicates they are likely being targeted by an attack.

Impact: Frequent lockouts can disrupt legitimate users and indicate an ongoing brute-force attempt.


5. Correlation with Firewall Logs

What to Do:

  • Compare Logs Across Systems: Correlate failed login attempts with firewall logs to determine if the same IP address is targeting other services (e.g., SSH, FTP).

  • Broader Attack Detection: Identify patterns of scanning or access attempts across your network.

Benefit: This correlation can reveal whether the attack is isolated to RDP or part of a broader network intrusion attempt.


6. Automate Detection with SIEM

What to Implement:

  • Threshold-Based Alerts: Configure your SIEM to trigger alerts when a specific number of failed login attempts is detected within a set timeframe (e.g., 10 failures in 1 minute).

  • Behavioral Correlation: Combine failed login attempts, account lockouts, and unusual IP patterns into a single detection rule.

Tools to Use: Popular SIEM solutions like Splunk, QRadar, or ELK can provide real-time monitoring and automated alerts.
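As an added example (not part of the original article), the Python below implements the threshold logic from steps 1, 2 and 6 over constructed 4625/4624 events: a sliding one-minute window per source IP, an alert once the failure threshold is hit, and a second alert if a successful logon from that IP follows. The IP addresses, account names and timestamps are made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs) in Windows Security log terms:
# (timestamp, EventID, TargetUserName, IpAddress, LogonType).
# 4625 = failed logon, 4624 = successful logon. LogonType 10 is RemoteInteractive (RDP);
# with Network Level Authentication enabled, failed RDP attempts are usually logged as type 3.
T0 = datetime(2024, 1, 15, 3, 0, 0)

def ev(offset_s, event_id, user, ip, logon_type=3):
    return (T0 + timedelta(seconds=offset_s), event_id, user, ip, logon_type)

EVENTS = (
    [ev(i * 4, 4625, "administrator", "203.0.113.45") for i in range(12)]  # 12 failures in 44 s
    + [ev(50, 4624, "administrator", "203.0.113.45", 10)]                  # then a success
    + [ev(i * 20, 4625, "jdoe", "198.51.100.7") for i in range(3)]         # 3 typos over 40 s
    + [ev(60, 4624, "jdoe", "198.51.100.7", 10)]                           # legitimate success
)

def _trim(q, now, window):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()

def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=1)):
    """Return alerts as (kind, ip, user, accounts_tried, timestamp).
    'burst': at least `threshold` failed logons (4625) from one source IP inside `window`.
    'success_after_failures': a 4624 from an IP that hit the threshold and failed within the window."""
    alerts = []
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    accounts = defaultdict(set)      # ip -> accounts that IP has tried (many accounts = spraying)
    flagged = set()                  # IPs already alerted as a burst
    for ts, event_id, user, ip, _logon_type in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        _trim(q, ts, window)
        if event_id == 4625:
            q.append(ts)
            accounts[ip].add(user)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user, sorted(accounts[ip]), ts))
        elif event_id == 4624 and ip in flagged and q:
            alerts.append(("success_after_failures", ip, user, sorted(accounts[ip]), ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(alert)
```

The three mistyped passwords from 198.51.100.7 stay below the threshold and produce no alert, which is the false-positive behaviour a SIEM rule built on the same threshold should show.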


7. Response Actions

Immediate Steps:

  • Block IP Addresses: Use firewall or security tools to block the offending IPs immediately.

  • Enforce Account Lockout Policies: Set thresholds for account lockouts to disrupt brute-force attempts and protect user accounts.

  • Implement Multi-Factor Authentication (MFA): Require MFA for all RDP logins to make brute-force attacks significantly harder.

  • Ensure Strong Passwords: Audit and enforce policies for strong, complex passwords to reduce the likelihood of success.

Long-Term Measures:

  • Harden RDP Configuration: Restrict access to RDP using VPNs, allowlisting IPs, or placing RDP behind a secure gateway.

  • Monitor for Follow-On Activity: Attackers often pivot to other methods after a brute-force attempt is blocked, so ensure comprehensive monitoring of your environment.


Conclusion

By systematically analyzing authentication logs, correlating with network and firewall data, and leveraging automated detection tools, organizations can effectively detect and respond to brute-force attacks on RDP. Proactive measures like MFA and strong password policies significantly reduce the risk of successful attacks.