| ID | Technique | Tactic |
|---|---|---|
| T1110.001 | Password Guessing | Credential Access |
Detection: Windows Remote Desktop Network Bruteforce Attempt
Description
The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
Search
1
2| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime values(Al_Traffic.action) as action from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port All_Traffic.user All_Traffic.vendor_product
3| `drop_dm_object_name("All_Traffic")`
4| eval duration=lastTime-firstTime
5| where count > 10 AND duration < 3600
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)`
8| `windows_remote_desktop_network_bruteforce_attempt_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 3 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_remote_desktop_network_bruteforce_attempt_filter | search * |
windows_remote_desktop_network_bruteforce_attempt_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.AE
CIS 13
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
You must ensure that your network traffic data is populating the Network_Traffic data model. Adjust the count and duration thresholds as necessary to tune the sensitivity of your detection.
Known False Positives
RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.Any legitimate RDP traffic using wrong/expired credentials will be also detected as a false positive.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
$dest$ may be the target of an RDP Bruteforce from $src$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 25 | src |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2