Intermediate SOC IR Windows

RDP Brute Force Detection

โฑ 60โ€“90 minutes
๐ŸŽฏ Intermediate
๐Ÿ“ฅ VirtualBox OVA
๐Ÿ”ง Splunk, Windows Server 2019

An attacker is hammering a Windows Server with RDP login attempts. Detect the brute force, identify the successful login, trace lateral movement, and build a Splunk detection rule.

🧪 Lab Description

This intermediate lab places you inside an active incident. A Windows Server 2019 system is under RDP brute force attack from an external IP. You'll use Windows Security Event Logs (Event IDs 4625, 4624 and 4776) forwarded to Splunk to detect the attack, identify the attacker's foothold, and trace their post-compromise actions.

You'll finish by writing a Splunk detection rule that would have caught this attack, a real-world deliverable that SOC analysts produce during incident response.

🎯 Learning Objectives

  • Detect RDP brute force attacks using Windows Security Event Logs
  • Identify critical Event IDs: 4625 (failed login), 4624 (successful login), 4776
  • Build SPL queries to identify attacker IP, timing, and success/failure ratio
  • Trace lateral movement after initial RDP compromise
  • Write a Splunk saved search / alert rule for this attack pattern
  • Create a basic incident response timeline

📋 Prerequisites

  • Completion of SOC Alert Triage lab (recommended)
  • Basic Splunk SPL knowledge (index, stats, where, sort)
  • Understanding of Windows authentication basics
  • VirtualBox 6.1+ with 8GB RAM available for VM

๐Ÿ“ Scenario

Alert received: 2024-11-18 02:47:11 UTC

An automated alert fired at 02:47 UTC. The alert rule detected more than 20 failed RDP logins from a single external IP within a 5-minute window targeting WINSERVER-02. Your mission: confirm the attack, determine if it was successful, and identify what the attacker did after getting in.

Key Event IDs to investigate:

  • 4625 - An account failed to log on (failed RDP attempt)
  • 4624 - An account was successfully logged on (successful RDP)
  • 4776 - The domain controller attempted to validate credentials
  • 4672 - Special privileges assigned to new logon (admin login)
  • 4648 - A logon was attempted using explicit credentials
  • 7045 - A new service was installed (post-compromise persistence)

⚠ Walkthrough: Spoiler Alert

⚠ Attempt the lab first. The walkthrough reveals attacker TTPs and answers.

Step 1: Boot the lab VM. Open Splunk at localhost:8000. Navigate to the "RDP_INVESTIGATION" app.

Step 2: Count failed logins per source IP:

index=wineventlog EventCode=4625 earliest=-2h | stats count by src_ip, user | sort -count | head 20

Step 3: You'll see IP 203.0.113.45 with 847 failed attempts. Now check if any succeeded:

index=wineventlog EventCode=4624 src_ip="203.0.113.45" | table _time, user, src_ip, logon_type

Step 4: Successful login at 02:51:34 UTC as user "Administrator". Logon type 10 (RemoteInteractive = RDP). Now check post-compromise activity:

index=wineventlog user="Administrator" timeformat="%Y-%m-%dT%H:%M:%S" earliest="2024-11-18T02:51:00" | sort _time | table _time, EventCode, user, Message

Step 5: You'll find Event 7045: a new service "svchost64" was created at 02:54:18 UTC. This is persistence via a malicious service. Flag as Critical. Escalate immediately.
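The saved search / alert rule the lab asks you to write, as an added example that is not part of the lab's own material: a hypothetical savedsearches.conf stanza that fires on more than 20 failed logons from one source IP in any 5-minute window and marks the result critical when a type-10 logon from the same IP follows the failures. It assumes the field names used in the walkthrough queries (src_ip, user, logon_type) and the wineventlog index.

```ini
# savedsearches.conf - hypothetical alert for the pattern in this lab (added example).
# Field names (src_ip, user, logon_type) follow the walkthrough queries above.
[RDP Brute Force - Failures Then Success by Source IP]
description = More than 20 failed logons (4625) from one src_ip in any 5-minute window; \
  critical when a 4624 logon_type=10 from the same IP arrives after the failures began
search = index=wineventlog (EventCode=4625 OR (EventCode=4624 AND logon_type=10)) \
  | bin _time span=5m \
  | stats count(eval(EventCode="4625")) AS failed \
          count(eval(EventCode="4624")) AS success \
          min(eval(if(EventCode="4625", _time, null()))) AS first_failed \
          min(eval(if(EventCode="4624", _time, null()))) AS first_success \
          dc(user) AS users_targeted \
          BY _time src_ip \
  | stats max(failed) AS peak_failed_5m sum(failed) AS total_failed \
          sum(success) AS total_success min(first_failed) AS first_failed \
          min(first_success) AS first_success max(users_targeted) AS users_targeted \
          BY src_ip \
  | where peak_failed_5m > 20 \
  | eval severity=if(total_success > 0 AND first_success > first_failed, "critical", "high") \
  | eval first_failed=strftime(first_failed, "%Y-%m-%d %H:%M:%S"), \
         first_success=strftime(first_success, "%Y-%m-%d %H:%M:%S") \
  | sort -total_success -peak_failed_5m
# Run every 5 minutes over the last hour, so a success that lands in a later
# 5-minute bucket than the failures (alert at 02:47, logon at 02:51:34) is still correlated.
cron_schedule = */5 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5
alert.track = 1
# One alert per source IP per hour instead of a repeat every 5 minutes
alert.suppress = 1
alert.suppress.fields = src_ip
alert.suppress.period = 60m
```

The "high" rows are brute force with no observed success; "critical" rows are the Step 4 situation and should trigger the same post-compromise review as Step 5.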