RDP Brute Force Simulation Β· Windows Event Log Analysis Β· Splunk SIEM Detection Β· Sysmon Telemetry Β· SOC Investigation Workflow
- Project Overview
- Objectives
- Lab Architecture
- Tools & Technologies
- Attack Simulation Workflow
- Splunk SIEM Detection
- Sysmon Deep Visibility
- Windows Event Log Analysis
- Detection Logic
- Indicators of Compromise
- MITRE ATT&CK Mapping
- Incident Timeline
- Containment & Response
- Mitigation Recommendations
- Lessons Learned
- Screenshots
- About the Analyst
This project simulates a real-world RDP brute force attack against a Windows Server 2022 environment and demonstrates a complete SOC analyst investigation workflow β from attack simulation through SIEM detection, log analysis, MITRE ATT&CK mapping, and incident response.
What makes this lab different from typical student projects:
- Real RDP authentication traffic generated from Kali Linux using xfreerdp
- Logs forwarded live into Splunk Enterprise via Universal Forwarder
- Sysmon deployed for deep process and network visibility
- SPL detection queries and Sigma rules written from scratch
- Complete incident report following SOC runbook: Detection β Triage β Containment β Escalation
- All timestamps and findings verified against real log evidence
- Simulate RDP brute force attack in a controlled lab environment
- Forward Windows Security logs to Splunk Enterprise in real time
- Detect brute force pattern using SPL count-based threshold queries
- Confirm breach using EventCode 4624 Logon Type 10 correlation
- Hunt post-compromise activity using Sysmon EventCode 1
- Map full attack chain to MITRE ATT&CK sub-techniques
- Produce professional SOC incident report with real evidence
- Write production-ready Sigma detection rule
| Component | Details |
|---|---|
| Attacker Machine | Kali Linux β 192.168.56.10 |
| Victim Machine | Windows Server 2022 β 192.168.56.110 |
| SOC / SIEM | Splunk Enterprise β Host Machine 192.168.56.1 |
| Virtualization | VirtualBox β NAT + Host-Only Adapter |
| Network | Host-Only: 192.168.56.0/24 |
| Log Forwarding | Splunk Universal Forwarder β Splunk Enterprise (Port 9997) |
| Deep Logging | Sysmon (SwiftOnSecurity config) |
| Targeted Protocol | RDP β Port 3389 |
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VirtualBox Lab Environment β
β β
β ββββββββββββββββββββ ββββββββββββββββββββββββββββ β
β β Kali Linux βββRDPβββΆβ Windows Server 2022 β β
β β 192.168.56.10 β :3389 β 192.168.56.110 β β
β β ATTACKER β β Sysmon + Splunk UF β β
β ββββββββββββββββββββ ββββββββββββββ¬ββββββββββββββ β
β β Logs (9997) β
β βΌ β
β ββββββββββββββββββββββββββββ β
β β Splunk Enterprise β β
β β 192.168.56.1 β β
β β SOC ANALYST VIEW β β
β ββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
| Tool | Purpose |
|---|---|
| Kali Linux | Attack simulation β xfreerdp brute force |
| Windows Server 2022 | Target β RDP enabled server environment |
| Splunk Enterprise | SIEM β log ingestion, SPL queries, alerting |
| Splunk Universal Forwarder | Ships Windows logs β Splunk in real time |
| Sysmon | Deep endpoint visibility β process, network, file |
| xfreerdp | RDP authentication testing tool |
| Windows Event Viewer | Manual log verification |
| PowerShell | Local log hunting and validation |
| MITRE ATT&CK Navigator | Attack technique mapping |
- Configured VirtualBox Host-Only network (192.168.56.0/24)
- Installed Windows Server 2022 with RDP enabled on port 3389
- Created test user account
socuserβ added to Remote Desktop Users group - Deployed Sysmon with SwiftOnSecurity configuration for deep logging
- Installed Splunk Universal Forwarder β forwarding to 192.168.56.1:9997
- Configured inputs.conf to forward Security, System, Application and Sysmon logs
From Kali Linux, repeated failed RDP authentication attempts were generated using xfreerdp with incorrect credentials:
xfreerdp /u:socuser /p:'WrongPassword' /v:192.168.56.110 /cert:ignoreAfter multiple failed attempts, a successful RDP login was performed using valid credentials confirming breach:
xfreerdp /u:socuser /p:'Password@123' /v:192.168.56.110 /cert:ignoreThis generated:
- Multiple failed authentication events β EventCode 4625
- One successful authentication event β EventCode 4624
- Logon Type 10 β RDP session confirmed
- NTLM authentication logs β EventCode 4776
- Sysmon process creation telemetry β EventCode 1
All attack events were forwarded to Splunk in real time via Universal Forwarder. SPL queries were used to detect, correlate, and classify the attack. Sysmon logs provided post-compromise process visibility.
All logs were ingested into Splunk Enterprise via Universal Forwarder installed on Windows Server 2022. The following SPL queries detected and confirmed the attack.
index=main EventCode=4625
| stats count as failed_attempts by host
| eval severity=if(failed_attempts>50,"CRITICAL",if(failed_attempts>20,"HIGH","MEDIUM"))
| sort - failed_attempts
Result: WIN-TLKR5B0U5QP β failed_attempts=808 β CRITICAL
index=main (EventCode=4625 OR EventCode=4624)
| eval event_type=if(EventCode=4624,"SUCCESS","FAILURE")
| table _time, event_type, Account_Name
| sort _time
Result: Chain of FAILURE events ending in SUCCESS β True Positive breach confirmed.
index=main EventCode=4625
| timechart span=1m count
Result: Large authentication spike observed during brute force activity
index=main sourcetype="WinEventLog:Sysmon" EventCode=1
| table _time, User, Image, CommandLine, ParentImage
| sort -_time
Result: No malicious process execution detected.
Sysmon was deployed on Windows Server 2022 using the SwiftOnSecurity configuration providing deep endpoint visibility beyond standard Windows Event Logs.
| Sysmon EventCode | Description | SOC Value |
|---|---|---|
| 1 | Process Creation | Full command line of every process |
| 3 | Network Connection | Every outbound connection with PID |
| 7 | Image Loaded | DLL loading β detects injection |
| 10 | Process Access | Detects Mimikatz targeting LSASS |
| 11 | File Created | Malware dropping files |
| 13 | Registry Value Set | Persistence mechanisms |
Sysmon EventCode 1 confirmed no suspicious post-authentication process execution following the successful RDP session. The attacker did not execute any commands during the active session window.
| Event ID | Source | Description | Count |
|---|---|---|---|
| 4625 | Security | Failed login attempt | 808 observed |
| 4624 | Security | Successful login β Logon Type 10 | 1 confirmed |
| 4776 | Security | NTLM authentication attempt | Observed |
| 4672 | Security | Special privileges assigned | Post-login |
| Sysmon 1 | Sysmon | Process creation post-compromise | No malicious |
| Sysmon 3 | Sysmon | Network connections | Monitored |
EventCode 4625 β Failed Login
- Account Name: socuser
- Source IP: 192.168.56.10
- Workstation: kali
- Auth Package: NTLM
- Logged: 5/26/2026 9:09:06 PM
- Evidence: Screenshot 14
EventCode 4624 β Successful Login
- Account Name: socuser
- Source IP: 192.168.56.10
- Logon Type: 10 (RemoteInteractive β RDP)
- Logged: 5/26/2026 9:09:57 PM
- Evidence: Screenshot 15
See full detection files in the Detection-Logic folder.
- Trigger: Single host with >5 failed logins (EventCode 4625)
- Severity: >50 = CRITICAL β >20 = HIGH β >5 = MEDIUM
- Result: High volume failed authentication activity detected and classified as CRITICAL severity
- Escalation: CRITICAL alert β immediate L2 escalation
Production-ready Sigma rule available at: Detection-Logic/sigma-rdp-bruteforce.yml
| IOC Type | Observed Value | Verdict | Validated Via | Action Taken |
|---|---|---|---|---|
| Source IP | 192.168.56.10 | MALICIOUS β confirmed attacker | Windows Security Log + Splunk | Blocked at Windows Firewall |
| Target Account | socuser | COMPROMISED β successful login confirmed | EventCode 4624 β 9:09:57 PM β Logon Type 10 | Account disabled + password reset |
| Auth Protocol | NTLM | WEAK β relay attack risk | EventCode 4776 β NtLmSsp confirmed | Kerberos enforcement recommended |
| Failed Logins | 808 failed authentication events observed | BRUTE FORCE CONFIRMED | Splunk authentication correlation | Account lockout recommended |
| Successful Login | EventCode 4624 β 9:09:57 PM | TRUE POSITIVE β BREACH | Logon Type 10 β RDP session | Immediate containment initiated |
| Tactic | Technique | Sub-Technique | ID | Evidence |
|---|---|---|---|---|
| Credential Access | Brute Force | Password Guessing | T1110.001 | 808 Γ EventCode 4625 targeting socuser |
| Lateral Movement | Remote Services | Remote Desktop Protocol | T1021.001 | EventCode 4624 β Logon Type 10 confirmed |
| Defense Evasion | Valid Accounts | Local Accounts | T1078.003 | Successful login using valid socuser credentials |
| Time | Phase | Event | EventCode | Evidence |
|---|---|---|---|---|
| 5/26/2026 9:09:06 PM | π΄ Attack | First failed RDP login β socuser β 192.168.56.10 | 4625 | Screenshot 14 |
| 5/26/2026 9:09:07 PM | π΄ Attack | Second failed login β NTLM confirmed | 4625 | Screenshot 13 |
| 5/26/2026 9:09:57 PM | π¨ Breach | Successful RDP login β Logon Type 10 | 4624 | Screenshot 15 |
| 26/05/2026 20:24:10 | π‘ Detection | Splunk detection query identified high failed authentication volume | SPL | Screenshot 25 |
| 26/05/2026 20:39:10 | π‘ TP Confirmed | Success-after-failure chain β True Positive | SPL | Screenshot 27 |
| Post-detection | π‘ Sysmon Hunt | No malicious process found post-breach | Sysmon 1 | Screenshot 23 |
| Post-detection | π’ Containment | IP blocked β account disabled β password reset | β | SOC Action |
| Post-detection | π’ Escalation | L2 notified β INC-RDP-2026-001 raised | β | SOC Runbook |
| Action | Outcome |
|---|---|
| Blocked source IP 192.168.56.10 at Windows Firewall | No further RDP connections possible |
| Disabled socuser account | Active RDP session terminated |
| Reset socuser password | Compromised credential invalidated |
| Exported Security logs as forensic .evtx | Evidence preserved for L2 |
| Escalated to L2 β ticket INC-RDP-2026-001 | Post-compromise review initiated |
Sysmon EventCode 1 searched for all process creation after confirmed breach at 9:09:57 PM. No malicious processes found. Incident classified as contained β no post-compromise impact.
Escalated to L2 because EventCode 4624 confirmed a successful attacker RDP session with Logon Type 10. Post-compromise investigation was required before closing the incident.
| Priority | Recommendation | Impact |
|---|---|---|
| CRITICAL | Account lockout after 5 failed attempts | Stops brute force immediately |
| CRITICAL | Restrict RDP behind VPN only | Eliminates direct attack surface |
| CRITICAL | Enforce MFA on all RDP accounts | Credential theft becomes useless |
| HIGH | Replace NTLM with Kerberos | Eliminates relay attack risk |
| HIGH | Enforce 14-character minimum password | Increases crack time exponentially |
| MEDIUM | Deploy Splunk real-time alert for 4625 | Detection within 5 minutes |
| MEDIUM | Enable Network Level Authentication | Pre-session auth layer |
| LOW | Disable RDP on non-essential servers | Reduces attack surface |
Full hardening guide: Mitigation-Recommendations/rdp-hardening-recommendations.md
-
Account lockout policy is non-negotiable. Hundreds of failed authentication attempts were possible without automatic blocking.
-
RDP must never be directly exposed. Any machine with port 3389 accessible on a network is an active target. VPN-only access is the minimum acceptable standard.
-
Splunk detected what manual review would have missed. The count-based threshold query identified abnormal authentication activity rapidly, allowing investigation to begin faster than manual log review.
-
Sysmon provided critical post-compromise clarity. Without Sysmon EventCode 1, confirming no malicious process execution post-breach would have been impossible.
-
NTLM is a legacy risk. Every environment should migrate to Kerberos. NTLM relay attacks are trivially exploitable with tools like Responder.
| # | Screenshot | Description |
|---|---|---|
| 01 | Lab Setup | VirtualBox lab environment |
| 02 | Kali β Windows Connectivity | Ping verification |
| 03 | Windows β Kali Connectivity | Ping verification |
| 04 | RDP Enabled | RDP configuration on Windows Server |
| 05 | RDP Port Verified | Port 3389 open confirmed |
| 06 | User Created | socuser account creation |
| 07 | User Confirmed | Account verification |
| 08 | RDP Group Assignment | User added to RDP group |
| 09 | Group Verified | Group membership confirmed |
| 10 | RDP Auth Command | Successful RDP from Kali |
| 11 | Successful RDP Session | Full RDP session established |
| 12 | Failed Login Attempts | xfreerdp failed attempts |
| 13 | EventID 4625 Analysis | Failed login β 5/26/2026 9:09:07 PM |
| 14 | 4625 Log Detail | Failed login β 5/26/2026 9:09:06 PM |
| 15 | 4624 Logon Type 10 | Successful login β 5/26/2026 9:09:57 PM |
| 16 | Security Log Overview | Full security log β May 26 2026 |
| 17 | PowerShell 4625 | PS query β failed logins |
| 18 | PowerShell 4624 | PS query β successful logins |
| 19 | Sysmon Install | Sysmon deployment confirmed |
| 20 | Sysmon Logs | Sysmon operational log view |
| 21 | Sysmon EventID 1 | Process creation event |
| 22 | Sysmon Process Details | Deep process analysis |
| 23 | Sysmon PS Hunt | Post-compromise process hunt |
| 24 | Splunk Sources Flowing | All 4 log sources in Splunk |
| 25 | Splunk CRITICAL Detection | Failed authentication detection β CRITICAL severity |
| 26 | Splunk Attack Timechart | Authentication spike visible in Splunk timechart |
| 27 | Splunk TP Confirmed | Success after failure chain |
Priyanka Rane β SOC Analyst L1
BSc Information Technology β CGPA 9.70 | University of Mumbai
π Certified Ethical Hacker v13 AI (CEHv13) β EC-Council
π eLearnSecurity Network Penetration Tester (eNPT) β INE
π§ ranepriyanka567@gmail.com
π LinkedIn
π GitHub
β If this project helped you understand SOC detection workflows, feel free to star the repository.