Skip to content

priyanka-sec/Windows-RDP-Brute-Force-Detection-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

220 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ›‘οΈ Windows RDP Brute Force Detection & SIEM Investigation Lab

RDP Brute Force Simulation Β· Windows Event Log Analysis Β· Splunk SIEM Detection Β· Sysmon Telemetry Β· SOC Investigation Workflow



πŸ“‘ Table of Contents



πŸ“Œ Project Overview

This project simulates a real-world RDP brute force attack against a Windows Server 2022 environment and demonstrates a complete SOC analyst investigation workflow β€” from attack simulation through SIEM detection, log analysis, MITRE ATT&CK mapping, and incident response.

What makes this lab different from typical student projects:

  • Real RDP authentication traffic generated from Kali Linux using xfreerdp
  • Logs forwarded live into Splunk Enterprise via Universal Forwarder
  • Sysmon deployed for deep process and network visibility
  • SPL detection queries and Sigma rules written from scratch
  • Complete incident report following SOC runbook: Detection β†’ Triage β†’ Containment β†’ Escalation
  • All timestamps and findings verified against real log evidence



🎯 Objectives

  • Simulate RDP brute force attack in a controlled lab environment
  • Forward Windows Security logs to Splunk Enterprise in real time
  • Detect brute force pattern using SPL count-based threshold queries
  • Confirm breach using EventCode 4624 Logon Type 10 correlation
  • Hunt post-compromise activity using Sysmon EventCode 1
  • Map full attack chain to MITRE ATT&CK sub-techniques
  • Produce professional SOC incident report with real evidence
  • Write production-ready Sigma detection rule



πŸ—οΈ Lab Architecture

Environment Configuration

Component Details
Attacker Machine Kali Linux β€” 192.168.56.10
Victim Machine Windows Server 2022 β€” 192.168.56.110
SOC / SIEM Splunk Enterprise β€” Host Machine 192.168.56.1
Virtualization VirtualBox β€” NAT + Host-Only Adapter
Network Host-Only: 192.168.56.0/24
Log Forwarding Splunk Universal Forwarder β†’ Splunk Enterprise (Port 9997)
Deep Logging Sysmon (SwiftOnSecurity config)
Targeted Protocol RDP β€” Port 3389



πŸ–ΌοΈ Architecture Diagram

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                  VirtualBox Lab Environment                  β”‚
β”‚                                                              β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚
β”‚  β”‚   Kali Linux     │──RDP──▢│   Windows Server 2022   β”‚     β”‚
β”‚  β”‚  192.168.56.10   β”‚ :3389  β”‚    192.168.56.110        β”‚    β”‚
β”‚  β”‚   ATTACKER       β”‚        β”‚  Sysmon + Splunk UF      β”‚    β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚
β”‚                                           β”‚ Logs (9997)      β”‚
β”‚                                           β–Ό                  β”‚
β”‚                              β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚
β”‚                              β”‚    Splunk Enterprise      β”‚   β”‚
β”‚                              β”‚      192.168.56.1         β”‚   β”‚
β”‚                              β”‚    SOC ANALYST VIEW       β”‚   β”‚
β”‚                              β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜



πŸ› οΈ Tools & Technologies

Tool Purpose
Kali Linux Attack simulation β€” xfreerdp brute force
Windows Server 2022 Target β€” RDP enabled server environment
Splunk Enterprise SIEM β€” log ingestion, SPL queries, alerting
Splunk Universal Forwarder Ships Windows logs β†’ Splunk in real time
Sysmon Deep endpoint visibility β€” process, network, file
xfreerdp RDP authentication testing tool
Windows Event Viewer Manual log verification
PowerShell Local log hunting and validation
MITRE ATT&CK Navigator Attack technique mapping



βš”οΈ Attack Simulation Workflow

Phase 1 β€” Environment Setup

  • Configured VirtualBox Host-Only network (192.168.56.0/24)
  • Installed Windows Server 2022 with RDP enabled on port 3389
  • Created test user account socuser β€” added to Remote Desktop Users group
  • Deployed Sysmon with SwiftOnSecurity configuration for deep logging
  • Installed Splunk Universal Forwarder β€” forwarding to 192.168.56.1:9997
  • Configured inputs.conf to forward Security, System, Application and Sysmon logs

Phase 2 β€” Attack Execution

From Kali Linux, repeated failed RDP authentication attempts were generated using xfreerdp with incorrect credentials:

xfreerdp /u:socuser /p:'WrongPassword' /v:192.168.56.110 /cert:ignore

After multiple failed attempts, a successful RDP login was performed using valid credentials confirming breach:

xfreerdp /u:socuser /p:'Password@123' /v:192.168.56.110 /cert:ignore

This generated:

  • Multiple failed authentication events β€” EventCode 4625
  • One successful authentication event β€” EventCode 4624
  • Logon Type 10 β€” RDP session confirmed
  • NTLM authentication logs β€” EventCode 4776
  • Sysmon process creation telemetry β€” EventCode 1

Phase 3 β€” Detection & Investigation

All attack events were forwarded to Splunk in real time via Universal Forwarder. SPL queries were used to detect, correlate, and classify the attack. Sysmon logs provided post-compromise process visibility.



πŸ” Splunk SIEM Detection

All logs were ingested into Splunk Enterprise via Universal Forwarder installed on Windows Server 2022. The following SPL queries detected and confirmed the attack.

Query 1 β€” Brute Force Detection

index=main EventCode=4625
| stats count as failed_attempts by host
| eval severity=if(failed_attempts>50,"CRITICAL",if(failed_attempts>20,"HIGH","MEDIUM"))
| sort - failed_attempts

Result: WIN-TLKR5B0U5QP β€” failed_attempts=808 β€” CRITICAL

Query 2 β€” Attack Success Confirmation

index=main (EventCode=4625 OR EventCode=4624)
| eval event_type=if(EventCode=4624,"SUCCESS","FAILURE")
| table _time, event_type, Account_Name
| sort _time

Result: Chain of FAILURE events ending in SUCCESS β€” True Positive breach confirmed.

Query 3 β€” Attack Volume Timechart

index=main EventCode=4625
| timechart span=1m count

Result: Large authentication spike observed during brute force activity

Query 4 β€” Post-Compromise Process Hunt

index=main sourcetype="WinEventLog:Sysmon" EventCode=1
| table _time, User, Image, CommandLine, ParentImage
| sort -_time

Result: No malicious process execution detected.



πŸ”¬ Sysmon Deep Visibility

Sysmon was deployed on Windows Server 2022 using the SwiftOnSecurity configuration providing deep endpoint visibility beyond standard Windows Event Logs.

Sysmon Event IDs Monitored

Sysmon EventCode Description SOC Value
1 Process Creation Full command line of every process
3 Network Connection Every outbound connection with PID
7 Image Loaded DLL loading β€” detects injection
10 Process Access Detects Mimikatz targeting LSASS
11 File Created Malware dropping files
13 Registry Value Set Persistence mechanisms

Key Finding

Sysmon EventCode 1 confirmed no suspicious post-authentication process execution following the successful RDP session. The attacker did not execute any commands during the active session window.



πŸ“Š Windows Event Log Analysis

Critical Event IDs

Event ID Source Description Count
4625 Security Failed login attempt 808 observed
4624 Security Successful login β€” Logon Type 10 1 confirmed
4776 Security NTLM authentication attempt Observed
4672 Security Special privileges assigned Post-login
Sysmon 1 Sysmon Process creation post-compromise No malicious
Sysmon 3 Sysmon Network connections Monitored

Key Event Details

EventCode 4625 β€” Failed Login

  • Account Name: socuser
  • Source IP: 192.168.56.10
  • Workstation: kali
  • Auth Package: NTLM
  • Logged: 5/26/2026 9:09:06 PM
  • Evidence: Screenshot 14

EventCode 4624 β€” Successful Login

  • Account Name: socuser
  • Source IP: 192.168.56.10
  • Logon Type: 10 (RemoteInteractive β€” RDP)
  • Logged: 5/26/2026 9:09:57 PM
  • Evidence: Screenshot 15



🧠 Detection Logic

See full detection files in the Detection-Logic folder.

Splunk Alert Rule Summary

  • Trigger: Single host with >5 failed logins (EventCode 4625)
  • Severity: >50 = CRITICAL β€” >20 = HIGH β€” >5 = MEDIUM
  • Result: High volume failed authentication activity detected and classified as CRITICAL severity
  • Escalation: CRITICAL alert β†’ immediate L2 escalation

Sigma Rule

Production-ready Sigma rule available at: Detection-Logic/sigma-rdp-bruteforce.yml



🚨 Indicators of Compromise (IOCs)

IOC Type Observed Value Verdict Validated Via Action Taken
Source IP 192.168.56.10 MALICIOUS β€” confirmed attacker Windows Security Log + Splunk Blocked at Windows Firewall
Target Account socuser COMPROMISED β€” successful login confirmed EventCode 4624 β€” 9:09:57 PM β€” Logon Type 10 Account disabled + password reset
Auth Protocol NTLM WEAK β€” relay attack risk EventCode 4776 β€” NtLmSsp confirmed Kerberos enforcement recommended
Failed Logins 808 failed authentication events observed BRUTE FORCE CONFIRMED Splunk authentication correlation Account lockout recommended
Successful Login EventCode 4624 β€” 9:09:57 PM TRUE POSITIVE β€” BREACH Logon Type 10 β€” RDP session Immediate containment initiated



🧠 MITRE ATT&CK Mapping

Tactic Technique Sub-Technique ID Evidence
Credential Access Brute Force Password Guessing T1110.001 808 Γ— EventCode 4625 targeting socuser
Lateral Movement Remote Services Remote Desktop Protocol T1021.001 EventCode 4624 β€” Logon Type 10 confirmed
Defense Evasion Valid Accounts Local Accounts T1078.003 Successful login using valid socuser credentials



πŸ•’ Incident Timeline

Time Phase Event EventCode Evidence
5/26/2026 9:09:06 PM πŸ”΄ Attack First failed RDP login β€” socuser β€” 192.168.56.10 4625 Screenshot 14
5/26/2026 9:09:07 PM πŸ”΄ Attack Second failed login β€” NTLM confirmed 4625 Screenshot 13
5/26/2026 9:09:57 PM 🚨 Breach Successful RDP login β€” Logon Type 10 4624 Screenshot 15
26/05/2026 20:24:10 🟑 Detection Splunk detection query identified high failed authentication volume SPL Screenshot 25
26/05/2026 20:39:10 🟑 TP Confirmed Success-after-failure chain β€” True Positive SPL Screenshot 27
Post-detection 🟑 Sysmon Hunt No malicious process found post-breach Sysmon 1 Screenshot 23
Post-detection 🟒 Containment IP blocked β€” account disabled β€” password reset β€” SOC Action
Post-detection 🟒 Escalation L2 notified β€” INC-RDP-2026-001 raised β€” SOC Runbook



πŸ›‘οΈ Containment & Response

Incident ID: INC-RDP-2026-001

Severity: P2 β€” High

Analyst: Priyanka Rane β€” SOC Analyst L1

Containment Actions Taken

Action Outcome
Blocked source IP 192.168.56.10 at Windows Firewall No further RDP connections possible
Disabled socuser account Active RDP session terminated
Reset socuser password Compromised credential invalidated
Exported Security logs as forensic .evtx Evidence preserved for L2
Escalated to L2 β€” ticket INC-RDP-2026-001 Post-compromise review initiated

Post-Compromise Hunt Result

Sysmon EventCode 1 searched for all process creation after confirmed breach at 9:09:57 PM. No malicious processes found. Incident classified as contained β€” no post-compromise impact.

Escalation Decision

Escalated to L2 because EventCode 4624 confirmed a successful attacker RDP session with Logon Type 10. Post-compromise investigation was required before closing the incident.



πŸ›‘οΈ Mitigation Recommendations

Priority Recommendation Impact
CRITICAL Account lockout after 5 failed attempts Stops brute force immediately
CRITICAL Restrict RDP behind VPN only Eliminates direct attack surface
CRITICAL Enforce MFA on all RDP accounts Credential theft becomes useless
HIGH Replace NTLM with Kerberos Eliminates relay attack risk
HIGH Enforce 14-character minimum password Increases crack time exponentially
MEDIUM Deploy Splunk real-time alert for 4625 Detection within 5 minutes
MEDIUM Enable Network Level Authentication Pre-session auth layer
LOW Disable RDP on non-essential servers Reduces attack surface

Full hardening guide: Mitigation-Recommendations/rdp-hardening-recommendations.md



πŸ“š Lessons Learned

  1. Account lockout policy is non-negotiable. Hundreds of failed authentication attempts were possible without automatic blocking.

  2. RDP must never be directly exposed. Any machine with port 3389 accessible on a network is an active target. VPN-only access is the minimum acceptable standard.

  3. Splunk detected what manual review would have missed. The count-based threshold query identified abnormal authentication activity rapidly, allowing investigation to begin faster than manual log review.

  4. Sysmon provided critical post-compromise clarity. Without Sysmon EventCode 1, confirming no malicious process execution post-breach would have been impossible.

  5. NTLM is a legacy risk. Every environment should migrate to Kerberos. NTLM relay attacks are trivially exploitable with tools like Responder.



πŸ–ΌοΈ Screenshots

# Screenshot Description
01 Lab Setup VirtualBox lab environment
02 Kali β†’ Windows Connectivity Ping verification
03 Windows β†’ Kali Connectivity Ping verification
04 RDP Enabled RDP configuration on Windows Server
05 RDP Port Verified Port 3389 open confirmed
06 User Created socuser account creation
07 User Confirmed Account verification
08 RDP Group Assignment User added to RDP group
09 Group Verified Group membership confirmed
10 RDP Auth Command Successful RDP from Kali
11 Successful RDP Session Full RDP session established
12 Failed Login Attempts xfreerdp failed attempts
13 EventID 4625 Analysis Failed login β€” 5/26/2026 9:09:07 PM
14 4625 Log Detail Failed login β€” 5/26/2026 9:09:06 PM
15 4624 Logon Type 10 Successful login β€” 5/26/2026 9:09:57 PM
16 Security Log Overview Full security log β€” May 26 2026
17 PowerShell 4625 PS query β€” failed logins
18 PowerShell 4624 PS query β€” successful logins
19 Sysmon Install Sysmon deployment confirmed
20 Sysmon Logs Sysmon operational log view
21 Sysmon EventID 1 Process creation event
22 Sysmon Process Details Deep process analysis
23 Sysmon PS Hunt Post-compromise process hunt
24 Splunk Sources Flowing All 4 log sources in Splunk
25 Splunk CRITICAL Detection Failed authentication detection β€” CRITICAL severity
26 Splunk Attack Timechart Authentication spike visible in Splunk timechart
27 Splunk TP Confirmed Success after failure chain



πŸ‘©β€πŸ’» About the Analyst

Priyanka Rane β€” SOC Analyst L1

BSc Information Technology β€” CGPA 9.70 | University of Mumbai

πŸ… Certified Ethical Hacker v13 AI (CEHv13) β€” EC-Council

πŸ… eLearnSecurity Network Penetration Tester (eNPT) β€” INE

πŸ“§ ranepriyanka567@gmail.com

πŸ”— LinkedIn

πŸ™ GitHub


⭐ If this project helped you understand SOC detection workflows, feel free to star the repository.

About

Windows RDP Brute Force Detection Lab using Splunk SIEM, Sysmon, Windows Event Logs, MITRE ATT&CK Mapping, Detection Engineering, and SOC Investigation Workflow.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors