
Overview
This challenge is about analyzing Windows Event Logs to investigate Remote Desktop Protocol (RDP) brute-force attempts. It involves working through a large volume of Audit Failure events to identify specific Indicators of Compromise (IoCs).
Tools used
- Windows Event Viewer to extract details from the brute-force events.
- Timeline Explorer (Eric Zimmerman's tools) to analyze the attempted logons on the host.
Initial analysis
Scenario
Can you analyze logs from an attempted RDP bruteforce attack?
One of our system administrators identified a large number of Audit Failure events in the Windows Security Event log.
There are a number of different ways to approach the analysis of these logs! Consider the suggested tools, but there are many others out there!
In this challenge, we are provided with 3 evidence files:
- BTLO_Bruteforce_Challenge.txt: A raw text export of the Windows Security Event log.
- BTLO_Bruteforce_Challenge.csv: The same log data in tabular form, with one column per log field (e.g., Event ID, Account Name, IP Address).
- BTLO_Bruteforce_Challenge.evtx: The native binary Windows event log, which opens directly in Windows Event Viewer.
Q&A
T-1. How many Audit Failure events are there? (Format: Count of Events)
Opening BTLO_Bruteforce_Challenge.csv in Timeline Explorer and filtering on Event ID 4625 (An account failed to log on) gives the count of failed logon attempts:

Event ID 4625 is written by the Microsoft-Windows-Security-Auditing provider whenever a logon attempt fails. Each record captures the target account, the source IP address and port, the logon type, and a failure reason together with NTSTATUS Status and Sub Status codes. When Network Level Authentication is enabled, failed RDP attempts are usually recorded with Logon Type 3 (network) rather than 10 (RemoteInteractive), because the credentials are checked over CredSSP before a session is created.
If failure auditing for the Audit Logon subcategory (under Logon/Logoff) were not enabled on the host, these attempts would not appear in the Security log at all.
T-2. What is the username of the local account that is being targeted? (Format: Username)
Opening BTLO_Bruteforce_Challenge.evtx in Windows Event Viewer, the Account Name under "Account For Which Logon Failed" shows that the local account administrator was the target of the logon attempts:

T-3. What is the failure reason related to the Audit Failure logs? (Format: String)
The Failure Reason field holds the message code %%2313, which Event Viewer resolves to "Unknown user name or bad password." The accompanying Sub Status code tells you which of the two it was: 0xC000006A means the user name was correct but the password was wrong, while 0xC0000064 means the user name does not exist. Against a known local account you would expect to see the former.
T-4. What is the Windows Event ID associated with these logon failures? (Format: ID)
Event ID 4625 (An account failed to log on) is the ID associated with these logon failures.
T-5. What is the source IP conducting this attack? (Format: X.X.X.X)
Looking at Event Viewer again, the Source Network Address field under "Network Information" records 113.161.192.227 as the IP address that attempted the logons:

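The following Python script is an added example, not part of the original write-up or of the BTLO challenge files. It does over a text export what T-1, T-2, T-3 and T-5 do in Event Viewer and Timeline Explorer: it parses 4625 messages (handling the two "Account Name" fields, Subject versus target), counts them, tallies the targeted accounts, source addresses, logon types and failure reasons, and flags sources above a threshold. The records are constructed with RFC 5737 documentation addresses, the `---` record separator is an assumption about the export layout, and the %%-code and Sub Status mappings are from Microsoft's 4625 reference.

```python
# Triage Windows Security 4625 (failed logon) records from a text export.
# Added example for this write-up; records are constructed (not from the
# challenge files) and the '---' record separator is an assumed export layout.
import re
from collections import Counter

# Resolved strings for the %%-code and NTSTATUS Sub Status values found in a
# 4625 event's Failure Information block (per Microsoft's 4625 reference).
FAILURE_REASON = {
    "%%2313": "Unknown user name or bad password.",
    "%%2307": "Account locked out.",
}
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name is correct but the password is wrong",
    "0xC0000234": "account locked out",
}
RECORD_SEP = "\n---\n"  # assumed delimiter between records in the export

# Message layout Event Viewer renders for 4625 (trimmed). Note the two
# "Account Name" fields: the Subject (caller) and the account that failed.
TEMPLATE_4625 = """\
Event ID: 4625
An account failed to log on.

Subject:
    Account Name:       -

Logon Type:             {logon_type}

Account For Which Logon Failed:
    Account Name:       {account}
    Account Domain:

Failure Information:
    Failure Reason:     %%2313
    Status:             0xC000006D
    Sub Status:         {sub_status}

Network Information:
    Source Network Address: {ip}
    Source Port:        0
"""

# Constructed sample (RFC 5737 addresses): three failures from one source,
# one stray failure from another, and one unrelated 4624 to be filtered out.
SAMPLE_EXPORT = RECORD_SEP.join(
    [TEMPLATE_4625.format(logon_type=lt, account=acct, sub_status=ss, ip=ip)
     for lt, acct, ss, ip in [
         (3, "administrator", "0xC000006A", "198.51.100.23"),
         (3, "administrator", "0xC000006A", "198.51.100.23"),
         (3, "admin", "0xC0000064", "198.51.100.23"),
         (10, "bob", "0xC000006A", "192.0.2.10"),
     ]] + ["Event ID: 4624\nAn account was successfully logged on.\n"]
)


def parse_record(text):
    """Parse one event message into {section: {field: value}}."""
    fields, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indented = line[0] in " \t"
        if not indented and line.endswith(":"):     # e.g. "Failure Information:"
            section = line[:-1].strip()
            fields.setdefault(section, {})
            continue
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)  # "Field:   value"
        if m:                                       # unindented fields go to ""
            dest = fields.setdefault(section if indented else "", {})
            dest[m.group(1).strip()] = m.group(2).strip()
    return fields


def summarize_failures(export_text):
    """Count 4625 records and tally the fields an analyst triages first."""
    keys = ("accounts", "source_ips", "logon_types", "reasons", "sub_status")
    tallies, count = {k: Counter() for k in keys}, 0
    for chunk in export_text.split(RECORD_SEP):
        rec = parse_record(chunk)
        if rec[""].get("Event ID") != "4625":
            continue
        count += 1
        target = rec.get("Account For Which Logon Failed", {})
        fail, net = rec.get("Failure Information", {}), rec.get("Network Information", {})
        reason, sub = fail.get("Failure Reason", "?"), fail.get("Sub Status", "?")
        tallies["accounts"][target.get("Account Name", "?")] += 1
        tallies["source_ips"][net.get("Source Network Address", "?")] += 1
        tallies["logon_types"][rec[""].get("Logon Type", "?")] += 1
        tallies["reasons"][FAILURE_REASON.get(reason, reason)] += 1
        tallies["sub_status"][f"{sub} ({SUB_STATUS.get(sub, 'unmapped')})"] += 1
    return {"count": count, **tallies}


def flag_sources(summary, threshold=3):
    """Source addresses with at least `threshold` failures, busiest first."""
    return [ip for ip, n in summary["source_ips"].most_common() if n >= threshold]
```

Calling `summarize_failures(SAMPLE_EXPORT)` on the constructed sample returns a count of 4, with administrator targeted twice and 198.51.100.23 responsible for three of the failures, so `flag_sources` singles it out. On the real export, point it at the file contents (adjusting `RECORD_SEP` to however the records are delimited) and the same tallies answer T-1, T-2, T-3 and T-5; the Sub Status tally additionally separates bad-password guesses against real accounts from username guessing.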
T-6. What country is this IP address associated with? (Format: Country)
Looking up the IP address in a WHOIS/geolocation service, the public address belongs to the ISP Vietnam Posts and Telecommunications Group and geolocates to Vietnam:
