Windows Remote Desktop Network Bruteforce Attempt
The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP activity (application "rdp" or destination port 3389). It flags source IPs that have made more than 10 connection attempts to the same RDP port on a host, with the first and last attempt less than one hour apart. The results are presented in a table with the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempt, so that IPs can be prioritized by the intensity of the activity.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.001 Brute Force: Password Guessing |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: tstats
tstats WHERE (All_Traffic.app="rdp" OR All_Traffic.dest_port=3389) BY All_Traffic.action, All_Traffic.app, All_Traffic.dest, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.direction, All_Traffic.dvc, All_Traffic.protocol, All_Traffic.protocol_version, All_Traffic.src, All_Traffic.src_ip, All_Traffic.transport, All_Traffic.user, All_Traffic.vendor_product
Stage 2: search
search
Stage 3: eval
eval duration from firstTime and lastTime (duration = lastTime - firstTime, the span in seconds between the first and last attempt in each group)
Stage 4: where
where count>10 AND duration<3600
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
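The pipeline above is easiest to reason about when run outside Splunk. The following plain-Python re-implementation is an added example, not the rule's own code: it applies the stage 1 filter (app "rdp" or destination port 3389), groups by source IP, destination IP and destination port, computes count, firstTime, lastTime and duration, and keeps groups with count>10 and duration<3600. The event records and helper names (`SAMPLE_EVENTS`, `detect_rdp_bruteforce`, `matches_rdp`) are constructed for the example and stand in for Network_Traffic data model rows.

```python
# Added example (not the rule's own SPL): plain-Python version of the
# tstats -> eval duration -> where count>10 AND duration<3600 pipeline,
# run over constructed connection events.
from collections import defaultdict

THRESHOLD_COUNT = 10   # where count>10
WINDOW_SECONDS = 3600  # where duration<3600 (one hour)
RDP_PORT = 3389

def _events(src_ip, dest_ip, dest_port, app, start, n, step):
    """Constructed helper: n connections from src_ip to dest_ip:dest_port, `step` seconds apart."""
    return [
        {"_time": start + i * step, "src_ip": src_ip, "dest_ip": dest_ip,
         "dest_port": dest_port, "app": app}
        for i in range(n)
    ]

T0 = 1_700_000_000  # arbitrary epoch base for the constructed sample

# Constructed sample traffic; each block is labelled with the outcome it exercises.
SAMPLE_EVENTS = (
    _events("203.0.113.10", "10.0.0.5", 3389, "rdp", T0, 12, 30)     # 12 tries in 330 s -> fires
    + _events("198.51.100.7", "10.0.0.7", 3389, "rdp", T0, 12, 600)  # 12 tries over 6600 s -> too slow, no alert
    + _events("10.0.0.20", "10.0.0.5", 3389, "rdp", T0, 3, 120)      # admin, 3 tries -> below threshold
    + _events("203.0.113.10", "10.0.0.5", 443, "ssl", T0, 40, 5)     # not RDP -> dropped by the stage 1 filter
    + _events("192.0.2.9", "10.0.0.6", 33890, "rdp", T0, 11, 20)     # non-standard port, app=rdp -> fires via app match
)

def matches_rdp(event):
    """Stage 1 predicate: All_Traffic.app="rdp" OR All_Traffic.dest_port=3389."""
    return event.get("app") == "rdp" or event.get("dest_port") == RDP_PORT

def detect_rdp_bruteforce(events, threshold=THRESHOLD_COUNT, window=WINDOW_SECONDS):
    """Group RDP connections per (src_ip, dest_ip, dest_port), compute count,
    firstTime, lastTime and duration, and keep groups with count>threshold and
    duration<window. Returns rows sorted by count, highest first."""
    groups = defaultdict(list)
    for e in events:
        if matches_rdp(e):
            groups[(e["src_ip"], e["dest_ip"], e["dest_port"])].append(e["_time"])
    rows = []
    for (src_ip, dest_ip, dest_port), times in groups.items():
        first, last = min(times), max(times)
        duration = last - first  # the eval stage
        if len(times) > threshold and duration < window:  # the where stage
            rows.append({"src_ip": src_ip, "dest_ip": dest_ip, "dest_port": dest_port,
                         "count": len(times), "firstTime": first, "lastTime": last,
                         "duration": duration})
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows

if __name__ == "__main__":
    for row in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(row)
```

Two caveats the example makes visible. First, duration is measured from the first to the last attempt inside the search's time range, not over a sliding window, so a source that spreads its guesses more than an hour apart (the 198.51.100.7 block) never fires regardless of how many attempts accumulate. Second, the real SPL groups by more fields than this example (including All_Traffic.action and All_Traffic.user), so a source whose attempts are split between allowed and blocked, or across several usernames, is counted as several smaller groups and may stay under the threshold.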
Indicators
Each row is a field, operator, and value that the rule matches. Where the catalog shows a corpus count alongside an indicator, it gives the number of other rules that look for the same combination: high numbers point to widely used, community-vetted indicators, while blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| All_Traffic.app | eq | rdp |
| All_Traffic.dest_port | eq | 3389 |
| count | gt | 10 |
| duration | lt | 3600 |