Remote Desktop Network Bruteforce

Original Source: [splunk source]
Name: Remote Desktop Network Bruteforce
id: a98727cc-286b-4ff2-b898-41df64695923
version: 5
date: 2024-10-16
author: Jose Hernandez, Splunk
status: experimental
type: TTP
Description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity (app=rdp or destination port 3389). It aggregates allowed connections per source, destination and destination port, then flags pairs whose connection count exceeds the average across all pairs by more than two standard deviations. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.
Data_source:
search: | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50
| where count>(avg + stdev*2)
| rename All_Traffic.src AS src All_Traffic.dest AS dest
| table firstTime lastTime src dest count avg p50 stdev
| `remote_desktop_network_bruteforce_filter`
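The threshold logic of the search above (count per source/destination/port pair, then flag pairs above the mean plus two sample standard deviations), reimplemented in Python over a constructed set of flow records so the three stages can be run and inspected offline. This is an added example, not Splunk's code: the `Flow` record layout, the sample addresses and counts, and the `exclude_srcs` parameter (a stand-in for the `remote_desktop_network_bruteforce_filter` macro, e.g. to suppress a known RDP gateway) are all assumptions.

```python
"""Added example (not Splunk content): the tstats -> eventstats -> where pipeline of the
Remote Desktop Network Bruteforce search, run over constructed flow records."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, median, stdev


@dataclass(frozen=True)
class Flow:
    """One Network_Traffic event; field names mirror the ones the search uses (assumed layout)."""
    time: int        # epoch seconds (_time)
    src: str         # All_Traffic.src
    dest: str        # All_Traffic.dest
    dest_port: int   # All_Traffic.dest_port
    app: str         # All_Traffic.app
    action: str      # All_Traffic.action


def _burst(src, dest, n, start, port=3389, app="rdp", action="allowed"):
    """Constructed helper: n events from src to dest, five seconds apart."""
    return [Flow(start + i * 5, src, dest, port, app, action) for i in range(n)]


# Constructed sample: one pair with 40 allowed RDP connections, eight quiet pairs,
# plus two bursts the tstats WHERE clause must drop (blocked, and non-RDP on 443).
SAMPLE_FLOWS = (
    _burst("10.0.0.5", "10.0.1.20", 40, 1_700_000_000)
    + _burst("10.0.0.11", "10.0.1.21", 2, 1_700_000_300)
    + _burst("10.0.0.12", "10.0.1.22", 3, 1_700_000_320)
    + _burst("10.0.0.13", "10.0.1.23", 1, 1_700_000_340)
    + _burst("10.0.0.14", "10.0.1.24", 2, 1_700_000_360)
    + _burst("10.0.0.15", "10.0.1.25", 2, 1_700_000_380)
    + _burst("10.0.0.16", "10.0.1.26", 1, 1_700_000_400)
    + _burst("10.0.0.17", "10.0.1.27", 3, 1_700_000_420)
    + _burst("10.0.0.18", "10.0.1.28", 2, 1_700_000_440)
    + _burst("10.0.0.30", "10.0.1.30", 25, 1_700_000_900, action="blocked")
    + _burst("10.0.0.31", "10.0.1.31", 25, 1_700_001_000, port=443, app="ssl")
)


def aggregate_rdp_pairs(flows):
    """tstats stage: keep allowed RDP traffic (app=rdp OR dest_port=3389) and compute
    count, firstTime and lastTime per (src, dest, dest_port)."""
    groups = {}
    for f in flows:
        if f.action != "allowed" or not (f.app == "rdp" or f.dest_port == 3389):
            continue
        key = (f.src, f.dest, f.dest_port)
        g = groups.setdefault(key, {"count": 0, "firstTime": f.time, "lastTime": f.time})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], f.time)
        g["lastTime"] = max(g["lastTime"], f.time)
    return groups


def flag_outliers(groups, exclude_srcs=frozenset()):
    """eventstats + where stage: avg/stdev/p50 over every pair's count, then keep pairs
    with count > avg + 2*stdev. Splunk's stdev is the sample standard deviation, so
    statistics.stdev matches it. exclude_srcs plays the role of the filter macro."""
    counts = [g["count"] for g in groups.values()]
    if len(counts) < 2:
        return []  # stdev needs two samples; a lone pair can never exceed its own average
    avg, sd, p50 = mean(counts), stdev(counts), median(counts)
    threshold = avg + 2 * sd
    hits = []
    for (src, dest, port), g in groups.items():
        if g["count"] > threshold and src not in exclude_srcs:
            hits.append({"src": src, "dest": dest, "dest_port": port, **g,
                         "avg": avg, "p50": p50, "stdev": sd})
    return sorted(hits, key=lambda h: -h["count"])


if __name__ == "__main__":
    for hit in flag_outliers(aggregate_rdp_pairs(SAMPLE_FLOWS)):
        print(f"{hit['dest']} may be the target of an RDP Bruteforce from {hit['src']}: "
              f"count={hit['count']} avg={hit['avg']:.1f} p50={hit['p50']} stdev={hit['stdev']:.1f}")
```

Note that with very few pairs in the window, a single noisy pair inflates the standard deviation enough to push the threshold above its own count, so the search is most sensitive when the data model contains a broad baseline of ordinary RDP sessions; the gateway false positive listed below is handled here by passing the gateway address in `exclude_srcs`.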

how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model.
known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'SamSam Ransomware'
    - 'Ryuk Ransomware'
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: $dest$ may be the target of an RDP Bruteforce
  mitre_attack_id:
    - 'T1021.001'
    - 'T1021'
  observable:
    - name: 'dest'
      type: 'Hostname'
      role:
        - 'Victim'
    - name: 'src'
      type: 'Hostname'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'All_Traffic.app'
    - 'All_Traffic.src'
    - 'All_Traffic.dest'
    - 'All_Traffic.dest_port'
  risk_score: 25
  security_domain: network

tests:
manual_test: None

Related Analytic Stories

- Ryuk Ransomware
- SamSam Ransomware