From 145c93f451b8973ec005cb57917dd7f2641460e1 Mon Sep 17 00:00:00 2001 From: research-bot Date: Fri, 10 Jan 2025 12:16:02 -0800 Subject: [PATCH] updating detection --- .../remote_desktop_network_bruteforce.yml | 51 +++++++++++-------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml index 2634f6b9cf..74443c9066 100644 --- a/detections/network/remote_desktop_network_bruteforce.yml +++ b/detections/network/remote_desktop_network_bruteforce.yml 
@@ -1,44 +1,47 @@ name: Remote Desktop Network Bruteforce id: a98727cc-286b-4ff2-b898-41df64695923 -version: 5 -date: '2024-10-16' -author: Jose Hernandez, Splunk -status: experimental +version: 6 +date: '2025-01-10' +author: Jose Hernandez, Bhavin Patel, Splunk +status: production type: TTP -description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. -data_source: [] +description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 successful connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. 
+data_source: +- Sysmon EventID 3 search: >- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port - | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 - | where count>(avg + stdev*2) - | rename All_Traffic.src AS src All_Traffic.dest AS dest - | table firstTime lastTime src dest count avg p50 stdev + | tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port All_Traffic.user All_Traffic.vendor_product + | `drop_dm_object_name("All_Traffic")` + | eval duration=lastTime-firstTime + | where count > 10 AND duration < 3600 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `remote_desktop_network_bruteforce_filter` -how_to_implement: You must ensure that your network traffic data is populating the - Network_Traffic data model. -known_false_positives: RDP gateways may have unusually high amounts of traffic from - all other hosts' RDP applications in the network. -references: [] +how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. Adjust the count and duration thresholds as necessary to tune the sensitivity of your detection. +known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.Any legitimate RDP traffic using wrong/expired credentials will be also detected as a false positive. 
+references: +- https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack +- https://www.reliaquest.com/blog/rdp-brute-force-attacks/ tags: analytic_story: - SamSam Ransomware - Ryuk Ransomware + - Compromised User Account asset_type: Endpoint confidence: 50 impact: 50 - message: $dest$ may be the target of an RDP Bruteforce + message: $dest$ may be the target of an RDP Bruteforce from $src$ mitre_attack_id: - - T1021.001 - - T1021 + - T1110.001 + - T1110 observable: - name: dest type: Hostname role: - Victim - name: src - type: Hostname + type: IP Address role: - - Victim + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security @@ -51,3 +54,9 @@ tags: - All_Traffic.dest_port risk_score: 25 security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog
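Review bot: the new threshold `| where count > 10 AND duration < 3600` does not implement the "within a one-hour window" the updated description promises, because `count`, `firstTime` and `lastTime` are aggregated over the whole search range per src/dest/dest_port group. A source that keeps hammering RDP for longer than 3600 seconds (the sustained brute force the analytic exists to catch) gets `duration >= 3600` and is filtered out, while a short burst is kept. Consider bucketing in the tstats `by` clause (for example `by _time span=1h, All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port`) and dropping the `duration` test, or keep `duration` only as an output column. Two smaller points in the same hunk: adding `All_Traffic.user` to the `by` clause splits the count per user, so an attacker cycling usernames can stay under 10 per group even with hundreds of connections to one host, which should at least be called out in `known_false_positives`/`how_to_implement`; and the description says "successful connection attempts" where the search actually filters `All_Traffic.action=allowed`, i.e. an allowed network connection, not a successful logon, so "allowed connections" would be the accurate wording. Style: the `by` list mixes comma and space separators (`All_Traffic.dest_port All_Traffic.user All_Traffic.vendor_product`), and `known_false_positives` is missing a space in `network.Any`.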
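Review bot: the added `tests` block relies on an undocumented prerequisite. The dataset is raw Sysmon (`source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`, `sourcetype: XmlWinEventLog`), but the search runs against `datamodel=Network_Traffic` and requires `All_Traffic.action=allowed` plus `All_Traffic.app=rdp OR All_Traffic.dest_port=3389`, so the test can only pass where Sysmon EventID 3 is CIM-normalized into `Network_Traffic` with `action` populated. `how_to_implement` in the first hunk still only says "your network traffic data is populating the Network_Traffic data model"; suggest stating the Sysmon EventID 3 to Network_Traffic mapping (and the `action` field) there so the new `data_source` entry, the search and the test agree.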