ID234 - SOC176
RDP Brute Force Detected

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Threat intel

Initial checks on VirusTotal, AbuseIPDB and LetsDefend Threat Intel show the source IP address flagged as malicious.

Log Management

Let’s move to Log Management and check what kind of interaction this malicious IP had with our systems.

Log Management shows 30 events coming from the external IP. Filtering to those directed at the Matthew machine, we can confirm that the external IP targeted only this host.

All of them are directed at port 3389 on the victim, the port used for RDP connections.

It looks like the attacker tried to connect using different username/password combinations within a matter of seconds.

All signs of an automated brute-force (password-guessing) attack.

Out of the 30 events we have:
– 29 with Event ID 4625 – failed logon
– 1 with Event ID 4624 – successful logon

So eventually the attacker managed to access the victim machine: the user Matthew existed and the password was guessed, probably because it was weak and present in the dictionary used for this attack.

Endpoint Security

In the Terminal History tab we can immediately see signs of the discovery phase of the attack:

cmd.exe
– likely the parent process of all the discovery commands below
– often used to launch post-exploitation tools or batch commands
 
whoami
– T1033 – System Owner/User Discovery
– confirm current user context
 
net user letsdefend
– T1087.001 – Account Discovery: Local Account
– check whether the user exists and get its group membership
 
Net Localgroup administrators
– T1069.001 – Permission Group Discovery: Local Groups 
– check local admin group membership
 
netstat -ano
– T1049 – System Network Connections Discovery
– Identify open ports + PIDs
 
All of this suggests that the attacker has already accessed the system and is performing enumeration, likely aiming at privilege escalation and persistence on the system.
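The two pieces of evidence above (29 × Event ID 4625 followed by a single 4624 from the same source IP against port 3389, and the discovery commands under cmd.exe in Terminal History) are exactly what a detection rule should correlate. The following Python script is an added example, not part of the original write-up or of LetsDefend’s tooling. It runs over constructed event records modelled on this alert (the field names, timestamps and the 10-failure threshold are assumptions, not a real SIEM schema), flags the success-after-burst pattern per source IP and host, and then attaches the post-logon discovery commands with the ATT&CK IDs listed above to reach a verdict.

```python
"""Correlate an RDP brute-force burst with the logon that followed it and with
post-logon discovery commands. Added example; event layout is an assumption."""
from collections import deque
from datetime import datetime, timedelta

# --- constructed sample telemetry (not real logs; modelled on the alert) ---
SRC_IP, HOST = "218.92.0.56", "Matthew"
T0 = datetime(2024, 3, 7, 11, 44, 10)          # assumed start time


def _auth(offset, event_id, user):
    return {"time": T0 + timedelta(seconds=offset), "event_id": event_id,
            "src_ip": SRC_IP, "dst_host": HOST, "dst_port": 3389,
            "logon_type": 10, "user": user}       # 10 = RemoteInteractive (RDP)


# 29 failures cycling through common usernames, then one success for Matthew
AUTH_EVENTS = [_auth(i, 4625, ["guest", "admin", "sysadmin", "Matthew"][i % 4])
               for i in range(29)] + [_auth(29, 4624, "Matthew")]

# Terminal History after the logon, all spawned by cmd.exe
PROC_EVENTS = [
    {"time": T0 + timedelta(seconds=s), "host": HOST, "user": "Matthew",
     "parent": "cmd.exe", "cmdline": c}
    for s, c in [(50, "whoami"), (62, "net user letsdefend"),
                 (75, "Net Localgroup administrators"), (90, "netstat -ano")]
]

# Discovery command prefix -> ATT&CK technique, as mapped in the write-up
DISCOVERY = {
    ("whoami",): "T1033",
    ("net", "user"): "T1087.001",
    ("net", "localgroup"): "T1069.001",
    ("netstat",): "T1049",
}


def classify_discovery(cmdline):
    """Return the ATT&CK ID for a known discovery command, else None."""
    tokens = cmdline.lower().split()
    for prefix, tid in DISCOVERY.items():
        if tuple(tokens[:len(prefix)]) == prefix:
            return tid
    return None


def find_rdp_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of 4625s per (src_ip, dst_host) on port 3389.
    A 4624 that arrives while >= threshold failures sit inside the window is
    recorded as the 'success after burst' for that pair."""
    by_pair = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("dst_port") != 3389:
            continue
        key = (e["src_ip"], e["dst_host"])
        f = by_pair.setdefault(key, {"src_ip": e["src_ip"], "dst_host": e["dst_host"],
                                     "failures": 0, "recent": deque(),
                                     "success": None, "users_tried": set()})
        recent = f["recent"]
        while recent and e["time"] - recent[0] > window:   # expire old failures
            recent.popleft()
        if e["event_id"] == 4625:
            recent.append(e["time"])
            f["failures"] += 1
            f["users_tried"].add(e["user"])
        elif e["event_id"] == 4624 and len(recent) >= threshold and f["success"] is None:
            f["success"] = {"time": e["time"], "user": e["user"]}
    findings = []
    for f in by_pair.values():
        if f["failures"] >= threshold:
            f.pop("recent")
            findings.append(f)
    return findings


def correlate(auth_events, proc_events, follow=timedelta(minutes=30)):
    """Attach discovery commands run by the compromised account on the same
    host within `follow` of the successful logon, and set a verdict."""
    incidents = []
    for f in find_rdp_brute_force(auth_events):
        techniques = []
        if f["success"]:
            t_login, user = f["success"]["time"], f["success"]["user"]
            for p in sorted(proc_events, key=lambda p: p["time"]):
                tid = classify_discovery(p["cmdline"])
                if (tid and p["host"] == f["dst_host"] and p["user"] == user
                        and t_login <= p["time"] <= t_login + follow):
                    techniques.append((p["cmdline"], tid))
        if f["success"] and techniques:
            verdict = "true_positive_compromised"   # success + hands-on-keyboard discovery
        elif f["success"]:
            verdict = "true_positive_success"       # success, no follow-up activity seen yet
        else:
            verdict = "brute_force_failed"
        incidents.append({**f, "discovery": techniques, "verdict": verdict})
    return incidents


if __name__ == "__main__":
    for inc in correlate(AUTH_EVENTS, PROC_EVENTS):
        print(inc["src_ip"], "->", inc["dst_host"], inc["failures"], "failures,",
              "users tried:", sorted(inc["users_tried"]))
        print("  success:", inc["success"], "| verdict:", inc["verdict"])
        for cmd, tid in inc["discovery"]:
            print(f"  {tid:10} {cmd}")
```

The verdict tiers matter for triage: a burst with no 4624 is still worth blocking at the edge, a burst followed by a 4624 with logon type 10 is a true positive on its own, and a 4624 followed within minutes by whoami / net user / net localgroup / netstat under the same account is the isolation-now case seen in this alert. On real data, feed the script Security log 4625/4624 records (with IpAddress, TargetUserName and LogonType) and 4688 or Sysmon process-creation events in place of the constructed lists.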

Playbook Execution

Incident Name

EventID: 234 – [SOC176 – RDP Brute Force Detected]

Description

EventID: 234

Incident type

Brute Force

Check the Source IP address. Is the IP address 'internal' or 'external'?
Answer

External

Check the reputation of the attacker's IP Address using the following resources.
Answer

Malicious

Is there a request from the Attacker IP address to the target server's SSH or RDP port?
Answer

YES

Does the Attacker IP address try to establish an SSH/RDP connection with multiple servers/clients as the target?
Answer

NO

Check the SSH/RDP audit logs to determine if the brute force attack was successful. Was the brute force attack successful?
Answer

YES

Systems exposed to a cyber-attack should be isolated to reduce the impact of the cyber-attack. Does the device require isolation?
Answer

YES

Add Artifacts

Value: 218.92.0[.]56
Comment: Threat actor IP
Type: IP address

Verdict

True Positive

Analyst Summary Report

Summary of findings

A brute-force RDP attack was launched from a malicious external IP (218.92.0[.]56, China – AS4134) against host Matthew (172.16.17.148). The attacker made multiple login attempts using common usernames (guest, admin, sysadmin, Matthew) and eventually authenticated successfully with weak credentials. Post-compromise activity was observed via cmd.exe, including system and account enumeration, indicating early-stage post-exploitation.

Action taken
  • Confirmed attack via logs and threat intel
  • Verified successful login and system access
  • Marked incident as True Positive
  • Host isolated
Remediation recommendations
  • Enforce strong password policies and regular password expiration
  • Enable account lockout after multiple failed attempts
  • Implement Multi-Factor Authentication (MFA)
  • Restrict RDP access to VPN or internal-only networks
  • Apply IP whitelisting for RDP services
  • Investigate the compromised host (Matthew)

SYN / ACK

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.