远程桌面暴力破解检测

v20260426

detecting-rdp-brute-force-attacks

解析 Windows 安全日志（4625/4624/NLA）及攻击 IP 频率，识别 RDP 暴力破解模式并生成 JSON 报告，便于 SOC 分析与检测策略优化。

网络安全威胁检测 RDP 日志分析安全运营蓝队

获取技能

293 次下载

概览

Detecting RDP Brute Force Attacks

Overview

RDP brute force attacks target Windows Remote Desktop Protocol services by attempting rapid credential guessing against exposed RDP endpoints. Detection relies on analyzing Windows Security Event Logs for Event ID 4625 (failed logon with Logon Type 10 or 3) and correlating with Event ID 4624 (successful logon) to identify compromised accounts. This skill covers parsing EVTX files with python-evtx, identifying attack patterns through source IP frequency analysis, detecting NLA bypass attempts, and generating actionable detection reports.

When to Use

When investigating security incidents that require detecting rdp brute force attacks
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with python-evtx, lxml libraries
Windows Security EVTX log files (exported from Event Viewer or collected via WEF)
Understanding of Windows authentication Event IDs (4624, 4625, 4776)
Familiarity with RDP Logon Types (Type 3 for NLA, Type 10 for RemoteInteractive)

Steps

Step 1: Export Security Event Logs

Export Windows Security logs to EVTX format using Event Viewer or wevtutil:

wevtutil epl Security C:\logs\security.evtx

Step 2: Parse Failed Logon Events

Use python-evtx to parse Event ID 4625 entries, extracting source IP, target username, failure reason (Sub Status), and Logon Type fields.

Step 3: Analyze Attack Patterns

Identify brute force patterns by:

Counting failed logons per source IP within time windows
Detecting username spray attacks (many usernames from one IP)
Correlating 4625 failures with subsequent 4624 success from same IP

Step 4: Generate Detection Report

Produce a JSON report with top attacking IPs, targeted accounts, time-based analysis, and compromise indicators.

Expected Output

JSON report containing:

Total failed logon events and unique source IPs
Top attacking IPs ranked by failure count
Targeted usernames and failure sub-status codes
Successful logons following brute force attempts (potential compromises)
Time-series analysis of attack intensity

信息

Category 未分类

Name detecting-rdp-brute-force-attacks

版本 v20260426

大小 8.93KB

Source mukul975/Anthropic-Cybersecurity-Skills

更新时间 2026-05-10