Detection: Remote Desktop Network Bruteforce

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Updated Date: 2024-05-17 ID: a98727cc-286b-4ff2-b898-41df64695923 Author: Jose Hernandez, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port 
3| eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 
4| where count>(avg + stdev*2) 
5| rename All_Traffic.src AS src All_Traffic.dest AS dest 
6| table firstTime lastTime src dest count avg p50 stdev 
7| `remote_desktop_network_bruteforce_filter`

Data Source

Name Platform Sourcetype Source Supported App
N/A N/A N/A N/A N/A

Macros Used

Name Value
security_content_summariesonly summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config``
remote_desktop_network_bruteforce_filter search *
remote_desktop_network_bruteforce_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1021.001 Remote Desktop Protocol Lateral Movement
T1021 Remote Services Lateral Movement
KillChainPhase.EXPLOITAITON
NistCategory.DE_CM
Cis18Value.CIS_13
APT1
APT3
APT39
APT41
APT5
Axiom
Blue Mockingbird
Chimera
Cobalt Group
Dragonfly
FIN10
FIN13
FIN6
FIN7
FIN8
Fox Kitten
HEXANE
Kimsuky
Lazarus Group
Leviathan
Magic Hound
OilRig
Patchwork
Silence
Wizard Spider
menuPass
Wizard Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

You must ensure that your network traffic data is populating the Network_Traffic data model.

Known False Positives

RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
$dest$ may be the target of an RDP Bruteforce 25 50 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3