Introduction
As part of the 30-Day SOC Analyst challenge, I am enhancing my skills in identifying, analyzing, and mitigating security threats. On Day 16, I focused on detecting brute force attempts on my Windows RDP server. The goal was to analyze logs using Elastic Web GUI, filter for failed authentication events, and set up rules and alerts for any brute force activity. This project enhances real-time monitoring capabilities and is essential for threat detection in a cybersecurity role.
Detailed Process:
Log Analysis with Elastic Web GUI
I began by accessing the Elastic Web GUI and navigating to the “Discover” tab to view all logs from the active agents. Since I was focusing on my Windows RDP server, I filtered logs specifically for this server by selecting the machine name from the available agent list.

Filtering Failed Login Attempts (Event ID 4625)
To track brute force activity, I used Windows Security Event ID 4625 (“An account failed to log on”), which is recorded for every failed authentication attempt. Using the following query, I filtered for these events:
event.code:4625
This query filtered all relevant failed login attempts for further analysis.

Detailed Log Analysis
I then added specific fields as columns in the query results to analyze the failed login attempts in more depth:
- User (user.name): To identify the targeted user accounts.
- Source IP (source.ip): To trace the origin of the login attempts.
After reviewing this information, I saved the query with the name “RDP Failed Activity” to reuse it later for continuous monitoring.
Setting Alerts for Brute Force Activity
After analyzing the failed login attempts, I created an alert to notify me of potential brute force attempts. I set the alert condition to trigger when more than five failed login attempts occur within a five-minute window.
I named this alert “MyDFIR-RDP Brute Force Activity – Heyakru” and saved it. This alert let me detect brute force attempts in real time, although the default alert carried little detail about the targeted account or the source of the attempts.
Advanced Rule Creation
To gather more detailed information, I headed to the Security > Rules section to create custom detection rules for both my Ubuntu SSH agent and Windows RDP agent.
For the Ubuntu SSH agent, I used the following custom query to filter failed SSH login attempts against the root account:
system.auth.ssh.event: * and agent.name: "MyDFIR-Linux-Heyakru" and system.auth.ssh.event: Failed and user.name: root
I grouped the rule by user.name and source.ip, so that each user/source pair is counted separately, and set the rule threshold to more than five attempts. Additionally, I set the severity to medium and the look-back time to 5 minutes, and scheduled the rule to run every 5 minutes.

Similarly, I created another rule for the Windows RDP agent to detect brute force attempts on that machine. This rule was also set to monitor failed RDP logins and notify me if more than five failed attempts occurred within 5 minutes.
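As an added example (my own Python, not Elastic's code and not part of the challenge material), the following reproduces the threshold logic behind both rules above: it filters events by the rule's query fields, groups the matches by user.name and source.ip, and fires when more than five matching events fall inside a five-minute look-back window. The sample events, their timestamps and IP addresses are constructed, and the SSH rule name is hypothetical; only the field names and the RDP alert name come from the write-up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on the flattened field names used in the
# Elastic queries above (Windows 4625 logons and Filebeat system/auth SSH records).
SAMPLE_EVENTS = [
    # Windows: six failed logons from one source against "administrator" within 50 seconds
    *[{"@timestamp": f"2024-05-01T10:00:{10 * i:02d}Z", "event.code": "4625",
       "user.name": "administrator", "source.ip": "203.0.113.7"} for i in range(6)],
    # Windows: a single failed logon by a legitimate user, should not alert
    {"@timestamp": "2024-05-01T10:01:00Z", "event.code": "4625",
     "user.name": "alice", "source.ip": "198.51.100.4"},
    # Linux: six failed root SSH logins spread over ten minutes, never six in one window
    *[{"@timestamp": f"2024-05-01T10:{2 * i:02d}:00Z", "agent.name": "MyDFIR-Linux-Heyakru",
       "system.auth.ssh.event": "Failed", "user.name": "root", "source.ip": "192.0.2.9"}
      for i in range(6)],
    # Linux: six failed root SSH logins from one source within 25 seconds, should alert
    *[{"@timestamp": f"2024-05-01T10:20:{5 * i:02d}Z", "agent.name": "MyDFIR-Linux-Heyakru",
       "system.auth.ssh.event": "Failed", "user.name": "root", "source.ip": "192.0.2.44"}
      for i in range(6)],
]

# Rule definitions mirroring the settings chosen in the Elastic GUI: which events match,
# which fields to group by, and "more than five in five minutes".
RDP_RULE = {
    "name": "MyDFIR-RDP Brute Force Activity - Heyakru",
    "match": {"event.code": "4625"},
    "group_by": ["user.name", "source.ip"],
    "threshold": 5,                  # alert when MORE than this many events ...
    "window": timedelta(minutes=5),  # ... fall inside this look-back window
}
SSH_RULE = {
    "name": "MyDFIR-SSH Brute Force Activity - Heyakru",  # hypothetical name
    "match": {"agent.name": "MyDFIR-Linux-Heyakru",
              "system.auth.ssh.event": "Failed", "user.name": "root"},
    "group_by": ["user.name", "source.ip"],
    "threshold": 5,
    "window": timedelta(minutes=5),
}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate_rule(rule, events):
    """Return one alert per group whose event count exceeds the threshold in any window."""
    buckets = defaultdict(list)
    for ev in events:
        # Every field in the rule's query must match exactly (equivalent to the KQL "and").
        if all(ev.get(field) == wanted for field, wanted in rule["match"].items()):
            key = tuple(ev.get(field) for field in rule["group_by"])
            buckets[key].append(parse_ts(ev["@timestamp"]))

    alerts = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward so times[start:end+1] all lie within the look-back.
            while t - times[start] >= rule["window"]:
                start += 1
            count = end - start + 1
            if count > rule["threshold"]:
                alerts.append({"rule": rule["name"], **dict(zip(rule["group_by"], key)),
                               "count": count, "first_seen": times[start].isoformat(),
                               "last_seen": t.isoformat()})
                break  # one alert per group is enough; keep going with the next group
    return alerts


if __name__ == "__main__":
    for rule in (RDP_RULE, SSH_RULE):
        for alert in evaluate_rule(rule, SAMPLE_EVENTS):
            print(alert)
```

Grouping by both user.name and source.ip means a distributed attack that spreads attempts over many source addresses, or a password spray across many accounts from one address, will not cross the threshold; dropping one of the group-by fields (or adding a second rule grouped only by source.ip) covers those cases at the cost of more noise.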
Conclusion
Day 16 of the SOC Analyst challenge equipped me with the skills to identify and respond to brute force activities on both Windows RDP and Ubuntu SSH servers. By utilizing the Elastic Web GUI, filtering logs, and setting up advanced alerts, I was able to create a real-time monitoring and alert system that will help protect servers from unauthorized access attempts.