Creating Alerts and Dashboards in Kibana (3/4)

Introduction

On Day 17 of my 30-day SOC Analyst challenge, I focused on detecting and monitoring Remote Desktop Protocol (RDP) brute force attempts on my Windows server. Using Elasticsearch and Kibana, I built dashboards to visualize failed and successful login activities, providing insights into potential security threats. Throughout this task, I learned valuable skills for identifying unauthorized access attempts and tracking login sources.

Detailed Process

Step 1: Creating a Map for Failed RDP Login Attempts

To begin, I accessed my Elasticsearch dashboard and navigated to the Map tab. My goal was to visualize failed login attempts, which would help identify brute force activities.

I used the following query to filter for failed logins on my Windows server:

    event.code: 4625 and agent.name: MYDFIR-WIN-heyakru

Initially, no results were displayed because I hadn’t created a map layer yet. I proceeded to create a layer by clicking on Add Layer and selecting a Choropleth layer.

For the boundaries source, I chose Administrative boundaries from the Elastic Maps Service, with the following configurations:

  • EMS boundaries: World Countries
  • Join Field: ISO 3166-1 alpha-2 code

For the data view, I selected my default data view and used source.geo.country_iso_code as the join field. I saved the map as “RDP Failed Authentication” and added it to my dashboard.

The map now showed where the failed RDP login attempts were originating from globally.

Step 2: Creating a Map for Successful RDP Login Attempts

Next, I created a map to display the locations of successful login attempts. Following the same process as before, I adjusted the query to filter for successful logins:

    event.code: 4624 and (winlog.event_data.LogonType: 10 or winlog.event_data.LogonType: 7)

This query targeted:

  • Event code 4624 for successful logins.
  • LogonType 10 for remote desktop (RDP) logins.
  • LogonType 7 for logins from unlocked workstations.

After configuring the map, I named it “RDP Successful Authentication” and added it to my dashboard. The map showed successful RDP login attempts, including a login from Bangladesh, which was my own access through RDP.

Step 3: Adding Tabular Data for Enhanced Visualization

To enhance my dashboard, I created tables to display detailed information about login attempts. I started by creating a table visualization showing failed SSH authentication attempts on my Linux server. Using the query below, I filtered the failed login events:

    system.auth.ssh.event: * and agent.name: MYDFIR-Linux-Heyakru and system.auth.ssh.event: Failed

I added fields such as Username, Source IP, and Country name to the table and configured it to show the top 10 results in descending order. The table was saved as SSH Failed Authentication [Table].

I then duplicated this table and created three additional tables for:

  1. SSH Successful Authentication
  2. RDP Successful Authentication
  3. RDP Failed Authentication

Finally, I added these tables alongside the map visualizations, resulting in a comprehensive dashboard that provides both visual and tabular insights into RDP and SSH authentication activity.
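The following script is an added example (not code from the post or from Elastic) that recreates the logic behind the three steps above offline: the four KQL filters as Python predicates, the per-country counts that feed a choropleth map through its source.geo.country_iso_code join field, and the top-10 tables of username, source IP and country name. It goes one step beyond the dashboard by flagging source IPs whose failed RDP and SSH logons together cross a threshold, which is the brute-force signal the dashboard is built to surface. The agent names are the ones used in the post; the events are constructed samples shaped like Winlogbeat and Filebeat ECS documents, and the field names for the username (winlog.event_data.TargetUserName, user.name) and the SSH success value ("Accepted") are assumptions about those modules rather than anything the post states.

```python
from collections import Counter

# Agent names as used in the post; all events below are constructed samples.
WIN_AGENT = "MYDFIR-WIN-heyakru"
LINUX_AGENT = "MYDFIR-Linux-Heyakru"


def get(doc, path, default=None):
    """Dotted-path lookup into a nested ECS document, e.g. 'source.geo.country_iso_code'."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def win(code, logon_type, user, ip, iso, country, agent=WIN_AGENT):
    """Constructed Winlogbeat-style document (event.code is a string in ECS)."""
    return {"event": {"code": code}, "agent": {"name": agent},
            "source": {"ip": ip, "geo": {"country_iso_code": iso, "country_name": country}},
            "winlog": {"event_data": {"LogonType": logon_type, "TargetUserName": user}}}


def ssh(outcome, user, ip, iso, country, agent=LINUX_AGENT):
    """Constructed Filebeat system/auth-style document; user.name is an assumed field."""
    return {"agent": {"name": agent}, "user": {"name": user},
            "source": {"ip": ip, "geo": {"country_iso_code": iso, "country_name": country}},
            "system": {"auth": {"ssh": {"event": outcome}}}}


# Constructed sample data: RFC 5737 documentation addresses, invented users and countries.
EVENTS = [
    win("4625", "3", "administrator", "203.0.113.10", "RU", "Russia"),
    win("4625", "3", "admin", "203.0.113.10", "RU", "Russia"),
    win("4625", "3", "administrator", "203.0.113.10", "RU", "Russia"),
    win("4625", "3", "root", "198.51.100.7", "CN", "China"),
    win("4624", "10", "heyakru", "192.0.2.44", "BD", "Bangladesh"),   # the RDP session
    win("4624", "3", "svc", "203.0.113.10", "RU", "Russia"),          # network logon, not RDP
    win("4625", "3", "guest", "198.51.100.9", "US", "United States", agent="OTHER-HOST"),
    ssh("Failed", "root", "203.0.113.10", "RU", "Russia"),
    ssh("Failed", "admin", "203.0.113.10", "RU", "Russia"),
    ssh("Accepted", "heyakru", "192.0.2.44", "BD", "Bangladesh"),
]


# The post's KQL filters, one predicate each.
def rdp_failed(d):   # event.code: 4625 and agent.name: MYDFIR-WIN-heyakru
    return get(d, "event.code") == "4625" and get(d, "agent.name") == WIN_AGENT


def rdp_success(d):  # event.code: 4624 and (LogonType: 10 or LogonType: 7)
    return get(d, "event.code") == "4624" and get(d, "winlog.event_data.LogonType") in ("10", "7")


def ssh_failed(d):   # system.auth.ssh.event: Failed and agent.name: MYDFIR-Linux-Heyakru
    return get(d, "system.auth.ssh.event") == "Failed" and get(d, "agent.name") == LINUX_AGENT


def ssh_success(d):  # "Accepted" is an assumption about the Filebeat module's value
    return get(d, "system.auth.ssh.event") == "Accepted" and get(d, "agent.name") == LINUX_AGENT


def country_counts(docs, keep):
    """Choropleth input: hits per source.geo.country_iso_code, the map's join field."""
    return Counter(get(d, "source.geo.country_iso_code", "??") for d in docs if keep(d))


def username(d):
    return get(d, "winlog.event_data.TargetUserName") or get(d, "user.name") or "-"


def top_table(docs, keep, n=10):
    """Rows of (username, source IP, country name) with counts, top n in descending order."""
    rows = Counter((username(d), get(d, "source.ip"), get(d, "source.geo.country_name"))
                   for d in docs if keep(d))
    return sorted(rows.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def brute_force_sources(docs, threshold=3):
    """Beyond the dashboard: source IPs with at least `threshold` failed RDP or SSH logons."""
    failures = Counter(get(d, "source.ip") for d in docs if rdp_failed(d) or ssh_failed(d))
    return {ip for ip, count in failures.items() if count >= threshold}


if __name__ == "__main__":
    for title, keep in [("RDP Failed", rdp_failed), ("RDP Successful", rdp_success),
                        ("SSH Failed", ssh_failed), ("SSH Successful", ssh_success)]:
        print(f"{title} by country: {dict(country_counts(EVENTS, keep))}")
        for (user, ip, country), count in top_table(EVENTS, keep):
            print(f"  {count:>3}  {user:<14} {ip:<15} {country}")
    print("Sources over the failure threshold:", brute_force_sources(EVENTS))
```

The predicates mirror the KQL exactly, including the fact that the RDP success query in the post carries no agent.name clause, so it would match 4624 events from every Windows host shipping to the cluster; the threshold in brute_force_sources is deliberately low for the sample and would be tuned against real volume.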

Conclusion

By creating interactive maps and tabular visualizations, I was able to track failed and successful login attempts on my Windows and Linux servers. This project taught me how to effectively visualize and monitor RDP and SSH activity, allowing me to detect potential brute force attacks and track their origins. The skills I gained during this task will help me enhance security operations and improve threat detection.