LoFP / RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.

Techniques

Sample rules

Remote Desktop Network Bruteforce

Description

The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It counts allowed RDP connections per source, destination and destination port, then flags the pairs whose count exceeds the mean across all pairs by more than twice the standard deviation. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50
| where count>(avg + stdev*2)
| rename All_Traffic.src AS src All_Traffic.dest AS dest
| table firstTime lastTime src dest count avg p50 stdev
| `remote_desktop_network_bruteforce_filter`
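The same threshold logic re-implemented in Python over constructed flow records, as an added example that is not part of the LoFP page or of the Splunk rule. It shows why an RDP gateway's fan-in trips the `avg + 2*stdev` test alongside a genuinely anomalous pair, and how a filter macro would have to suppress the gateway; all hostnames and the gateway allow-list are made up, and the filter logic is a hypothetical stand-in for `remote_desktop_network_bruteforce_filter`.

```python
from collections import Counter
from statistics import mean, stdev

# Constructed flow records shaped like Network_Traffic fields:
# (All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port, All_Traffic.action, All_Traffic.app)
FLOWS = []
for i in range(10):                                   # ordinary workstation -> server sessions
    FLOWS += [(f"ws{i:02d}", "fileserver", 3389, "allowed", "rdp")] * 3
for i in range(10, 20):
    FLOWS += [(f"ws{i:02d}", "hr-db", 3389, "allowed", "rdp")] * 2
FLOWS += [("ws20", "jump-host", 3390, "allowed", "rdp")]          # matched via app=rdp, not the port
FLOWS += [("ws21", "dc01", 3389, "denied", "rdp")] * 50            # dropped: action != allowed
FLOWS += [("rdp-gateway", "jump-host", 3389, "allowed", "rdp")] * 40  # gateway fan-in (the LoFP case)
FLOWS += [("ws22", "dc01", 3389, "allowed", "rdp")] * 45           # one host, one target, many sessions


def count_rdp_pairs(flows):
    """tstats stage: count allowed RDP flows per (src, dest, dest_port)."""
    counts = Counter()
    for src, dest, port, action, app in flows:
        if action == "allowed" and (app == "rdp" or port == 3389):
            counts[(src, dest, port)] += 1
    return counts


def flag_outliers(counts):
    """eventstats + where stage: keep pairs with count > avg + 2*stdev.
    Splunk's stdev() is the sample standard deviation, hence statistics.stdev;
    with fewer than two groups the spread is taken as 0 (an assumption)."""
    values = list(counts.values())
    avg = mean(values)
    sd = stdev(values) if len(values) > 1 else 0.0
    flagged = {pair: n for pair, n in counts.items() if n > avg + 2 * sd}
    return flagged, avg, sd


def apply_filter(flagged, known_gateways):
    """Hypothetical stand-in for the filter macro: suppress pairs whose
    source is an approved RDP gateway (the allow-list is constructed)."""
    return {pair: n for pair, n in flagged.items() if pair[0] not in known_gateways}


if __name__ == "__main__":
    flagged, avg, sd = flag_outliers(count_rdp_pairs(FLOWS))
    print(f"avg={avg:.2f} stdev={sd:.2f} threshold={avg + 2 * sd:.2f}")
    for pair, n in flagged.items():
        print("raw alert:", pair, n)
    for pair, n in apply_filter(flagged, {"rdp-gateway"}).items():
        print("after filter:", pair, n)
```

Without the filter both the gateway and ws22 are reported; only the allow-list separates the expected fan-in from the pair worth investigating.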