**Date of Report:** April 17, 2025
**Incident Type:** Brute Force Attack (RDP)
**Severity:** Medium
![[Pasted image 20250417185730.png]]
**1. Executive Summary**
On March 07, 2025, a brute force attack targeting Remote Desktop Protocol (RDP) services was detected against a client workstation belonging to Matthew. The attack originated from a Chinese IP address flagged as malicious by multiple threat intelligence sources. The attack resulted in a successful login, necessitating immediate containment measures to prevent further compromise.
**2. Initial Observation & Analysis**
**2.1. Attack Source:**
* **IP Address:** 218.92.0.56
* **Geolocation:** The originating IP address is located in China.
* **Reputation:** VirusTotal and internal threat intelligence tool flagged the IP address as potentially malicious.
![[Pasted image 20250417190009.png]]
**2.2. Attack Vector:**
* **Targeted Service:** RDP (Port 3389)
* **Authentication Method:** Brute Force – 3 pages' worth of failed login attempts were detected against the RDP service.
* The SSH port was not requested.
* Filtering out Matthew's IP address does not change the result output, meaning this was a targeted attack.
**2.3. Victim System:**
* **User:** Matthew
* **Operating System:** Windows 10
* **Hostname:** Matthew
**3. Log Review & Analysis**
**3.1. Event Logs (Key Events):**
![[Pasted image 20250417190710.png]]
![[Pasted image 20250417191442.png]]
* **Event ID 4625 (Login Failure):** Numerous failed login attempts, primarily targeting the user account, were recorded preceding the successful login, consistent with a brute force attack.
* **Event ID 4624 (Successful Login):** A successful RDP login was observed from the source IP address. This event confirms the compromise.
* **Destination Address Filtering:** Analysis revealed that removing the destination address filter did *not* change the event volume. This strongly indicates a targeted attack against Matthew’s workstation.
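The triage logic described above, as an added example that is not part of the original report: a small Python routine walks constructed 4625/4624 records in time order, counts failures per source IP for RDP logons only (LogonType 10), and records whether a successful 4624 from the same source followed once the failure threshold was crossed. The record fields, the threshold of 5, the second username and the timestamps are assumptions made for the sample.

```python
from collections import defaultdict

# Constructed sample records mirroring Windows Security event data (EventID,
# TimeCreated, TargetUserName, IpAddress, LogonType). LogonType 10 is
# RemoteInteractive, i.e. an RDP logon. Times and the second user are assumed.
ATTACKER_IP = "218.92.0.56"
SAMPLE_EVENTS = (
    # eight RDP failures from the flagged IP, cycling through two usernames
    [{"EventID": 4625, "Time": f"2025-03-07T10:00:0{i}",
      "User": ("Matthew", "Administrator")[i % 2],
      "IpAddress": ATTACKER_IP, "LogonType": 10} for i in range(1, 9)]
    # the successful RDP logon that followed (Event ID 4624)
    + [{"EventID": 4624, "Time": "2025-03-07T10:00:09", "User": "Matthew",
        "IpAddress": ATTACKER_IP, "LogonType": 10}]
    # noise: a network (LogonType 3) failure, not RDP, must be ignored
    + [{"EventID": 4625, "Time": "2025-03-07T09:59:00", "User": "Matthew",
        "IpAddress": ATTACKER_IP, "LogonType": 3}]
    # benign: a user mistyping twice from the LAN, then logging in normally
    + [{"EventID": 4625, "Time": f"2025-03-07T08:00:0{i}", "User": "Matthew",
        "IpAddress": "192.168.1.20", "LogonType": 10} for i in range(1, 3)]
    + [{"EventID": 4624, "Time": "2025-03-07T08:00:03", "User": "Matthew",
        "IpAddress": "192.168.1.20", "LogonType": 10}]
)


def detect_rdp_brute_force(events, threshold=5):
    """Group RDP logon events by source IP in time order. An IP with at least
    `threshold` Event ID 4625 failures is reported; if an Event ID 4624 from the
    same IP arrives after the threshold is crossed, it is recorded as the
    compromise indicator the report describes."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success": None})
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["LogonType"] != 10:          # only RDP (RemoteInteractive) logons
            continue
        s = state[ev["IpAddress"]]
        if ev["EventID"] == 4625:
            s["failures"] += 1
            s["users"].add(ev["User"])
        elif (ev["EventID"] == 4624 and s["failures"] >= threshold
              and s["success"] is None):
            s["success"] = {"time": ev["Time"], "user": ev["User"]}
    return {ip: s for ip, s in state.items() if s["failures"] >= threshold}


def classify(alert):
    """'compromise' when brute forcing ended in a successful logon, else 'attempt'."""
    return "compromise" if alert["success"] else "attempt"


if __name__ == "__main__":
    for ip, a in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        print(ip, classify(a), a["failures"], sorted(a["users"]), a["success"])
```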
**4. Containment & Remediation Actions**
* **Immediate Containment:** The affected workstation was immediately isolated from the network to prevent further access.
* In a real environment, the following could also be conducted:
    * **Account Lockout:** [Create a group policy to enforce account lockout after a specified number of failed login attempts](https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-remote-access-client-account-lockout).
    * **Password Reset:** Reset users' passwords on confirmed compromise.
    * **System Scan:** Conduct full system scans using antimalware tools.
    * **System Rebuild:** In extreme cases, reimage the user's computer.
**5. Recommendations**
* **Strengthen RDP Security:**
    * **Multi-Factor Authentication (MFA):** Implement MFA for all RDP users.
    * **Network Level Authentication (NLA):** Enable NLA so that users must authenticate before a remote session is established.
    * **Restrict RDP Access:** Limit RDP access to only authorized users and systems. Consider using a VPN for RDP access.
    * **Disable RDP from the Internet:** Restrict RDP access to verified networks.
* **Regular Patching:** Ensure Windows 10 is kept fully patched with the latest security updates to prevent exploits.
* **Enhanced Monitoring:** Increase monitoring of RDP login attempts, focusing on unusual activity and geolocation.
* **Threat Intelligence Integration:** Continuously update threat intelligence feeds to stay ahead of emerging threats.