RDP_BRUTEFORCE (Incident Response Challenge) - Blue Team Labs Online

CyberJunnkie
4 min read · Apr 4, 2022

Hello World! Today I am doing a writeup for a challenge from BTLO. We will analyze Windows logs to identify RDP brute-force attacks, learn about event IDs and how Windows logs are structured, perform some OSINT to identify where we are being attacked from, and finally explore how to manipulate text to get the results we want using utilities like sort, sed and grep.

We start by downloading the zip file containing the logs.

We are given three files; they all contain the same content, just in different formats.

The original log file has the .evtx extension because Windows stores its logs in a binary format for faster and more efficient processing, unlike the plaintext syslog format used on Unix systems.

Q1 How many Audit Failure events are there?

audit logs

An Audit Failure is recorded when a logon attempt to the computer was made and failed. Windows records its events with event IDs; a failed logon has event ID 4625. Since we have a very large log file, we can simply grep for the number of failed-logon event IDs.

It gives us 3104 matches, but for some reason this was the incorrect answer, so I tried grepping for the failed logon attempt message instead and got a count of 3103, which is the correct answer. But it is better to deal in terms of event IDs.

Answer : 3103

Q2 What is the username of the local account that is being targeted?

This one is simple because we can see the username in the log.

Answer : administrator

Q3 What is the failure reason related to the Audit Failure logs?

Again, we can see the reason in the log file.

Answer : Unknown user name or bad password

Q4 What is the Windows Event ID associated with these logon failures?

I have already mentioned the event ID associated with this kind of attack.

Answer : 4625

Q5 What is the source IP conducting this attack?

We can see the source IP and port in the Network Information section of the recorded event.

Answer : 113.161.192.227

Q6 What country is this IP address associated with?

We can perform an IP lookup from the CLI using whois.

VN stands for Vietnam.

Answer : Vietnam

Q7 What is the range of source ports that were used by the attacker to make these login requests? (LowestPort-HighestPort — Ex: 100–541)

We first grep all the lines containing port numbers.

Since we have so many ports and have to find the lowest and highest one, we only need the port numbers, so we have to remove the rest of the text and the blank spaces.

This removes the text “Source Port:”.

Now we still need to tune our file, because we have tabs/spaces before the port numbers on each line.

spaces removed

This will remove all the spaces.

We can use the sort utility to sort the ports.

Answer : 49162–65534
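The whole pipeline from Q1 and Q7 in one script, as an added example that is not part of the original writeup. It runs against a small constructed excerpt (the tab-separated layout and the 4624 success event are assumed for the sample), and also shows one way a bare grep for the event ID can over-count compared to grepping the failed-logon message.

```sh
#!/bin/sh
# Added example (not code from the original writeup). Reproduces the grep/sed/sort
# steps on a small constructed excerpt of a plain-text Security log export; the
# tab-separated layout and the event text below are assumed for the sample.
SAMPLE="$(mktemp)"
{
  printf 'Audit Failure\t4625\tAn account failed to log on.\n'
  printf '\tAccount Name:\t\tadministrator\n'
  printf '\tFailure Reason:\t\tUnknown user name or bad password.\n'
  printf '\tSource Network Address:\t113.161.192.227\n'
  printf '\tSource Port:\t\t49162\n'
  printf 'Audit Failure\t4625\tAn account failed to log on.\n'
  printf '\tSource Network Address:\t113.161.192.227\n'
  printf '\tSource Port:\t\t54625\n'
  printf 'Audit Success\t4624\tAn account was successfully logged on.\n'
  printf '\tAccount Name:\t\tSYSTEM\n'
  printf '\tSource Port:\t\t-\n'
  printf 'Audit Failure\t4625\tAn account failed to log on.\n'
  printf '\tSource Network Address:\t113.161.192.227\n'
  printf '\tSource Port:\t\t65534\n'
} > "$SAMPLE"

# Naive count: every line containing the digits 4625, which here also matches
# the constructed source port 54625 and so over-counts by one.
count_id_substring() { grep -c '4625' "$1"; }

# Count on the event message instead, as the writeup ended up doing.
count_failed_logons() { grep -c 'An account failed to log on' "$1"; }

# Or keep using the event ID, but match it as a whole tab-delimited field.
count_id_field() { awk -F '\t' '$2 == "4625" { n++ } END { print n + 0 }' "$1"; }

# Port range: drop the label, strip tabs/spaces, keep only numeric values
# (local logons export "-" as the port), sort numerically, take first and last.
port_range() {
  grep 'Source Port:' "$1" |
    sed 's/Source Port://' |
    tr -d ' \t' |
    grep -E '^[0-9]+$' |
    sort -n |
    awk 'NR == 1 { lo = $1 } { hi = $1 } END { print lo "-" hi }'
}

echo "grep 4625 lines:     $(count_id_substring "$SAMPLE")"
echo "failed logon events: $(count_failed_logons "$SAMPLE")"
echo "id as field:         $(count_id_field "$SAMPLE")"
echo "source port range:   $(port_range "$SAMPLE")"
```

Note the `sort -n`: the challenge's ports are all five digits, so a plain lexical sort happens to work there, but on a log with ports below 10000 only a numeric sort gives the right lowest and highest values.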

CyberJunnkie

Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻