RDP_BRUTEFORCE (Incident Response Challenge) - Blue Team Labs Online
Hello World! Today I am doing a writeup for a challenge from BTLO. We will analyze Windows logs to identify an RDP brute-force attack, learn about event IDs and how Windows logs are structured, perform some OSINT to identify where the attack is coming from, and finally explore how to manipulate text to get the results we want with utilities like sort, sed and grep.
We start by downloading the zip file containing the logs.
We are given three files; they all contain the same content, just in different formats.
The original log file has the .evtx extension because Windows stores its logs in a binary format for faster, more efficient processing, unlike the plaintext syslog format used on Unix systems.
Q1 How many Audit Failure events are there?
An Audit Failure is recorded when a logon attempt to the computer was made and failed. Windows records its events with event IDs, and a failed logon has event ID 4625. Since the log file is very large, we can simply grep for the number of lines carrying this event ID.
That gives us a count of 3104, but for some reason this was an incorrect answer, so I tried grepping for the failed logon message instead and got a count of 3103, which is the correct answer. Still, it is generally better to work in terms of event IDs.
Answer: 3103
Q2 What is the username of the local account that is being targeted?
This one is simple because we can see the username directly in the log.
Answer: administrator
Q3 What is the failure reason related to the Audit Failure logs?
Again, we can see the reason in the log file.
Answer: Unknown user name or bad password
Q4 What is the Windows Event ID associated with these logon failures?
I have already mentioned the event ID associated with this kind of attack.
Answer: 4625
Q5 What is the source IP conducting this attack?
We can see the source IP and port in the Network Information section of the recorded event.
Answer: 113.161.192.227
Q6 What country is this IP address associated with?
We can perform an IP lookup from the CLI using whois.
VN stands for Vietnam.
Answer: Vietnam
Q7 What is the range of source ports that were used by the attacker to make these login requests? (LowestPort-HighestPort — Ex: 100–541)
We first grep all the lines containing port numbers.
Since we have so many ports and have to find the lowest and highest, we need only the port numbers and must remove the rest of the text and the whitespace.
This removes the text "Source Port:".
We still need to tidy the file, because there are tabs/spaces before the port numbers on each line.
This removes all the spaces.
We can use the sort utility to sort the ports.
Answer: 49162–65534
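The whole Q1 and Q7 extraction as one POSIX shell script, added here as an example that is not part of the original writeup; it runs over a constructed three-event text export whose addresses and ports are made up. It also adds a check the writeup's one-liner skips: gating the "Source Port:" lines on event ID 4625, so a successful logon sitting in the same export does not widen the reported range.

```shell
# Constructed sample (not from the challenge): a text export of three
# Security-log events in the layout the writeup greps through.
# Addresses and ports are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG="$(cat <<'EOF'
Event ID: 4625
An account failed to log on.
Failure Reason:   Unknown user name or bad password.
Account Name:     administrator
Source Network Address:   203.0.113.7
Source Port:      49162
Event ID: 4625
An account failed to log on.
Failure Reason:   Unknown user name or bad password.
Account Name:     administrator
Source Network Address:   203.0.113.7
Source Port:      65534
Event ID: 4624
An account was successfully logged on.
Account Name:     administrator
Source Network Address:   198.51.100.9
Source Port:      49000
EOF
)"

# Q1-style count: one "Event ID: 4625" line per failed logon.
count_failures() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c '^Event ID: 4625$'
}

# The writeup's pipeline: grep the port lines, sed away the label, strip
# leading tabs/spaces, sort numerically. It takes ports from every event,
# so the successful 4624 logon's port 49000 ends up in the list too.
ports_naive() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Source Port:' \
        | sed 's/Source Port://' | tr -d ' \t' | sort -n
}

# Same extraction restricted to 4625 events: awk remembers whether the
# current event block is a failure and only emits its Source Port.
failed_ports() {
    printf '%s\n' "$SAMPLE_LOG" \
        | awk '/^Event ID:/ {fail = ($3 == "4625")}
               fail && /^Source Port:/ {print $NF}' | sort -n
}

# Lowest-highest, the Q7 answer format, from a sorted port list on stdin.
port_range() {
    awk 'NR == 1 {low = $1} {high = $1} END {print low "-" high}'
}
```

Run `failed_ports | port_range` for the gated range and `ports_naive | port_range` to see how the 4624 event pulls the low end down to 49000.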