LetsDefend Academy

Online practicing and training platform for blue team members

Detecting Brute Force

In this section, we will catch an attacker who is in the lateral movement phase and is trying to pivot to another machine by brute-forcing RDP credentials.

Download log file: Log_File.zip Pass=321

When an RDP login attempt fails, Windows generates the "Event ID 4625 - An account failed to log on" log. By following this event, we can track down the attacker.

After filtering, we see 4 logs with Event ID 4625.

Looking at the timestamps, we see that the logs were generated one right after another. Looking at the details, all of them were created for the "LetsDefendTest" user.

As a result, we understand that the attacker made 4 unsuccessful login attempts. To find out whether the attack succeeded, we can search for the 4624 (successful logon) logs we saw in the previous section.

As the results show, a 4624 log appears right after the 4625 logs: the attacker succeeded in connecting to the system.
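The same 4625-then-4624 pattern can be detected automatically. The following is an added example, not code from LetsDefend or from the lab's log file: it groups RDP logon events by account and source address, counts failures inside a time window, and flags the account as compromised when a 4624 follows the burst. The event records are constructed for the example and assume fields named after the Windows Security log (TimeCreated, EventID, TargetUserName, IpAddress, LogonType); the thresholds are assumptions you would tune for your environment.

```python
from datetime import datetime, timedelta

# Constructed sample events, not taken from the lab's Log_File.zip: four 4625
# failures followed by a 4624 success for the same account and source address,
# plus unrelated events that must not trigger a finding.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-01-01 10:00:01", "EventID": 4624, "TargetUserName": "admin", "IpAddress": "10.0.0.2", "LogonType": 2},
    {"TimeCreated": "2022-01-01 10:05:10", "EventID": 4625, "TargetUserName": "LetsDefendTest", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"TimeCreated": "2022-01-01 10:05:12", "EventID": 4625, "TargetUserName": "LetsDefendTest", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"TimeCreated": "2022-01-01 10:05:14", "EventID": 4625, "TargetUserName": "LetsDefendTest", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"TimeCreated": "2022-01-01 10:05:16", "EventID": 4625, "TargetUserName": "LetsDefendTest", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"TimeCreated": "2022-01-01 10:05:20", "EventID": 4624, "TargetUserName": "LetsDefendTest", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"TimeCreated": "2022-01-01 11:00:00", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 10},
]

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP / Terminal Services)


def detect_rdp_brute_force(events, min_failures=3, window=timedelta(minutes=5)):
    """Group RDP logon events by (account, source IP) and report brute-force patterns.

    Returns a dict keyed by (user, ip) with the number of 4625 failures seen inside
    the window and whether a 4624 success followed them (i.e. the attack worked).
    """
    events = sorted(events, key=lambda e: e["TimeCreated"])  # ISO timestamps sort lexically
    failures = {}   # (user, ip) -> timestamps of failures still inside the window
    findings = {}
    for e in events:
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue  # only RDP logons are of interest here
        key = (e["TargetUserName"], e["IpAddress"])
        ts = datetime.strptime(e["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        recent = [t for t in failures.get(key, []) if ts - t <= window]
        if e["EventID"] == 4625:
            recent.append(ts)
            if len(recent) >= min_failures:
                findings[key] = {"failed_attempts": len(recent), "succeeded": False}
        elif e["EventID"] == 4624 and len(recent) >= min_failures:
            # A success right after a burst of failures: the brute force likely worked.
            findings[key] = {"failed_attempts": len(recent), "succeeded": True}
            recent = []  # reset so a later burst is counted on its own
        failures[key] = recent
    return findings


if __name__ == "__main__":
    for (user, ip), f in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"{user} from {ip}: {f['failed_attempts']} failures, success={f['succeeded']}")
```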