Lets Defend

Resources

  • Blog
  • MITRE ATT&CK Map
  • Dictionary
  • Use Cases

Community

  • Discord
  • Contribute

Roles

  • SOC Analyst
  • Incident Responder
  • Detection Engineer
  • DFIR
  • Cloud Security Engineer
  • Information Security Specialist

Support

  • Contact us
  • Help Center
  • Forum
  • Walkthroughs
  • Tour

Social

All Rights Reserved ©2025 | Privacy Policy | Terms of Service

Score: 54%
Playbook Success Rate: 45%
Investigation Time: 9 Minutes
SOC Alert Details

Severity: Medium
Date: Mar 07, 2024, 11:44 AM
Rule Name: SOC176 - RDP Brute Force Detected
Event ID: 234
Type: Brute Force
Level: Security Analyst
Source IP Address: 218.92.0.56
Destination IP Address: 172.16.17.148
Destination Hostname: Matthew
Protocol: RDP
Firewall Action: Allowed
Alert Trigger Reason: Login failure from a single source with different non-existing accounts
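The trigger reason above is the detection logic behind SOC176: one source IP failing logons against many accounts that do not exist. The Python below is an added example, not LetsDefend's rule and not code from this page. It runs that logic over a constructed Windows Security log (event IDs 4625 and 4624, SubStatus 0xC0000064 for "user name does not exist", and logon type 10 for RDP are real Windows values; the timestamps, account names and the benign 172.16.17.20 entry are assumptions made for the sample) and also checks for what matters for the isolation decision, a successful RDP logon from the same source after the failures.

```python
"""Minimal SOC176-style detector over a constructed Windows Security log.

Real Windows values: 4625 (logon failed), 4624 (logon succeeded),
SubStatus 0xC0000064 (user name does not exist), LogonType 10 (RDP).
Everything in SAMPLE_EVENTS is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
STATUS_NO_SUCH_USER = "0xC0000064"   # 4625 SubStatus: account does not exist
RDP_LOGON_TYPE = "10"                # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample (assumption, not real telemetry):
# (timestamp, event_id, logon_type, target_account, source_ip, sub_status)
SAMPLE_EVENTS = [
    ("2024-03-07 11:44:01", 4625, "10", "admin1",     "218.92.0.56",  "0xC0000064"),
    ("2024-03-07 11:44:03", 4625, "10", "backup",     "218.92.0.56",  "0xC0000064"),
    ("2024-03-07 11:44:05", 4625, "10", "test",       "218.92.0.56",  "0xC0000064"),
    ("2024-03-07 11:44:07", 4625, "10", "scanner",    "218.92.0.56",  "0xC0000064"),
    ("2024-03-07 11:44:09", 4625, "10", "sqlsvc",     "218.92.0.56",  "0xC0000064"),
    ("2024-03-07 11:44:11", 4625, "10", "guest1",     "218.92.0.56",  "0xC0000064"),
    # The success that turns this from noise into an incident.
    ("2024-03-07 11:45:02", 4624, "10", "letsdefend", "218.92.0.56",  "0x0"),
    # Benign noise: an internal user mistyping their own password (0xC000006A).
    ("2024-03-07 11:44:30", 4625, "10", "alice",      "172.16.17.20", "0xC000006A"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources that failed RDP logons against
    at least `threshold` distinct non-existent accounts inside `window`.

    Each finding records the accounts tried and any later successful RDP
    logon from the same source, which is the signal for host isolation.
    """
    failures = defaultdict(list)    # ip -> [(time, account)] for "no such user"
    successes = defaultdict(list)   # ip -> [(time, account)] for 4624 type 10
    for ts, eid, ltype, account, ip, sub in events:
        if ltype != RDP_LOGON_TYPE:
            continue
        if eid == EVENT_LOGON_FAILED and sub == STATUS_NO_SUCH_USER:
            failures[ip].append((parse_ts(ts), account))
        elif eid == EVENT_LOGON_SUCCESS:
            successes[ip].append((parse_ts(ts), account))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        # Slide a window over the failures; alert on the first window that
        # holds `threshold` distinct non-existent accounts.
        for i, (start, _) in enumerate(fails):
            accounts = {a for t, a in fails[i:] if t - start <= window}
            if len(accounts) < threshold:
                continue
            later = sorted((t, a) for t, a in successes.get(ip, []) if t >= start)
            findings[ip] = {
                "first_failure": start,
                "distinct_nonexistent_accounts": len(accounts),
                "accounts": sorted(accounts),
                "successful_logon_after": later,
                "recommend_isolation": bool(later),
            }
            break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The password-mistype entry from 172.16.17.20 is deliberately not counted: its SubStatus is 0xC000006A (bad password for an existing account), so a rule keyed on 0xC0000064 ignores it, which is what keeps this detection from firing on every locked-out employee. The `successful_logon_after` field is the check to run before answering the "Should the device be isolated?" playbook step.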
Playbook Answers

Question: Should the device be isolated?
User answer: Yes

Question: Log Management
User answer: Yes

Question: Determine the Scope
User answer: No

Question: Traffic Analysis
User answer: No
Correct Answer: Yes

Question: IP Reputation Check
User answer: Yes

Question: Enrichment & Context
User answer: External
Playbook Note
On March 7, 2024, at 11:44 AM, our SIEM detected a brute force attack on RDP, flagged under rule SOC176. The source IP 218[.]92.0.56, identified as originating from China, made multiple login attempts using various non-existing accounts against host "Matthew" (IP: 172[.]16.17.148). Following a successful login, the attacker executed several commands (launching cmd.exe, running "whoami", checking user accounts with "net user letsdefend", listing local administrators, and running "netstat -ano") at 11:45:18 to probe the system. Swift containment actions were taken, and Matthew's workstation has been isolated to prevent any further compromise.
Extracted Artifacts

Value         | Comment               | Type
218[.]92.0.56 | Malicious IP          | IP Address
China         | Malicious IP Location | E-mail Domain
Alert Answers
Question: Is this alert True Positive or False Positive?
User answer:
Alert Note
On March 7, 2024, at 11:44 AM, our SIEM detected a brute force attack on RDP, flagged under rule SOC176. The source IP 218[.]92.0.56, identified as originating from China, made multiple login attempts using various non-existing accounts against host "Matthew" (IP: 172[.]16.17.148). Following a successful login, the attacker executed several commands (launching cmd.exe, running "whoami", checking user accounts with "net user letsdefend", listing local administrators, and running "netstat -ano") at 11:45:18 to probe the system. Swift containment actions were taken, and Matthew's workstation has been isolated to prevent any further compromise.