This project demonstrates the detection and investigation of a Remote Desktop Protocol (RDP) brute force attack within a SOC-style monitoring environment.
The lab simulates an attacker attempting repeated authentication attempts against a Windows Server system over RDP while security logs are centrally collected and analyzed using Splunk SIEM.
The objective of the project was to identify brute force behavior, generate alerts, analyze attack patterns, and demonstrate incident detection and response workflows commonly performed by Security Operations Center (SOC) analysts.
- Detect brute force authentication attempts targeting RDP services
- Monitor failed Windows authentication events
- Generate SIEM alerts for suspicious login activity
- Investigate attacker behavior through log analysis
- Demonstrate SOC investigation and response workflows
```
Kali Linux Attacker (192.168.2.5)
              │
              ▼
       pfSense Firewall
              │
              ▼
Windows Server Target (192.168.1.1)
              │
              ▼
         Splunk SIEM
```
| Category | Details |
|---|---|
| Project Type | Security Monitoring & Incident Detection |
| Security Focus | RDP Brute Force Detection |
| MITRE ATT&CK | T1110 – Brute Force |
| SIEM Platform | Splunk |
| Firewall | pfSense |
| Target Protocol | Remote Desktop Protocol (RDP) |
| Target Port | 3389 |

| Component | Details |
|---|---|
| Operating System | Kali Linux |
| IP Address | 192.168.2.5 |
| Network Zone | OPT1 (External) |

| Component | Details |
|---|---|
| Operating System | Windows Server |
| IP Address | 192.168.1.1 |
| Exposed Service | RDP |
| Port | 3389 |
| Network Zone | LAN (Internal) |
The attack simulation followed the steps below:
- Network reconnaissance was performed using Nmap
- RDP service exposure was identified on the target server
- Hydra was used to perform brute force authentication attempts
- Multiple failed login events were generated against the Administrator account
- Authentication logs were ingested into Splunk for analysis
Detection was performed using Splunk SIEM and Windows authentication logs.
The monitoring strategy focused on:
- High volumes of failed authentication attempts
- Repeated login failures from a single source IP
- Authentication attempts targeting privileged accounts
- RDP-related login activity
```spl
index=main EventCode=4625
| stats count by src_ip, user
| where count >= 5
```
This query identifies:
- Failed Windows authentication attempts
- Multiple authentication failures from the same source
- Potential brute force behavior against targeted accounts
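The same detection logic, written out in Python so it can be run offline against a few constructed Windows Security 4625 events (this is an added example, not code from the lab write-up). It reproduces the page's `stats count by src_ip, user | where count >= 5` query exactly, and goes one step further with a sliding 5-minute window (the equivalent of binning `_time` in SPL) so that a slow trickle of failures spread over hours is not confused with a burst. The log line layout, the `192.168.1.50` / `192.168.1.77` hosts and the `jdoe` / `svc_backup` accounts are constructed sample data; only `192.168.2.5` and `Administrator` come from the lab.

```python
"""Python rendering of the lab's Splunk brute-force detection (added example).

Mirrors:  index=main EventCode=4625 | stats count by src_ip, user | where count >= 5
Adds:     a sliding time window, the equivalent of bucketing _time in SPL.
Field names (src_ip, user, Logon_Type) follow the Splunk Windows add-on; the
line format and all hosts other than 192.168.2.5 are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: the attacker burst from the lab (6 failures in a
# few seconds), a user mistyping a password twice (benign), and a service
# account failing once every 30 minutes (benign, but 5 failures in total).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventCode=4625 src_ip=192.168.2.5 user=Administrator Logon_Type=10
2024-05-01T10:00:02Z EventCode=4625 src_ip=192.168.2.5 user=Administrator Logon_Type=10
2024-05-01T10:00:02Z EventCode=4625 src_ip=192.168.2.5 user=Administrator Logon_Type=10
2024-05-01T10:00:03Z EventCode=4625 src_ip=192.168.2.5 user=Administrator Logon_Type=10
2024-05-01T10:00:04Z EventCode=4625 src_ip=192.168.2.5 user=Administrator Logon_Type=10
2024-05-01T10:00:05Z EventCode=4625 src_ip=192.168.2.5 user=Administrator Logon_Type=10
2024-05-01T09:12:10Z EventCode=4625 src_ip=192.168.1.50 user=jdoe Logon_Type=10
2024-05-01T09:12:30Z EventCode=4625 src_ip=192.168.1.50 user=jdoe Logon_Type=10
2024-05-01T08:00:00Z EventCode=4625 src_ip=192.168.1.77 user=svc_backup Logon_Type=3
2024-05-01T08:30:00Z EventCode=4625 src_ip=192.168.1.77 user=svc_backup Logon_Type=3
2024-05-01T09:00:00Z EventCode=4625 src_ip=192.168.1.77 user=svc_backup Logon_Type=3
2024-05-01T09:30:00Z EventCode=4625 src_ip=192.168.1.77 user=svc_backup Logon_Type=3
2024-05-01T10:00:00Z EventCode=4625 src_ip=192.168.1.77 user=svc_backup Logon_Type=3
"""


def parse_events(log_text):
    """Turn the simplified 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def failed_logons_by_src_user(events):
    """Equivalent of: EventCode=4625 | stats count by src_ip, user."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventCode") == "4625":
            counts[(ev["src_ip"], ev["user"])] += 1
    return dict(counts)


def plain_threshold_alerts(events, threshold=5):
    """The page's rule as written: where count >= threshold."""
    return {k: c for k, c in failed_logons_by_src_user(events).items()
            if c >= threshold}


def windowed_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Stricter variant: alert only if `threshold` failures for one
    (src_ip, user) pair fall inside some `window`-long interval.
    Returns the peak in-window count per flagged pair."""
    times = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == "4625":
            times[(ev["src_ip"], ev["user"])].append(ev["_time"])
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        left, peak = 0, 0
        for right, t in enumerate(ts):          # two-pointer sliding window
            while t - ts[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("plain count >= 5 :", plain_threshold_alerts(evs))
    print("5-minute window  :", windowed_alerts(evs))
```

Run as-is, the plain rule flags both `192.168.2.5`/`Administrator` (6) and the slow `svc_backup` trickle (5), while the windowed rule flags only the attacker burst; tuning the threshold and window against normal failure rates is what keeps the alert actionable. One caveat when applying this to real 4625 events: interactive RDP failures are logged with Logon Type 10, but on hosts with Network Level Authentication enabled the failed pre-authentication typically appears as Logon Type 3, so a rule that filters on type 10 alone can miss an RDP brute-force attempt.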
The activity matched brute force attack behavior due to:
- Repeated failed authentication attempts
- Consistent source IP activity
- Continuous targeting of RDP services
- Multiple attempts against the same account
- Authentication threshold violations
The investigation confirmed suspicious authentication behavior consistent with MITRE ATT&CK technique T1110.
- Unauthorized remote access to systems
- Credential compromise risk
- Potential exposure of sensitive information
- Possible system configuration modification
- Deployment of malicious payloads
- Persistence establishment
- Operational disruption
- Potential downtime of remote services
The following remediation actions were identified:
- Block malicious source IP addresses
- Restrict external RDP exposure
- Enforce strong password policies
- Reset compromised credentials
- Enable account lockout protections
- Monitor failed authentication events continuously
- Validate system integrity after incident response
- SIEM Monitoring
- Threat Detection
- Log Analysis
- Security Event Correlation
- Incident Investigation
- SOC Operations
- Windows Event Analysis
- Splunk Query Development
- Firewall Traffic Analysis
- MITRE ATT&CK Mapping
- Mitre-attack-matrix overview
- Firewall Logs
- Exposed RDP services significantly increase attack surface
- Failed authentication monitoring is critical for early detection
- SIEM correlation rules improve detection efficiency
- Strong password policies reduce brute force success rates
- Centralized logging enhances visibility and investigation capability