Possible external RDP Brute-Force

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Identity Analytics

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Guessing (T1110.001)

Severity

Low

Description

Multiple failed remote logins originated from an external IP, followed by at least one successful login from the same source.
This may indicate a successful brute-force attack.

Attacker's Goals

The attacker attempts to gain access to the accounts.

Investigative actions

  • If the source IP is an internal IP, adjust the network IP ranges so it is classified correctly.
  • Identify the user performing RDP and check that the user is authorized.
  • Check whether this IP has a malicious reputation.
  • Reset the user's password.
  • Follow further actions done by the user.

Variations

Potential External Brute-Force via RDP on Sensitive User

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Guessing (T1110.001)

Severity

Medium

Description

Multiple failed remote logins from an external IP with a sensitive user and at least one successful login.
This may indicate a successful brute-force attack.

Attacker's Goals

The attacker attempts to gain access to the accounts.

Investigative actions

  • If the source IP is an internal IP, adjust the network IP ranges so it is classified correctly.
  • Identify the user performing RDP and check that the user is authorized.
  • Check whether this IP has a malicious reputation.
  • Reset the user's password.
  • Follow further actions done by the user.
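The base alert and the sensitive-user variation describe the same pattern: a burst of failed RDP logons from an external source, then at least one success. The script below is an added example written for this page, not Cortex XDR's own detection code, that implements that logic over constructed Windows Security logon events (4625 failures, 4624 successes, logon type 10 for RDP). The failure threshold, the 10-minute window, the log line format, the sensitive-user list and the internal range list are all assumptions chosen for the illustration; the page does not publish Cortex's internal parameters. Passing an extra internal range to `run_sample` shows what the "adjust network IP ranges" investigative action does to the result.

```python
"""Added example (not Cortex XDR code): the detection logic the alert describes,
run over constructed Windows Security logon events. Thresholds, the log line
format, the sensitive-user list and the internal ranges are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

FAILURE_THRESHOLD = 5              # assumed; the page does not publish Cortex's threshold
WINDOW = timedelta(minutes=10)     # assumed, aligned with the page's 10-minute test period
SENSITIVE_USERS = {"administrator", "svc_backup"}   # assumed list for the sensitive-user variation
# Ranges treated as internal; "adjust network IP ranges" means extending this list.
DEFAULT_INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "127.0.0.0/8", "169.254.0.0/16"]

@dataclass
class LogonEvent:
    ts: datetime
    event_id: int    # Windows Security: 4625 = failed logon, 4624 = successful logon
    logon_type: int  # 10 = RemoteInteractive (RDP)
    src_ip: str
    user: str

def parse_line(line: str) -> LogonEvent:
    """Parse the constructed format '<iso-timestamp> <event_id> <logon_type> <src_ip> <user>'."""
    ts, eid, ltype, ip, user = line.split()
    return LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), ip, user.lower())

def is_external(ip: str, internal_ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(r) for r in internal_ranges)

def detect(events, internal_ranges=DEFAULT_INTERNAL):
    """Return one finding per external IP that had >= FAILURE_THRESHOLD failed RDP
    logons within WINDOW before a successful RDP logon."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.logon_type == 10 and is_external(e.src_ip, internal_ranges):
            by_ip[e.src_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if ev.event_id != 4624:
                continue
            failures = [p for p in evs[:i] if p.event_id == 4625 and ev.ts - p.ts <= WINDOW]
            if len(failures) >= FAILURE_THRESHOLD:
                findings.append({
                    "src_ip": ip, "user": ev.user, "failures": len(failures),
                    # the sensitive-user variation raises severity from Low to Medium
                    "severity": "Medium" if ev.user in SENSITIVE_USERS else "Low",
                })
                break   # one finding per IP, mirroring the alert's 1-day deduplication
    return findings

# --- constructed sample events (RFC 5737 documentation addresses stand in for public IPs) ---
T0 = datetime(2024, 6, 18, 9, 0, 0)

def _line(offset_s, event_id, logon_type, ip, user):
    return f"{(T0 + timedelta(seconds=offset_s)).isoformat()} {event_id} {logon_type} {ip} {user}"

SAMPLE_LINES = (
    [_line(i * 10, 4625, 10, "203.0.113.7", "jsmith") for i in range(5)]           # 5 failures ...
    + [_line(60, 4624, 10, "203.0.113.7", "jsmith")]                                 # ... then success -> Low
    + [_line(120 + i * 10, 4625, 10, "198.51.100.9", "Administrator") for i in range(6)]
    + [_line(210, 4624, 10, "198.51.100.9", "Administrator")]                        # sensitive user -> Medium
    + [_line(300 + i * 10, 4625, 10, "10.0.0.5", "bob") for i in range(6)]
    + [_line(370, 4624, 10, "10.0.0.5", "bob")]                                      # internal source -> ignored
    + [_line(400 + i * 10, 4625, 10, "192.0.2.44", "alice") for i in range(3)]
    + [_line(440, 4624, 10, "192.0.2.44", "alice")]                                  # below threshold -> no alert
    + [_line(500, 4625, 3, "203.0.113.7", "jsmith")]                                 # network logon, not RDP -> ignored
)

def run_sample(internal_ranges=DEFAULT_INTERNAL):
    return detect([parse_line(l) for l in SAMPLE_LINES], internal_ranges)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The internal range list is deliberately explicit rather than relying on `ipaddress.is_private`, because that property also treats the RFC 5737 documentation ranges used in the sample as private; in production the list would hold the organization's actual address space, which is exactly what the "adjust network IP ranges" action maintains.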