Windows Brute-Force Login Attack Analysis

One day I needed to reach my home desktop remotely from the office. Before leaving home I enabled Remote Desktop on it (a Windows 10 machine) and noted its public IP address, so that I could log in over Remote Desktop Services. Along the way I got curious about how secure the desktop really was while it was open to the Internet.

Extract Failed Logon Events (ID 4625)

First I extracted the Security log events with ID 4625 (An account failed to log on) using the following PowerShell. Run it from an elevated prompt: reading the Security log requires administrator rights or membership in the Event Log Readers group.

# Pull every 4625 (failed logon) from the Security log and keep the fields
# needed for the timeline: time, account name tried, logon type, source IP.
# Property indices follow the 4625 event schema: 5 = TargetUserName,
# 10 = LogonType, 19 = IpAddress.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625 } |
ForEach-Object {
  [PSCustomObject]@{
    # HH (24-hour clock) rather than hh, otherwise 13:00 and 01:00 collide in the graph
    TimeCreated = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
    User        = $_.Properties[5].Value
    LogonType   = $_.Properties[10].Value
    SourceIP    = $_.Properties[19].Value
  }
} | Export-Csv -Path C:\Work\EventLogs-4625.csv -NoTypeInformation

Given the raw data (a timestamp and source IP address for every attempt), we can plot the timeline graph below. As the graph shows, the attempts peaked at about 350 per hour.

[Screenshot taken 2019-08-21: timeline of failed logon attempts (event 4625) per hour]

I realized that threat actors are working hard to find any exposed system. You can also download the raw data: EventLogs-4625
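The following PowerShell is an added example, not code from the original post. It turns an export in the format the script above writes into the per-hour counts behind the timeline graph, then adds the two summaries a responder wants next: which source IPs are doing the work and which account names they are guessing. The CSV rows are constructed sample data; for the real export replace `$rows` with `Import-Csv -Path C:\Work\EventLogs-4625.csv`. The function names Get-AttemptsPerHour and Get-TopValues are mine.

```powershell
# Added example (not from the original post): summarise a 4625 export into
# attempts per hour, top source IPs and most-tried account names.
# $csv is constructed sample data in the layout the Export-Csv script writes.
$csv = @'
"TimeCreated","User","LogonType","SourceIP"
"2019-08-20 22:15:03","ADMINISTRATOR","3","198.51.100.7"
"2019-08-20 22:15:04","ADMINISTRATOR","3","198.51.100.7"
"2019-08-20 22:15:06","admin","3","198.51.100.7"
"2019-08-20 23:02:41","ADMIN","3","203.0.113.42"
"2019-08-20 23:03:12","administrator","3","203.0.113.42"
"2019-08-20 23:03:13","user","3","203.0.113.42"
"2019-08-20 23:59:59","ADMINISTRATOR","3","203.0.113.42"
"2019-08-21 00:10:30","test","3","192.0.2.9"
'@
$rows = $csv | ConvertFrom-Csv
# Real data: $rows = Import-Csv -Path C:\Work\EventLogs-4625.csv

function Get-AttemptsPerHour {
    param([object[]]$Rows)
    # Truncate each timestamp to the hour and count the attempts in it.
    $Rows |
        Group-Object { ([datetime]$_.TimeCreated).ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count
}

function Get-TopValues {
    param([object[]]$Rows, [string]$Property, [int]$Top = 10)
    # Case-insensitive grouping so ADMIN, admin and Administrator count together.
    $Rows |
        Group-Object { ([string]$_.$Property).ToLowerInvariant() } |
        Sort-Object Count -Descending |
        Select-Object Name, Count -First $Top
}

$perHour = Get-AttemptsPerHour -Rows $rows
$peak    = $perHour | Sort-Object Count -Descending | Select-Object -First 1

"Attempts per hour:";        $perHour | Format-Table -AutoSize
"Peak hour: $($peak.Hour) with $($peak.Count) attempts"
"Top source IPs:";           Get-TopValues -Rows $rows -Property SourceIP | Format-Table -AutoSize
"Most-tried account names:"; Get-TopValues -Rows $rows -Property User     | Format-Table -AutoSize
```

The per-hour table is what a charting tool needs as input; the account-name list is worth keeping too, because a real account name appearing in it means the attacker has already done some reconnaissance rather than running a generic wordlist.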

Extract Successful Logon Events (ID 4624)

To check whether anyone unknown actually logged in to my system, we look at event ID 4624 (An account was successfully logged on). Here is a sample PowerShell script for extracting it. With Network Level Authentication enabled, an RDP logon shows up first as logon type 3 (Network) for the credential check and then as type 10 (RemoteInteractive) for the desktop session; logon type 7 is a local workstation unlock and says nothing about remote access.

# $args is a PowerShell automatic variable, so use a name of our own for the filter.
$filter = @{
  LogName   = 'Security'
  Id        = 4624
  StartTime = (Get-Date).AddHours(-24)
  EndTime   = Get-Date
}

# Property indices follow the 4624 event schema, which differs from 4625:
# 5 = TargetUserName, 8 = LogonType, 9 = LogonProcessName, 11 = WorkstationName,
# 16 = ProcessId, 17 = ProcessName, 18 = IpAddress, 19 = IpPort.
# Logon types kept: 10 = RemoteInteractive (an RDP desktop session) and
# 3 = Network (the NLA credential check that precedes it). Type 7 is a local unlock.
Get-WinEvent -FilterHashtable $filter | ForEach-Object {
  [PSCustomObject]@{
    TimeCreated     = $_.TimeCreated
    User            = $_.Properties[5].Value
    LogonType       = $_.Properties[8].Value
    LogonProcess    = $_.Properties[9].Value
    WorkstationName = $_.Properties[11].Value
    ProcessId       = $_.Properties[16].Value
    ProcessName     = $_.Properties[17].Value
    SourceIP        = $_.Properties[18].Value
    SourcePort      = $_.Properties[19].Value
  }
} | Where-Object { $_.LogonType -in 3,10 } | Format-Table -AutoSize
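The two extracts become useful when combined: a successful 4624 from a source address that had just produced a burst of 4625 failures is the signature of a brute force that worked. The following is an added example of that correlation, not code from the original post. The rows are constructed sample objects carrying the same field names the two scripts above emit; the function name Find-BruteForceSuccess, the helper New-LogonRow, the failure threshold and the time window are all my choices.

```powershell
# Added example (not from the original post): flag successful remote logons
# preceded by a burst of failed logons from the same source IP.
# New-LogonRow only builds constructed sample rows with the field names the
# 4625/4624 scripts above produce; in practice pass those scripts' output.
function New-LogonRow ($Time, $User, $Type, $IP) {
    [PSCustomObject]@{ TimeCreated = [datetime]$Time; User = $User; LogonType = $Type; SourceIP = $IP }
}

$failed = @(                                                     # 4625 rows (constructed)
    New-LogonRow '2019-08-20 22:15:03' 'ADMINISTRATOR' 3 '198.51.100.7'
    New-LogonRow '2019-08-20 23:02:41' 'ADMIN'         3 '203.0.113.42'
    New-LogonRow '2019-08-20 23:03:12' 'administrator' 3 '203.0.113.42'
    New-LogonRow '2019-08-20 23:03:13' 'user'          3 '203.0.113.42'
)
$success = @(                                                    # 4624 rows (constructed)
    New-LogonRow '2019-08-20 23:04:20' 'administrator' 10 '203.0.113.42'  # brute force that got in
    New-LogonRow '2019-08-21 08:00:00' 'me'            10 '192.0.2.55'    # the owner's own session from the office
    New-LogonRow '2019-08-21 08:00:01' 'me'             7 '-'             # local unlock, not a remote logon
)

function Find-BruteForceSuccess {
    param(
        [object[]]$Failed,
        [object[]]$Success,
        [int]$Threshold = 5,                               # failures needed to call it a burst
        [timespan]$Window = [timespan]::FromMinutes(60)    # look-back before the success
    )
    # Index the failures by source IP once so each success is a cheap lookup.
    $byIP = $Failed | Group-Object SourceIP -AsHashTable -AsString

    # Only remote logons matter here: 10 = RemoteInteractive, 3 = Network (NLA).
    foreach ($s in ($Success | Where-Object { $_.LogonType -in 3,10 })) {
        if (-not $byIP.ContainsKey($s.SourceIP)) { continue }
        $prior = @($byIP[$s.SourceIP] | Where-Object {
            $_.TimeCreated -le $s.TimeCreated -and $_.TimeCreated -ge ($s.TimeCreated - $Window)
        })
        if ($prior.Count -ge $Threshold) {
            [PSCustomObject]@{
                SuccessAt     = $s.TimeCreated
                User          = $s.User
                SourceIP      = $s.SourceIP
                FailuresPrior = $prior.Count
                AccountsTried = ($prior.User | Sort-Object -Unique) -join ','
            }
        }
    }
}

# With the sample rows this reports the 23:04:20 logon from 203.0.113.42
# (3 failures in the preceding hour) and stays silent on the owner's session.
Find-BruteForceSuccess -Failed $failed -Success $success -Threshold 3 | Format-Table -AutoSize
```

Tune the threshold to the host: a workstation exposed to the Internet sees hundreds of failures per hour from scanners, so a low threshold is fine, while on a busy jump host the same rule would need a higher threshold or a per-account variant to avoid noise.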

 

Windows Version

Windows 10 has two version identifiers:
1. Release version, e.g. 1803 (the feature-update name; build 17134 is release 1803)
2. Build version, e.g. 10.0.17134 (major.minor.build, with a separate revision number)

How to check the version

1. In the registry

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
"CurrentMajorVersionNumber"=(REG_DWORD)0x0a
"CurrentMinorVersionNumber"=(REG_DWORD)0x00
"CurrentBuildNumber"=(REG_SZ)17134
---
"CurrentBuild"=(REG_SZ)17134
"CurrentVersion"=(REG_SZ)6.3

The values above the line are the ones to trust: major 10, minor 0, build 17134. The release version is stored in ReleaseId under the same key, and the revision (the fourth part of the build, updated by cumulative updates) in UBR. The values below the line are legacy: CurrentVersion still reads 6.3 on Windows 10 for application-compatibility reasons and must not be used to identify the OS, and CurrentBuild merely duplicates CurrentBuildNumber.

2. With a command

C:> systeminfo
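An added PowerShell example (not from the original post) that reads the registry key above and assembles the full version string in one place, so the release and build versions are not confused with the legacy CurrentVersion value. The value names are the real ones under that key; the function name Get-WindowsBuildInfo is mine.

```powershell
# Added example (not from the original post): read the version fields from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and assemble them.
# Get-WindowsBuildInfo is a name chosen for this example; the registry
# value names are the real ones under that key.
function Get-WindowsBuildInfo {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $v   = Get-ItemProperty -Path $key

    [PSCustomObject]@{
        ProductName    = $v.ProductName
        # Release version: ReleaseId (1803 for build 17134). From 20H2 onwards
        # ReleaseId is frozen at 2009 and DisplayVersion carries the name
        # (20H2, 21H2, ...); DisplayVersion is $null on older builds.
        ReleaseId      = $v.ReleaseId
        DisplayVersion = $v.DisplayVersion
        # Build version: major.minor.build.revision. UBR is the cumulative-update
        # revision that CurrentBuild alone does not show.
        Build          = '{0}.{1}.{2}.{3}' -f $v.CurrentMajorVersionNumber,
                                              $v.CurrentMinorVersionNumber,
                                              $v.CurrentBuild, $v.UBR
        # CurrentVersion still reads 6.3 on Windows 10; it is a compatibility
        # leftover and must not be used to identify the OS.
        LegacyVersion  = $v.CurrentVersion
    }
}

Get-WindowsBuildInfo | Format-List
```

The Build field is the one to record in an incident timeline, since the revision tells you which cumulative update the machine was on, and therefore which patched vulnerabilities were still open at the time.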

Linux Initial Sweep

While responding to an incident, keep a list of indicators: IP addresses, domain names, file names and paths, and so on. The list drives the initial sweep: grep every collected log for every indicator, so that evidence is not missed simply because nobody thought to look for it.

$ grep -E -f ../IOCs/knownbad.txt ./*.log > ../result.txt
$ cat ../IOCs/knownbad.txt
\bws0\.txt
markup%5D=
[TRIMMED]

The pattern file holds one extended regular expression per line (\b is a GNU grep extension), so escape dots and other metacharacters in literal indicators, and make sure the file contains no empty line: an empty pattern matches every line of every log and the result file becomes a copy of the input.

Must-Have Analysis Tools

Here is the initial set of programs I install when I build an OS image for incident analysis and response. Almost all are freeware with a GUI, although I like the CLI as well.

  • 7z – Compressor
  • IDA Pro Freeware – Static reverse engineering
  • OllyDbg – Dynamic reverse engineering (debugger)
  • WinDbg
  • PE
    • PEStudio – PE analyzer
    • BinText – Strings
    • HxD – Hex editor
    • VirusTotal Desktop
  • Digital Forensics
    • FTK Imager, OSFMount
    • Volatility
    • Windows Event Viewer / Splunk
  • Windows Artifacts – http://live.sysinternals.com
    • autoruns.exe
    • procexp.exe
    • Procmon.exe
  • VirtualBox / VMware Workstation
  • Development
    • Python, Anaconda, Jupyter
    • TortoiseSVN, SourceTree for Git, WinMerge
  • Office Tools
    • PicPick – Screen capture
    • Google Docs / Microsoft Office
    • Notepad++