updating detection

detections/network/remote_desktop_network_bruteforce.yml

@@ -1,44 +1,47 @@
 name: Remote Desktop Network Bruteforce
 id: a98727cc-286b-4ff2-b898-41df64695923
-version: 5
-date: '2024-10-16'
-author: Jose Hernandez, Splunk
-status: experimental
+version: 6  
+date: '2025-01-10'
+author: Jose Hernandez, Bhavin Patel, Splunk
+status: production
 type: TTP
-description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects anomalies by filtering source and destination pairs that generate traffic exceeding twice the standard deviation of the average traffic. This method leverages the Network_Traffic data model to identify unusual patterns indicative of brute force attempts. This activity is significant as it may indicate an attacker attempting to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise.
-data_source: []
+description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 successful connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
+data_source:
+- Sysmon EventID 3
 search: >-
-  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port 
-  | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 
-  | where count>(avg + stdev*2) 
-  | rename All_Traffic.src AS src All_Traffic.dest AS dest 
-  | table firstTime lastTime src dest count avg p50 stdev 
+  | tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port All_Traffic.user All_Traffic.vendor_product 
+  | `drop_dm_object_name("All_Traffic")` 
+  | eval duration=lastTime-firstTime 
+  | where count > 10 AND duration < 3600 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
   | `remote_desktop_network_bruteforce_filter`
-how_to_implement: You must ensure that your network traffic data is populating the
-  Network_Traffic data model.
-known_false_positives: RDP gateways may have unusually high amounts of traffic from
-  all other hosts' RDP applications in the network.
-references: []
+how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. Adjust the count and duration thresholds as necessary to tune the sensitivity of your detection.
+known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.Any legitimate RDP traffic using wrong/expired credentials will be also detected as a false positive.
+references:
+- https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack
+- https://www.reliaquest.com/blog/rdp-brute-force-attacks/
 tags:
   analytic_story:
   - SamSam Ransomware
   - Ryuk Ransomware
+  - Compromised User Account
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: $dest$ may be the target of an RDP Bruteforce
+  message: $dest$ may be the target of an RDP Bruteforce from $src$
   mitre_attack_id:
-  - T1021.001
-  - T1021
+  - T1110.001
+  - T1110
   observable:
   - name: dest
     type: Hostname
     role:
     - Victim
   - name: src
-    type: Hostname
+    type: IP Address
     role:
-    - Victim
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -51,3 +54,9 @@ tags:
   - All_Traffic.dest_port
   risk_score: 25
   security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog