Context
At approximately 17:00, Wazuh SIEM triggered multiple authentication failure alerts on WIN-SERVER (192.168.10.102).
A total of 175 Event ID 4625 (failed logon) alerts were generated within less than 60 seconds, all targeting the built-in Administrator account over RDP (TCP port 3389).
The source IP 192.168.10.101 corresponds to a Kali Linux machine on the internal LAN segment managed by pfSense.
The volume of authentication failures strongly suggests an automated brute force tool (confirmed: Hydra was used in this lab simulation).
Investigation Steps
- Identified the alert spike in Wazuh Security Events dashboard — 175 Event ID 4625 in under 60 seconds.
- Confirmed source IP (192.168.10.101) and destination (192.168.10.102 — WIN-SERVER).
- Verified no successful authentication (Event ID 4624) occurred during the attack window.
- Checked RDP port 3389 exposure via Nmap from attacker machine — confirmed open at time of attack.
- Reviewed Windows Firewall rules — RDP was explicitly enabled prior to the attack.
- Confirmed attack tool via lab context (Hydra with rockyou.txt wordlist targeting RDP).
- Disabled RDP and closed SMB port after investigation.
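The triage above boils down to two checks that a SIEM can run automatically: count 4625 events per source IP inside a sliding window, and look for a 4624 from the same source after the burst (the condition that would turn a noisy attempt into a compromise). The script below is an added example written for this page, not code from the lab or from Wazuh's rule engine. The records are constructed to mimic the shape of this case (175 failures from 192.168.10.101 against Administrator in about 50 seconds, plus one benign failure from another host); the field names follow Wazuh's `data.win.system.eventID` / `data.win.eventdata.*` keys, and the threshold of 10 failures per 60 seconds is an assumed tuning value, not the page's.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events(with_success=False):
    """Constructed sample records (not lab data). logonType 10 = RemoteInteractive,
    which is what RDP without NLA produces in 4625/4624 events."""
    base = datetime(2024, 1, 1, 17, 0, 0)
    events = [
        {"timestamp": base + timedelta(milliseconds=285 * i), "eventID": "4625",
         "ipAddress": "192.168.10.101", "targetUserName": "Administrator",
         "logonType": "10"}
        for i in range(175)            # 175 failures spanning roughly 50 s
    ]
    # One benign failed logon from another host: must not trigger the detector.
    events.append({"timestamp": base + timedelta(seconds=10), "eventID": "4625",
                   "ipAddress": "192.168.10.50", "targetUserName": "alice",
                   "logonType": "10"})
    if with_success:                   # the bad outcome: a 4624 after the burst
        events.append({"timestamp": base + timedelta(seconds=55), "eventID": "4624",
                       "ipAddress": "192.168.10.101",
                       "targetUserName": "Administrator", "logonType": "10"})
    return events


def summarize(events):
    """Count 4625 records per (source IP, target account): the first triage view."""
    counts = defaultdict(int)
    for e in events:
        if e["eventID"] == "4625":
            counts[(e["ipAddress"], e["targetUserName"])] += 1
    return dict(counts)


def detect_bruteforce(events, threshold=10, window=timedelta(seconds=60),
                      success_horizon=timedelta(minutes=10)):
    """Flag any source IP with >= threshold 4625s inside a sliding window, and
    flag a 4624 from an already-flagged IP within success_horizon of its last
    failure as a probable compromise. Thresholds are assumed tuning values."""
    events = sorted(events, key=lambda e: e["timestamp"])
    recent = defaultdict(deque)   # src_ip -> timestamps of 4625s inside the window
    targets = defaultdict(set)    # src_ip -> accounts it has failed against
    flagged = {}                  # src_ip -> its open brute_force alert
    alerts = []
    for e in events:
        ip, ts = e["ipAddress"], e["timestamp"]
        if e["eventID"] == "4625":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            targets[ip].add(e["targetUserName"])
            if len(q) >= threshold:
                if ip not in flagged:
                    flagged[ip] = {"type": "brute_force", "src_ip": ip,
                                   "first": q[0], "last": ts, "count": len(q),
                                   "targets": targets[ip]}
                    alerts.append(flagged[ip])
                # keep the open alert current as the burst continues
                flagged[ip].update(last=ts, count=len(q))
        elif e["eventID"] == "4624" and ip in flagged:
            if ts - flagged[ip]["last"] <= success_horizon:
                alerts.append({"type": "success_after_bruteforce", "src_ip": ip,
                               "account": e["targetUserName"], "at": ts})
    return alerts


if __name__ == "__main__":
    print(summarize(make_events()))
    for alert in detect_bruteforce(make_events(with_success=True)):
        print(alert)
```

On the constructed data the detector raises a single `brute_force` alert for 192.168.10.101 whose count grows to 175 with every attempt inside one 60-second window, nothing for the benign host, and a `success_after_bruteforce` alert only in the variant where a 4624 follows the burst. In a real deployment the same two conditions map onto a frequency rule and a follow-on correlation rule; the second one is the alert that should page someone.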
Findings
- 175 failed authentication attempts were recorded in under 60 seconds — a clear indicator of automated brute force.
- All attempts targeted the Administrator account, a high-value default account.
- The attack originated from 192.168.10.101 (Kali Linux) on the internal LAN — same network segment as the target.
- No successful logon was detected during the attack window.
- RDP (port 3389) was reachable from the internal network without additional authentication controls (no NLA enforced).
- Each 4625 matched a Wazuh rule at level 5, a notable event that warrants investigation; it was the burst of 175 such alerts in under 60 seconds, not any single alert, that made the activity stand out.
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Credential Access | Brute Force: Password Guessing | T1110.001 |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 |
Note: T1190 (Exploit Public-Facing Application) does not apply here. Password guessing is not exploitation of a vulnerability, and RDP on WIN-SERVER was reachable only from the internal LAN segment, not from the public Internet.
IOCs (Indicators of Compromise)
| Type | Indicator | Notes |
|---|---|---|
| IP | 192.168.10.101 | Source of brute force attack (Kali Linux) |
| IP | 192.168.10.102 | Target machine (WIN-SERVER) |
| Port | 3389/TCP | RDP — targeted service |
| Account | Administrator | Targeted account |
| Event ID | 4625 | Windows failed logon event |
| Tool | Hydra | Brute force tool identified (lab context) |
| Wordlist | rockyou.txt | Password list used in attack |
Timeline
| Time | Event |
|---|---|
| 16:55 | RDP enabled on WIN-SERVER for the lab simulation |
| 17:00 | Hydra brute force attack launched from 192.168.10.101 |
| 17:00 | Wazuh begins recording Event ID 4625 alerts |
| 17:01 | 175 failed authentication attempts recorded in under 60 seconds |
| 17:01 | Attack stopped (Ctrl+C) — no successful logon |
| 17:05 | Investigation started in Wazuh Security Events |
| 17:10 | Source IP and attack pattern confirmed |
| 17:15 | RDP disabled, SMB port closed, containment complete |
| 17:20 | Case documented |
Outcome
The brute force attack was detected by Wazuh from the burst of Event ID 4625 alerts it raised against WIN-SERVER.
No credentials were compromised: no Event ID 4624 from the source IP was recorded during or after the attack window. RDP access was disabled immediately after investigation.
The attack highlights the risk of exposing RDP, even on internal network segments, without additional controls.
Lessons Learned
- RDP should never be exposed without Network Level Authentication (NLA) — enforce NLA as a baseline control. NLA keeps unauthenticated clients off the Windows logon screen, but it does not by itself stop credential guessing, so it must be paired with the controls below and with source restriction (firewall allow-list or VPN/jump host) rather than flat reachability from the whole LAN.
- Account lockout policies should be configured on Windows Server to automatically block accounts after N failed attempts (recommended: 5 attempts, 30-minute lockout). Caveat: the built-in Administrator account is exempt from lockout unless the "Allow Administrator account lockout" policy (added in the October 2022 Windows updates) is enabled, so verify that setting rather than assuming the lockout policy covers it.
- The built-in Administrator account should be renamed or disabled for remote logon, and a dedicated, non-default account used for RDP, so that a brute force tool cannot rely on a known high-value username.