Full Report
Jordan Drysdale // Summary! There are tons of security event management (SIEM) solutions available these days, but this blog will focus on Microsoft Sentinel. Sentinel is easy to deploy, logs […] The post Geopolitical Cyber-Detection Lures for Attribution with Microsoft Sentinel appeared first on Black Hills Information Security, Inc..
Analysis Summary
# Tool/Technique: RDP/SSH Brute-Force Enumeration via SIEM Analysis
## Overview
This summary details a technique focused on using **Microsoft Sentinel** and **Log Analytics (LA)** to actively monitor and attribute high-volume brute-force attacks targeting publicly exposed **Remote Desktop Protocol (RDP)** and **Secure Shell (SSH)** services in real-time. The goal is to generate local threat intelligence by parsing authentication event logs (Windows Event ID 4624/4625 and Linux Syslog "Failed Password") and correlating source IP addresses, often revealing geopolitical patterns in the attacks.
## Technical Details
- Type: Technique (Log Analysis/Threat Hunting)
- Platform: Windows (for RDP via EID 4624/4625) and Linux (for SSH via Syslog/authpriv facility)
- Capabilities: Real-time tracking of authentication failures, source IP identification, GeoIP correlation, and threat attribution based on traffic origin.
- First Seen: Information references work stemming from Applied Purple Teaming in 2022.
## MITRE ATT&CK Mapping
This technique primarily focuses on detection and analysis of initial access and brute-force attempts.
- **TA0001 - Initial Access**
- **T1133 - External Remote Services** (Applicable to RDP and SSH exposure)
- **TA0003 - Persistence** (If successful logins occur, though the focus is enumeration)
- **T1078.003 - Valid Accounts: Local Accounts** (Authentication attempts target local accounts)
- **TA0008 - Lateral Movement** (Related if successful access leads to internal movement)
- **T1021 - Remote Services** (RDP: T1021.001; SSH: T1021.004)
## Functionality
### Core Capabilities
- **RDP Monitoring:** Parsing Windows Security Event IDs 4624 (Logon Success) and 4625 (Logon Failure) to track failed login attempts against RDP exposure.
- **SSH Monitoring:** Parsing Linux `authpriv` and `auth` Syslog facilities for messages containing "Failed password" attributed to specific users and source IPs.
- **Rapid Threat Readout:** Providing an instant, real-time summary of threats faced by internet-exposed assets.
### Advanced Features
- **Custom Threat Intelligence Generation:** Creating proprietary threat intelligence based on observed attack sources, which the article suggests may be more timely or relevant than commercial feeds.
- **Geopolitical Attribution:** Observing distinct geographic patterns: RDP attacks primarily sourced from Russian IP blocks, and SSH attacks primarily sourced from Southeast Asian IP blocks.
- **Query Templates:** Utilizing specific Kusto Query Language (KQL) queries ("Pierce’s RDP attribution query" and "Pierce’s SSH attribution query") within Sentinel for streamlined analysis.
## Indicators of Compromise
The technical details focus on *behaviors* derived from logs rather than statically famous malware indicators.
- File Hashes: N/A (Focus is on network/log analysis)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: High volume of connection attempts from specific source IPs targeting TCP ports 3389 (RDP) or 22 (SSH). **Note:** Specific hostile IPs are intended to be identified and blocked by users running the queries, not listed here.
- Behavioral Indicators: Event IDs 4625 occurring at high frequency, repeated "Failed password for user from IP" entries in SSH logs.
## Associated Threat Actors
- **Script Kiddies/Automated Botnets:** Uncaring adversaries who script mass attacks against exposed services.
- **Geographically Specific Actors:** The reports suggest correlation between attack origin and service type (e.g., Russian blocks targeting RDP, Southeast Asian blocks targeting SSH).
## Detection Methods
Detection is achieved through proactive logging and querying within the SIEM platform.
- **Signature-based detection:** Not the primary focus, though specific IP blocks can be signatured for blocking.
- **Behavioral detection:** Analyzing high frequency of EID 4625 or "Failed Password" messages, indicating brute-force.
- **YARA rules if available:** N/A
## Mitigation Strategies
The primary mitigation strategy discussed is *detection and blocking* based on the gathered intelligence.
- **Log Collection:** Ensuring VMs have the Log Analytics agent installed and correctly configured to ingest:
- Windows Security Events (EIDs 4624, 4625).
- Linux Syslogs, specifically adding the `authpriv` and `auth` facilities in the LA workspace agent configuration.
- **Blocking:** Advising organizations to *block all traffic* originating from the identified networks participating in the aggressive brute-force campaigns discovered via the query results.
- **General Hardening:** The context heavily implies that exposing RDP and SSH to the public internet is inherently risky, implicitly suggesting limiting exposure.
## Related Tools/Techniques
- **Microsoft Sentinel:** The SIEM platform used for log aggregation and query execution (KQL).
- **Log Analytics (LA) Workspace:** The underlying data store.
- **GeoIP Mapping:** The practice of comparing source IPs against a GeoIP database to perform attribution.
- **General Brute-Force Attacks (T1110):** The underlying activity being monitored.