Explanation of analyzing RDP logs on ELK. Logs including: winlog, zeek.

hy-qqqqq/rdp_log_analysis


Log analysis: Exposed RDP with weak password

Project for the Network Security lecture.
See NS_final_project.md for the detailed explanation.

RDP exposed

Vulnerabilities

  • weak credentials
    • the attacker may brute-force the weak credentials and gain access to the victim machine. As a result, we expect to see a burst of failed-login messages in the logs.
  • unrestricted port access
    • well-known ports are reachable, such as RDP (3389), SMB (445) and mDNS (5353)
    • the attacker may port-scan the host to find the open ports.
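The failed-login burst described above is the signal the detection method looks for. The following is an added example (not code from this repository) that scans winlogbeat-style Security events for a run of failed RDP logons from one address and flags whether a successful logon followed. It assumes a simplified ECS-like event layout (winlog.event_id, winlog.event_data.LogonType/IpAddress/TargetUserName) and uses constructed sample events with documentation-range IP addresses.

```python
"""Detect an RDP brute-force followed by a successful logon in winlogbeat-style
Security events. Added example; field layout is an assumption, sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = 10   # RemoteInteractive logon type (RDP / Terminal Services)


def _ev(ts, event_id, src_ip, user):
    # Constructed event in a simplified winlogbeat/ECS-like layout (assumed field names)
    return {"@timestamp": ts, "winlog": {"event_id": event_id, "event_data": {
        "LogonType": str(RDP_LOGON_TYPE), "IpAddress": src_ip, "TargetUserName": user}}}


# Constructed sample: six failed RDP logons from one address within a minute,
# then a success from the same address; one unrelated failure from another host.
SAMPLE_EVENTS = (
    [_ev(f"2024-03-01T10:00:{i * 10:02d}Z", FAILED_LOGON, "203.0.113.10", "administrator")
     for i in range(6)]
    + [_ev("2024-03-01T10:01:30Z", SUCCESS_LOGON, "203.0.113.10", "administrator"),
       _ev("2024-03-01T10:00:05Z", FAILED_LOGON, "192.0.2.5", "alice")]
)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that produced `threshold` RDP logon failures
    inside `window`; mark it compromised if a later RDP success came from that IP."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        d = e["winlog"]["event_data"]
        if d.get("LogonType") != str(RDP_LOGON_TYPE):
            continue  # only RDP logons are of interest in this scenario
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        by_src[d["IpAddress"]].append((ts, e["winlog"]["event_id"], d["TargetUserName"]))
    findings = []
    for src, evs in by_src.items():
        fails = [t for t, eid, _ in evs if eid == FAILED_LOGON]
        # sliding window over the sorted failure times: first run of `threshold` inside `window`
        burst_end = next((fails[i + threshold - 1] for i in range(len(fails) - threshold + 1)
                          if fails[i + threshold - 1] - fails[i] <= window), None)
        if burst_end is None:
            continue
        success = next(((t, u) for t, eid, u in evs if eid == SUCCESS_LOGON and t >= burst_end), None)
        findings.append({"source_ip": src, "failed_logons": len(fails),
                         "first_failure": fails[0].isoformat(),
                         "compromised": success is not None,
                         "success_user": success[1] if success else None})
    return findings
```

Feeding real winlogbeat output requires mapping its actual field names onto the ones assumed here.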

Techniques used in this scenario

  • Port-scanning
  • RDP brute-forcing
  • Ransomware execution

Content

  • IoC and the method to discover this attack
  • Timestamps of each technique used
  • Detection method

Others

ELK

  • Elasticsearch (port 9200): database
  • Logstash (port 5044): filter
  • Kibana (port 5601): visualization tool

Beats

  • winlogbeat with Sysmon: Security log and other Windows application event logs
  • zeek: network traffic logs
