security analyst security skill risk: medium
RDP Brute Force Event Log Analyzer
The prompt provides steps to detect RDP brute force attacks by exporting Windows Security Event Logs, parsing Event IDs 4625 and 4624 with python-evtx, identifying attack patterns…
SKILL 4 files · 2 folders
SKILL.md
--- name: detecting-rdp-brute-force-attacks description: "Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event" --- # Detecting RDP Brute Force Attacks ## Overview RDP brute force attacks target Windows Remote Desktop Protocol services by attempting rapid credential guessing against exposed RDP endpoints. Detection relies on analyzing Windows Security Event Logs for Event ID 4625 (failed logon with Logon Type 10 or 3) and correlating with Event ID 4624 (successful logon) to identify compromised accounts. This skill covers parsing EVTX files with python-evtx, identifying attack patterns through source IP frequency analysis, detecting NLA bypass attempts, and generating actionable detection reports. ## When to Use - When investigating security incidents that require detecting rdp brute force attacks - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `python-evtx`, `lxml` libraries - Windows Security EVTX log files (exported from Event Viewer or collected via WEF) - Understanding of Windows authentication Event IDs (4624, 4625, 4776) - Familiarity with RDP Logon Types (Type 3 for NLA, Type 10 for RemoteInteractive) ## Steps ### Step 1: Export Security Event Logs Export Windows Security logs to EVTX format using Event Viewer or wevtutil: ``` wevtutil epl Security C:\logs\security.evtx ``` ### Step 2: Parse Failed Logon Events Use python-evtx to parse Event ID 4625 entries, extracting source IP, target username, failure reason (Sub Status), and Logon Type fields. ### Step 3: Analyze Attack Patterns Identify brute force patterns by: - Counting failed logons per source IP within time windows - Detecting username spray attacks (many usernames from one IP) - Correlating 4625 failures with subsequent 4624 success from same IP ### Step 4: Generate Detection Report Produce a JSON report with top attacking IPs, targeted accounts, time-based analysis, and compromise indicators. ## Expected Output JSON report containing: - Total failed logon events and unique source IPs - Top attacking IPs ranked by failure count - Targeted usernames and failure sub-status codes - Successful logons following brute force attempts (potential compromises) - Time-series analysis of attack intensity
REQUIRED CONTEXT
- Windows Security EVTX log files
- python-evtx and lxml libraries
EXPECTED OUTPUT
- Format
- json
- Schema
- json_schema · Total failed logon events and unique source IPs, Top attacking IPs ranked by failure count, Targeted usernames and failure sub-status codes, Successful logons following brute force attempts (potential compromises), Time-series analysis of attack intensity
- Constraints
- include total failed logon events and unique source IPs
- rank top attacking IPs by failure count
- list targeted usernames and failure sub-status codes
- identify successful logons following brute force attempts
- provide time-series analysis of attack intensity
SUCCESS CRITERIA
- Detect RDP brute force attacks
- Identify attack patterns through source IP frequency analysis
- Generate actionable detection reports
CAVEATS
- Dependencies
- Python 3.9+ with python-evtx, lxml libraries
- Windows Security EVTX log files
- Understanding of Windows authentication Event IDs (4624, 4625, 4776)
- Familiarity with RDP Logon Types (Type 3 for NLA, Type 10 for RemoteInteractive)
- Ambiguities
- Description field cuts off mid-sentence: "for failed authentication patterns (Event"
QUALITY
- OVERALL
- 0.72
- CLARITY
- 0.80
- SPECIFICITY
- 0.75
- REUSABILITY
- 0.65
- COMPLETENESS
- 0.70
IMPROVEMENT SUGGESTIONS
- Add explicit placeholders (e.g., {{evtx_path}}, {{time_window}}) to increase reusability as a template.
- Specify exact JSON schema or example structure for the Expected Output report.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR SECURITY ANALYST
- Ransomware Network Indicators Analyzersecurity analystsecurity
- APT TTP Mapping with MITRE Navigatorsecurity analystsecurity
- Linux Persistence Mechanisms Analyzersecurity analystsecurity
- Azure AD Lateral Movement KQL Detectorsecurity analystsecurity
- Kerberos Golden Ticket Forgery Detectorsecurity analystsecurity
- LOLBAS Abuse Detection with Sigma Rulessecurity analystsecurity
- Shadow IT Cloud Usage Detectorsecurity analystsecurity
- Registry Run Key Persistence Detection Guidesecurity analystsecurity
- Detect Risky OAuth Consent Grants in Entra IDsecurity analystsecurity
- Windows Service Installation Threat Huntersecurity analystsecurity
- Web Server Log Intrusion Analyzersecurity analystsecurity
- Rekall Memory Forensics Artifact Extractorsecurity analystsecurity
- Azure Activity Logs Threat Analyzersecurity analystsecurity
- Scapy Network Packet Analysis Guidesecurity analystsecurity
- TLS Certificate Transparency Log Analyzersecurity analystsecurity
- Cobalt Strike Malleable C2 Profile Analyzersecurity analystsecurity
- Email Account Compromise Detection Proceduressecurity analystsecurity
- Credential Stuffing Auth Log Analyzersecurity analystsecurity
- MISP Threat Intelligence Sharing with PyMISPsecurity analystsecurity
- MISP Threat Landscape Analysis Guidesecurity analystsecurity
- Malicious Scheduled Task Sysmon Detectorsecurity analystsecurity
- Kerberos Pass-the-Ticket Attack Detectorsecurity analystsecurity
- NTLM Relay Attack Event Log Analyzersecurity analystsecurity
- Linux Memory Forensics with LiME and Volatilitysecurity analystsecurity
- Insider Data Exfiltration DLP Analyzersecurity analystsecurity