Samuel Adeduntan
#DAY 7: From Data to Detection

Querying Windows Events and Hunting for Brute Force Attacks

Introduction
Day seven focused on turning raw event data into actionable detections. I used Splunk to query Windows Event Logs for authentication trends, then wrote detection logic to look for brute force attacks. The exercise reinforced the value of data-driven security investigations: structured queries and targeted research can reveal threats that would otherwise stay hidden.

Objective
Query Windows Event Logs to identify and investigate potential brute force attacks by analyzing patterns of failed logon attempts and account lockouts, then use Splunk's search language to build a brute force detection and a dashboard for monitoring Windows security events.

The Use Case: Detecting Brute Force Attacks

Detecting brute force attacks involves monitoring Windows Event Logs for patterns of repeated failed logon attempts, often followed by account lockouts. By analyzing Event IDs such as 4625 (failed logon) and 4740 (account lockout), organizations can identify malicious activity, trace the source IP, and take proactive measures to mitigate the threat.

Understanding the Adversary's Playbook

What is a Brute Force Attack? An automated process that attempts numerous username/password combinations to gain unauthorized access to a system.

Why is it a Critical Alert? It is a common, high-volume attack that often precedes a significant security breach. Early detection is crucial.

Where to Look? The Windows Security Event Log is the primary source of truth for authentication events on a Windows system.

Query
This step involves searching the event logs in Splunk and interpreting the results. In Splunk Enterprise, open the Search & Reporting app.

screenshot1

Building the Detection Search

From Basic Filtering to Advanced Analytics
A simple filter isn't enough. We need to find patterns of failure.
The Advanced Brute Force Detection Search:

```spl
sourcetype="WinEventLog:Security" EventCode=4625
| bin _time span=5m
| stats count by _time, user, src_ip
| where count > 5
| sort - count
```

Breaking Down the SPL
sourcetype="WinEventLog:Security" EventCode=4625: Finds all failed logins. (The sourcetype name has no space after the colon; "WinEventLog: Security" would match nothing.)

| bin _time span=5m: Rounds each event's timestamp down to the start of its 5-minute window. Without this step, stats would group by exact timestamp and almost never count more than one failure per row, so the threshold below would never trigger.

| stats count by _time, user, src_ip: Groups the failures to count how many occurred per user, from each source IP, in each window.

| where count > 5: Filters to only show activity where failures exceed a threshold (here, more than 5 in one 5-minute window).

| sort - count: Ranks the results with the most aggressive attacks at the top.

Use Case: Brute Force Attack
In the security logs, a brute force attempt shows up as a run of authentication attempts. To investigate, here is the search I ran to filter through the whole log set:

screenshot2

To Understand the Event ID of a Brute Force Attack
Windows logs every action as an "Event" with a unique Event ID.

For authentication, remember these key IDs:
    • Event ID 4624: A successful logon. (A "good" event)
    • Event ID 4625: A failed logon attempt. (The "smoking gun" for a brute force attack)

Your First Search: Find all failed logins.

```spl
sourcetype="WinEventLog:Security" EventCode=4625
```

  1. Event ID 4625:
    • Indicates a failed logon attempt.
    • Look for repeated occurrences from the same source IP or account.
  2. Event ID 4740:
    • Signals an account lockout after multiple failed logon attempts.
    • Correlate with Event ID 4625 to identify brute force attack patterns.

By analyzing these Event IDs, you can detect and investigate brute force attacks effectively.

screenshot3

Security Event log command
screenshot4

How to create an alert
Once this search is saved as an alert, Splunk runs it on a schedule. Whenever it returns results that match the brute force pattern, it raises an alert.

screenshot5

From Search to Alert: Automating Your Detection
Why Create an Alert? So you don't have to run this search manually forever. The SOC needs to be notified automatically.

How to Create the Alert:
  1. Save your validated search: click Save As > Alert.
  2. Set it to run every 5 minutes (for a lab) or every 1 minute (for a production SOC).
  3. Trigger Conditions: Choose "Number of Results" and set it to > 0.
  4. Trigger Actions: Configure it to send an email or add a notable event to Splunk ES.

screenshot6

Brute force alert
screenshot7

Brute force alert details
screenshot8

Simulating the Attack: Testing Your Detection
How to Test: Simulate an attack against your Windows Server from a Linux VM on another machine.

A Common Tool: Use Hydra on Linux to simulate a brute force attack against a service like RDP or SSH on the Windows server.

Example Command: hydra -L userlist.txt -P passlist.txt rdp://

Why This is Vital: This proves your detection works in a controlled environment before you need it in a real one.

Simulation of brute-force attack
I ran a brute force attack from my Linux system against the Windows server, targeting Active Directory, by executing this command on the Linux system.

screenshot9

Event Logs of a Brute Force Attack on Splunk

  1. Ingest Windows Event Logs:
    • Configure the Universal Forwarder to collect logs from the Windows Security log.
  2. Search for Relevant Event IDs:
    • Use the following query to search for brute force attack indicators (the parentheses matter: in SPL, AND binds tighter than OR, so without them the 4740 clause would search every index):

```spl
index=windows (EventCode=4625 OR EventCode=4740)
```

    • Event Code 4625 indicates failed logon attempts.
    • Event Code 4740 indicates account lockouts.
  3. Filter and Analyze:
    • Filter results by source IP, account name, and time to identify patterns of brute force attacks.
  4. Create Alerts:
    • Set up alerts to notify when multiple failed logon attempts or account lockouts occur within a short time frame.

This approach helps detect and investigate brute force attacks using Splunk.
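The detection search from "Building the Detection Search" (bin failed logons into 5-minute windows, count per user and source IP, keep counts above 5) and the 4625-to-4740 correlation described in the steps above, expressed as a stand-alone script so the logic can be checked offline against known input. This is an added example, not code from the post or from Splunk. The sample events are constructed, and their one-line key=value layout is a simplification of the real multi-line WinEventLog:Security records; the raw field names Account_Name and Source_Network_Address are the ones Splunk's Windows add-on exposes as the `user` and `src_ip` fields the SPL uses. The 5-minute window and the threshold of 5 mirror the search; pairing a lockout with any burst that started within the two preceding windows is my own assumption.

```python
"""Brute force detection over Windows Security events, mirroring the SPL
search  EventCode=4625 | bin _time span=5m | stats count by _time, user, src_ip
| where count > 5 | sort - count  and the 4625 -> 4740 correlation step.
Added example; not the post's or Splunk's own code."""
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Constructed sample log (simplified one-line form of WinEventLog:Security).
# jsmith from 10.0.0.5 fails 7 times inside the 10:00-10:04 window, once more
# in the 10:05 window, and is then locked out (4740). admin fails only 3 times.
# Real 4740 events carry a caller computer name rather than an IP, hence "-".
SAMPLE_LOG = """\
2024-05-01T10:00:05 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:00:35 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:01:00 EventCode=4625 Account_Name=admin Source_Network_Address=10.0.0.9
2024-05-01T10:01:10 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:01:40 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:02:00 EventCode=4625 Account_Name=admin Source_Network_Address=10.0.0.9
2024-05-01T10:02:15 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:02:30 EventCode=4624 Account_Name=alice Source_Network_Address=10.0.0.7
2024-05-01T10:03:00 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:03:00 EventCode=4625 Account_Name=admin Source_Network_Address=10.0.0.9
2024-05-01T10:04:50 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:05:10 EventCode=4625 Account_Name=jsmith Source_Network_Address=10.0.0.5
2024-05-01T10:05:20 EventCode=4740 Account_Name=jsmith Source_Network_Address=-
"""

Event = namedtuple("Event", "ts code user src_ip")
Burst = namedtuple("Burst", "bucket user src_ip count")
Lockout = namedtuple("Lockout", "ts user src_ip failures")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) "
    r"Source_Network_Address=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn the constructed log lines into Event records; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), int(m["code"]),
                            m["user"], m["src"]))
    return events


def time_bucket(ts, span_minutes):
    """Equivalent of `bin _time span=<N>m`: floor the timestamp to its window start."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % span_minutes)


def detect_bursts(events, span_minutes=5, threshold=5):
    """stats count by _time, user, src_ip | where count > threshold | sort - count."""
    counts = Counter(
        (time_bucket(e.ts, span_minutes), e.user, e.src_ip)
        for e in events if e.code == 4625
    )
    bursts = [Burst(b, u, s, n) for (b, u, s), n in counts.items() if n > threshold]
    return sorted(bursts, key=lambda b: b.count, reverse=True)


def correlate_lockouts(events, bursts, span_minutes=5):
    """Pair each 4740 lockout with a failed-logon burst for the same account
    whose window started within the two windows before the lockout (assumption)."""
    lookback = timedelta(minutes=2 * span_minutes)
    hits = []
    for e in events:
        if e.code != 4740:
            continue
        for b in bursts:
            if b.user == e.user and timedelta(0) <= e.ts - b.bucket <= lookback:
                hits.append(Lockout(e.ts, e.user, b.src_ip, b.count))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bursts = detect_bursts(evs)
    for b in bursts:
        print(f"{b.bucket:%H:%M} window: {b.user} from {b.src_ip}, {b.count} failures")
    for lk in correlate_lockouts(evs, bursts):
        print(f"{lk.ts:%H:%M:%S} lockout of {lk.user} after {lk.failures} failures from {lk.src_ip}")
```

Running it reports one burst (jsmith from 10.0.0.5, 7 failures in the 10:00 window) and one correlated lockout. The single failure at 10:05:10 lands in the next window and admin's three failures stay under the threshold, which is exactly the grouping the SPL produces once `bin _time` is in place.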

screenshot10

Linux Bruteforce attack
screenshot11

Creating the SOC's View
Goal: Give a security analyst a real-time view of authentication activity.
  1. Run your search: sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)
  2. Click Save As > Dashboard Panel.
  3. Choose to create a New Dashboard.
  4. Select a Visualization type. A Column Chart showing count by EventCode or a Table showing top users by count are excellent choices.

Result: You now have a single pane of glass for watching login behavior.

Visualizing the Threat: Building a Dashboard
Run your search: sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)

screenshot12

  1. Click Save As > Dashboard Panel.
  2. Save the panel to the New Dashboard and choose your style of dashboard view.
  3. Choose to create a New Dashboard.

screenshot13

Overview of my brute force attack alert dashboard

screenshot14

Day 7 Reflection: The Pinnacle of SOC Work
Goals Achieved:
    • Understood the critical Windows Event IDs for security.
    • Developed a sophisticated SPL search to identify and detect an attack pattern.
    • Automated the detection by creating an alert.
    • Tested the alert by simulating an attack.
    • Built a dashboard for visualization.

Day 7 represents the core function of a SOC Analyst: turning raw data into actionable security intelligence and moving from passive observation to active hunting and automated detection.
