EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Windows Remote Desktop Network Bruteforce Attempt

The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.

MITRE ATT&CK

T1110.001

Detection Query

| tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime values(Al_Traffic.src_port) as src_port FROM datamodel=Network_Traffic
  WHERE (
        All_Traffic.app=rdp
        OR
        All_Traffic.dest_port=3389
    )
  BY All_Traffic.action All_Traffic.app All_Traffic.dest
     All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction
     All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
     All_Traffic.src All_Traffic.src_ip All_Traffic.transport
     All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| eval duration=lastTime-firstTime
| where count > 10 AND duration < 3600
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_desktop_network_bruteforce_attempt_filter`

Author

Jose Hernandez, Bhavin Patel, Splunk

Created

2026-03-10

Data Sources

Sysmon EventID 3

References

Tags

SamSam RansomwareRyuk RansomwareCompromised User AccountWindows RDP Artifacts and Defense Evasion
Raw Content
name: Windows Remote Desktop Network Bruteforce Attempt
id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d
version: 7
date: '2026-03-10'
author: Jose Hernandez, Bhavin Patel, Splunk
status: production
type: Anomaly
description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
data_source:
    - Sysmon EventID 3
search: |-
    | tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime values(Al_Traffic.src_port) as src_port FROM datamodel=Network_Traffic
      WHERE (
            All_Traffic.app=rdp
            OR
            All_Traffic.dest_port=3389
        )
      BY All_Traffic.action All_Traffic.app All_Traffic.dest
         All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction
         All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
         All_Traffic.src All_Traffic.src_ip All_Traffic.transport
         All_Traffic.user All_Traffic.vendor_product
    | `drop_dm_object_name("All_Traffic")`
    | eval duration=lastTime-firstTime
    | where count > 10 AND duration < 3600
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_remote_desktop_network_bruteforce_attempt_filter`
how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. Adjust the count and duration thresholds as necessary to tune the sensitivity of your detection.
known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.Any legitimate RDP traffic using wrong/expired credentials will be also detected as a false positive.
references:
    - https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack
    - https://www.reliaquest.com/blog/rdp-brute-force-attacks/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $dest$ may be the target of an RDP Bruteforce from $src$
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - SamSam Ransomware
        - Ryuk Ransomware
        - Compromised User Account
        - Windows RDP Artifacts and Defense Evasion
    asset_type: Endpoint
    mitre_attack_id:
        - T1110.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog