Bruteforce Writeup | Blue Team Labs Online

Scenario

Can you analyze logs from an attempted RDP brute-force attack?

One of our system administrators identified a large number of Audit Failure events in the Windows Security Event log. There are various ways to analyze these logs — consider using the suggested tools, but feel free to explore other methods as well!

File Formats Provided
The challenge provided the event log data in three formats: .csv, .evtx, and .txt.

For this analysis, I chose the .txt format due to its simplicity and compatibility with command-line tools like grep and awk. While the .csv format is suited for spreadsheet tools, and the .evtx format works well with Windows Event Viewer, the plain-text format enabled a faster and more flexible analysis directly on the terminal.

1) How many Audit Failure events are there?

Format: Count of Events

cat BTLO_Bruteforce_Challenge.txt | grep -i "failure" | sort | uniq -c

Answer: 3103

2) What is the username of the local account being targeted?

Format: Username

cat BTLO_Bruteforce_Challenge.txt | less

Answer: administrator

Format: String

Answer: Unknown user name or bad password

4) What is the Windows Event ID associated with these logon failures?

Format: ID

The Windows Event logs assign a unique Event ID to each event. Event ID 4624 corresponds to a successful logon, while Event ID 4625 corresponds to a failed logon attempt.

Answer: 4625

5) What is the source IP conducting this attack?

Format: X.X.X.X

cat BTLO_Bruteforce_Challenge.txt | grep "Source Network Address" | sort | uniq -c

The grep command searches for lines containing "Source Network Address," which represents the IP address of the attacker. Sorting and filtering unique values help pinpoint the exact source.

Answer: 113.161.192.227

6) What country is this IP address associated with?

Format: Country

By querying the IP address 113.161.192.227 in Censys, we determined that the attacker originated from Vietnam. Censys provides detailed metadata, including geolocation, which helps identify the source country of the IP.

Answer: Vietnam

Format: LowestPort-HighestPort (e.g., 100–541)

Answer: 4916-65534

Bruteforce Writeup | Blue Team Labs Online

Scenario

1) How many Audit Failure events are there?

2) What is the username of the local account being targeted?

4) What is the Windows Event ID associated with these logon failures?

5) What is the source IP conducting this attack?

6) What country is this IP address associated with?

More from this blog

Cyber Talents – G&P List (Forensics Challenge) Writeup

Cyber Talents - Cypher Anxiety Writeup

CyberDefenders - Tomcat Takeover Lab Writeup

TryHackMe - TShark Challenge II: Directory

TryHackMe – TShark Challenge I: Teamwork

Command Palette

Scenario

1) How many Audit Failure events are there?

2) What is the username of the local account being targeted?

3) What is the failure reason related to the Audit Failure logs?

4) What is the Windows Event ID associated with these logon failures?

5) What is the source IP conducting this attack?

6) What country is this IP address associated with?

7) What is the range of source ports used by the attacker to make these login requests?

More from this blog