mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
feat: add 5 new cybersecurity skills - RDP brute force, Covenant C2, Calico network policies, heap spray analysis, T1098 hunting
This commit is contained in:
@@ -0,0 +1,68 @@
|
||||
# API Reference: Detecting RDP Brute Force Attacks
|
||||
|
||||
## Windows Security Event IDs
|
||||
|
||||
| Event ID | Description | Key Fields |
|
||||
|----------|-------------|------------|
|
||||
| 4625 | Failed logon attempt | TargetUserName, IpAddress, SubStatus, LogonType |
|
||||
| 4624 | Successful logon | TargetUserName, IpAddress, LogonType |
|
||||
| 4776 | NTLM credential validation | TargetUserName, Workstation, Status |
|
||||
| 4771 | Kerberos pre-auth failed | TargetUserName, IpAddress, Status |
|
||||
|
||||
## Logon Types for RDP
|
||||
|
||||
| Type | Name | Context |
|
||||
|------|------|---------|
|
||||
| 3 | Network | RDP with NLA enabled (pre-auth) |
|
||||
| 10 | RemoteInteractive | RDP session after NLA |
|
||||
|
||||
## Failure Sub-Status Codes
|
||||
|
||||
| Sub-Status | Meaning |
|
||||
|------------|---------|
|
||||
| 0xC0000064 | User does not exist |
|
||||
| 0xC000006A | Wrong password |
|
||||
| 0xC0000234 | Account locked out |
|
||||
| 0xC0000072 | Account disabled |
|
||||
| 0xC0000193 | Account expired |
|
||||
| 0xC0000071 | Password expired |
|
||||
|
||||
## python-evtx Library Usage
|
||||
|
||||
```python
|
||||
import Evtx.Evtx as evtx
|
||||
|
||||
with evtx.Evtx("Security.evtx") as log:
|
||||
for record in log.records():
|
||||
xml_str = record.xml()
|
||||
```
|
||||
|
||||
Install: `pip install python-evtx lxml`
|
||||
|
||||
## wevtutil Export Commands
|
||||
|
||||
```bash
|
||||
# Export Security log to EVTX
|
||||
wevtutil epl Security C:\logs\security.evtx
|
||||
|
||||
# Query failed RDP logons
|
||||
wevtutil qe Security /q:"*[System[(EventID=4625)] and EventData[Data[@Name='LogonType']='10']]" /f:text
|
||||
|
||||
# Count recent failed logons
|
||||
wevtutil qe Security /q:"*[System[(EventID=4625)]]" /c:100 /rd:true /f:text
|
||||
```
|
||||
|
||||
## Detection Thresholds
|
||||
|
||||
| Pattern | Threshold | Indicator |
|
||||
|---------|-----------|-----------|
|
||||
| Brute force | >10 failures/IP in 15 min | Single-target credential guessing |
|
||||
| Password spray | >5 unique users/IP | Multi-user single-password attack |
|
||||
| Compromise | 4625 followed by 4624 from same IP | Successful brute force |
|
||||
|
||||
## References
|
||||
|
||||
- Microsoft Event 4625: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
|
||||
- Microsoft Event 4624: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
|
||||
- python-evtx: https://github.com/williballenthin/python-evtx
|
||||
- LogonTracer: https://github.com/JPCERTCC/LogonTracer
|
||||
Reference in New Issue
Block a user