Intro
Blue team challenges were comparatively easier than the other days, as most of them involved analyzing log files, pcap files and firewall configurations. One of the interesting challenges was:
Detecting a Brute-Force Attack from Windows Logs
- We started by looking at the Windows Event Logs. Specifically, we focused on the Security log, since that is where Windows audits logon attempts (successful and failed), and the System log for service and network-related events. To open these logs, we used the built-in Event Viewer on Windows.
- The logs contain thousands of entries, making it hard to spot suspicious activity at first glance. We applied filters to look for events that indicated failed login attempts.
- In Windows, these typically show up as events with certain IDs (for example, Event ID 4625 for failed logons).
- Once we isolated failed login attempts, we noticed a pattern: a single IP address showing up repeatedly, trying to log in to the system within the same time frame. Normal users don't fail logins so many times in a row, especially not that quickly.
- Within the event details, we found fields that listed the source IP address. In a 4625 event this is the Network Information section (Source Network Address and Source Port); it is the address from which the attack attempts were made.
- By examining related firewall logs and the event's network information, we also identified the port being targeted: 3389, Remote Desktop Protocol (RDP). The destination port itself comes from the firewall log; the 4625 event corroborates it through its Logon Type field (10 = RemoteInteractive, the classic RDP logon; with Network Level Authentication enabled, failed RDP attempts are usually recorded as Logon Type 3 instead).
- We counted how many failed login events came from the same IP within a certain time frame. The logs clearly showed many coming in the same second.
- Then we got the flag after we gave the right answer to the question "State the number of login attempts made using brute forcing."
- We learned how to use Event Viewer to find the right logs to analyze, and how to read and extract data from log files.
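The counting step in this challenge (failed logons per source IP in a short time frame) is easy to script instead of doing by hand in Event Viewer. The block below is an added example, not code from the original writeup: it parses 4625 records in the XML layout that `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml` emits, groups them by the IpAddress field, and flags any source with a burst of failures inside a sliding window, reporting the peak rate per second and the Logon Type values seen. The sample events, IP addresses, user names and timestamps are constructed for the example; `parse_4625`, `find_bursts` and `analyze` are names chosen here, and the threshold and window are assumptions to tune for the environment.

```python
"""Group Windows 4625 (failed logon) events by source IP and flag bursts.

Added example, not part of the original writeup. Input is the XML layout
that `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml` emits; the
sample records below are constructed (hypothetical IPs, users, timestamps).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon Type values relevant to an RDP brute force: 10 = RemoteInteractive
# (classic RDP); with Network Level Authentication enabled the failure is
# usually recorded as type 3 (Network) instead.
RDP_LOGON_TYPES = {3, 10}


def _event(ts, ip, user, logon_type):
    """Build one constructed 4625 record in Event Viewer's XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        "<EventID>4625</EventID>"
        f'<TimeCreated SystemTime="{ts}"/></System>'
        "<EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        '<Data Name="IpPort">51234</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [  # constructed sample, not real log data
    # one source firing several attempts per second at admin accounts
    _event("2024-03-01T10:15:07.112Z", "203.0.113.7", "administrator", 10),
    _event("2024-03-01T10:15:07.340Z", "203.0.113.7", "administrator", 10),
    _event("2024-03-01T10:15:07.598Z", "203.0.113.7", "administrator", 10),
    _event("2024-03-01T10:15:07.871Z", "203.0.113.7", "administrator", 10),
    _event("2024-03-01T10:15:08.105Z", "203.0.113.7", "admin", 10),
    _event("2024-03-01T10:15:08.377Z", "203.0.113.7", "admin", 10),
    _event("2024-03-01T10:15:08.640Z", "203.0.113.7", "admin", 10),
    _event("2024-03-01T10:15:09.020Z", "203.0.113.7", "admin", 10),
    # a real user mistyping a password twice, minutes apart: not a burst
    _event("2024-03-01T10:10:00.000Z", "192.0.2.25", "jdoe", 2),
    _event("2024-03-01T10:14:30.000Z", "192.0.2.25", "jdoe", 2),
]


def parse_4625(xml_text):
    """Return the fields we need from one 4625 event, or None if it is not one."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "4625":
        return None
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    return {
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
        "ip": data.get("IpAddress"),
        "user": data.get("TargetUserName"),
        "logon_type": int(data.get("LogonType", "0")),
    }


def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failures inside any sliding window.

    Returns {ip: {"total", "peak_in_window", "peak_per_second", "users",
    "logon_types"}} so the analyst sees both the volume and what was targeted.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        per_second = defaultdict(int)
        for t in times:
            per_second[t.replace(microsecond=0)] += 1
        flagged[ip] = {
            "total": len(evs),
            "peak_in_window": peak,
            "peak_per_second": max(per_second.values()),
            "users": sorted({e["user"] for e in evs}),
            "logon_types": sorted({e["logon_type"] for e in evs}),
        }
    return flagged


def analyze(xml_events, **kwargs):
    """Parse raw 4625 XML records and return the flagged sources."""
    parsed = [p for p in (parse_4625(x) for x in xml_events) if p]
    return find_bursts(parsed, **kwargs)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_EVENTS).items():
        rdp = "RDP logon type" if set(info["logon_types"]) & RDP_LOGON_TYPES else ""
        print(ip, info, rdp)
```

On a real host, pipe the output of `wevtutil` (one `<Event>` element per record) into `analyze` instead of `SAMPLE_EVENTS`. The sliding window rather than fixed buckets avoids missing a burst that straddles a minute boundary, and the per-second peak is the number that answers the "many in the same second" observation from the challenge.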