Detecting brute force on Windows hosts


PentesterD

Dec 21, 2022, 3:33:04 AM12/21/22
to Wazuh mailing list
Hello,

I am new to Wazuh. Trying to follow this guide for a demo:


This works as expected for SSH brute force on a Linux host. But there is nothing triggering when I try to brute force using RDP on a Windows host.

All I have done is installed the Wazuh agent on both Windows and Linux hosts. And I can see that both are reporting back to the Wazuh manager.

Is there any additional configuration that I need to do to see the brute force attempts on the Windows host? It works out of the box for the Linux host.

Thanks

Pacome Kemkeu

Dec 21, 2022, 3:53:10 AM12/21/22
to Wazuh mailing list
Hello,

For the Windows use case, it’s required to enable RDP on the victim endpoint before running the attack.
You can use the following resource to enable it if you didn't.

If you are using a Windows version other than Windows 11 or 10, in order to track user logon activities, you'll need to enable Windows 7 audit logon events.
Kindly follow this link to perform this in that case.

After that, restart the Wazuh agent and perform the brute force attack. The alerts should appear on your dashboard.

I hope this helps you!


PentesterD

Dec 21, 2022, 5:34:31 AM12/21/22
to Wazuh mailing list
Enabling Windows 7 logon events was the key. I am able to see those events now. I have a follow-up question. Just like we have the rule 5712 - "SSHD brute force trying to get access to the system", don't we have anything that catches RDP brute force?

Pacome Kemkeu

Dec 21, 2022, 6:39:05 AM12/21/22
to Wazuh mailing list
Hello PentesterD,
Can you please submit a full log at that event? I'll help you write a custom rule to flag it.

PentesterD

Dec 23, 2022, 3:33:41 AM12/23/22
to Wazuh mailing list
I was able to write the rule. Thanks.

Darwin

Mar 6, 2024, 2:35:38 PM3/6/24
to Wazuh | Mailing List
Can you write the rule please? I'm still a rookie.
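The thread never shows the rule PentesterD wrote, so the following is an added example of what an RDP equivalent of rule 5712 can look like in Wazuh's local_rules.xml; it is not code from the thread or from the Wazuh project. It assumes the default Windows security ruleset, in which rule 60122 fires on Windows event 4625 ("An account failed to log on"), that the Windows eventchannel decoder exposes the event fields as win.eventdata.logonType and win.eventdata.ipAddress, and that the manager's rule engine supports the same_field correlation option; rule IDs 100100 and 100101 are placeholders in the custom range. Verify the parent rule ID and field names against your installed version before relying on it.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; restart the manager after editing) -->
<group name="windows,rdp,authentication_failed,">

  <!-- Child of the built-in failed-logon rule (assumed to be 60122 for event 4625).
       Logon type 10 is RemoteInteractive, i.e. an interactive RDP session. When Network
       Level Authentication is on, failed RDP credentials are usually logged with logon
       type 3 (Network) instead, so both types are kept; a plain type-10-only rule will
       miss most attempts against an NLA-enabled host. -->
  <rule id="100100" level="5">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.logonType">^10$|^3$</field>
    <description>Failed remote logon (RDP/NLA) for user $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <options>no_full_log</options>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- Correlation rule: five or more hits of 100100 from the same source address within
       two minutes. same_field (assumed supported by the installed manager) keys the count
       on the client IP so that one unlucky user mistyping a password does not trip it. -->
  <rule id="100101" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>RDP brute force: multiple failed remote logons from $(win.eventdata.ipAddress)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Rule 100100 sits at level 5 so that each individual failure is still indexed (useful for forensics and for tuning the threshold), while 100101 carries the level that actually pages someone; the frequency and timeframe are starting points to adjust against the normal failure rate on the host. Checking that event 4625 arrives at all (the Windows 7 audit logon setting mentioned above) is the first thing to confirm if neither rule ever fires.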