Hello team,
I am having an issue where someone is attempting to brute force my network. I would like to know which ports they are attacking, as the data in the event below does not include which ports are being attacked, only the source port.
I will provide you with the json file for analysis. I would like to know which ports are being attacked.

I have provided the complete rules. If there are any errors in the detection, please correct them and provide me with feedback regarding the purpose of the port being attacked.
<group name="windows,windows_security,authentication_failures,">
  <!-- Note: Wazuh reserves rule IDs below 100000 for its built-in ruleset; custom rules are expected
       to use IDs in the 100000-120000 range, so 65224/60234/60235 below risk colliding with shipped rules. -->
  <rule id="65224" level="12" frequency="5" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <!-- SMB-specific indicators -->
    <field name="win.eventdata.logonType">3</field>
    <field name="win.eventdata.logonProcessName">NtLmSsp</field>
    <field name="win.eventdata.authenticationPackageName">NTLM</field>
    <!-- Same attacker -->
    <same_field>win.eventdata.ipAddress</same_field>
    <description>SMB Bruteforce Terdeteksi (NTLM Network Logon)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>windows,smb,bruteforce,credential_access</group>
  </rule>

  <rule id="60234" level="13" frequency="5" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <!-- RDP specific -->
    <field name="win.eventdata.logonType">10</field>
    <field name="win.eventdata.logonProcessName">User32</field>
    <!-- Same attacker -->
    <same_field>win.eventdata.ipAddress</same_field>
    <description>RDP Bruteforce Terdeteksi (Remote Desktop Logon)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>windows,rdp,bruteforce,credential_access</group>
  </rule>

  <rule id="60235" level="12" frequency="5" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <!-- RDP via NLA -->
    <field name="win.eventdata.logonType">3</field>
    <field name="win.eventdata.logonProcessName">Advapi</field>
    <!-- Field values must stay on one line: a value wrapped onto its own line carries the newline
         and surrounding whitespace into the match and will not compare equal to the event field. -->
    <field name="win.eventdata.authenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</field>
    <!-- Same attacker -->
    <same_field>win.eventdata.targetUserName</same_field>
    <description>RDP Bruteforce via NLA / auth-only (pre-session authentication)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <rule id="100700" level="7">
    <if_sid>18106</if_sid> <!-- Windows Logon Failure -->
    <field name="win.eventdata.logonType">3</field>
    <field name="win.eventdata.authenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</field>
    <description>RDP Authentication Failure (Pre-Auth)</description>
    <group>windows,rdp,authentication_failed</group>
  </rule>

  <rule id="100701" level="12" frequency="5" timeframe="60">
    <if_matched_sid>100700</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>RDP Bruteforce Detected (Multiple Failures - Same User)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>rdp,bruteforce,attack</group>
  </rule>

  <rule id="100702" level="14" frequency="5" timeframe="60">
    <if_matched_sid>100700</if_matched_sid>
    <same_field>win.eventdata.workstationName</same_field>
    <description>RDP Password Spray Detected (Multiple Users)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>rdp,password_spray,attack</group>
  </rule>
</group>
Regards
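To make the correlation behaviour of the rules above concrete (and to show why they can never yield a destination port), here is an added Python replay of the three `if_matched_sid`/`same_field` rules over a constructed set of decoded Event ID 4625 records. This is example code written for this thread, not part of the poster's ruleset or of Wazuh itself. The event records, IPs, ports and user names are constructed; the matching is a simplification that fires once a key reaches `frequency` matching events inside `timeframe` seconds (Wazuh's own counting of `frequency` differs slightly, see its rules syntax documentation), and `ipPort` is the attacker-side source port that 4625 actually records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _evt(ts, ip, port, ltype, proc, pkg, user, ws):
    """One decoded 4625 record in Wazuh's win.eventdata.* shape (constructed sample)."""
    return {"timestamp": ts, "ipAddress": ip, "ipPort": str(port), "logonType": ltype,
            "logonProcessName": proc, "authenticationPackageName": pkg,
            "targetUserName": user, "workstationName": ws}


# Constructed sample: three sources with different behaviour.
EVENTS = (
    # 6 NTLM network-logon failures from one host inside 60 s -> should match rule 65224
    [_evt(f"2024-05-01T10:00:{i * 10:02d}", "10.0.0.50", 50000 + i, "3", "NtLmSsp", "NTLM",
          f"user{i}", "-") for i in range(6)]
    # 6 interactive RDP failures (logon type 10) from another host -> rule 60234
    + [_evt(f"2024-05-01T10:01:{i * 5:02d}", "10.0.0.51", 61000 + i, "10", "User32", "Negotiate",
            "administrator", "WKS-EXT") for i in range(6)]
    # only 3 NTLM failures -> stays below the threshold, no alert
    + [_evt(f"2024-05-01T10:02:{i * 10:02d}", "10.0.0.52", 40000 + i, "3", "NtLmSsp", "NTLM",
            "backup", "-") for i in range(3)]
)

# The poster's three composite rules, reduced to the parts that decide a match.
RULES = [
    {"id": 65224, "desc": "SMB Bruteforce (NTLM Network Logon)",
     "match": {"logonType": "3", "logonProcessName": "NtLmSsp", "authenticationPackageName": "NTLM"},
     "same_field": "ipAddress", "frequency": 5, "timeframe": 120},
    {"id": 60234, "desc": "RDP Bruteforce (Remote Desktop Logon)",
     "match": {"logonType": "10", "logonProcessName": "User32"},
     "same_field": "ipAddress", "frequency": 5, "timeframe": 120},
    {"id": 60235, "desc": "RDP Bruteforce via NLA / auth-only",
     "match": {"logonType": "3", "logonProcessName": "Advapi",
               "authenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"},
     "same_field": "targetUserName", "frequency": 5, "timeframe": 120},
]


def correlate(events, rules):
    """Replay events through the rules in time order.

    Returns one alert per (rule, same_field value) each time that key accumulates
    `frequency` matching events within `timeframe` seconds. The window is reset after
    firing so a sustained attack produces one alert per batch rather than one per event.
    """
    alerts = []
    windows = defaultdict(deque)   # (rule id, key) -> timestamps of matching events
    ports = defaultdict(set)       # (rule id, key) -> source ports seen in the window
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(ev["timestamp"])
        for rule in rules:
            # every <field> condition must hold on the current event
            if any(ev.get(f) != v for f, v in rule["match"].items()):
                continue
            key = (rule["id"], ev[rule["same_field"]])
            win = windows[key]
            win.append(ts)
            ports[key].add(ev["ipPort"])
            # drop events that fell out of the timeframe
            while ts - win[0] > timedelta(seconds=rule["timeframe"]):
                win.popleft()
            if len(win) >= rule["frequency"]:
                alerts.append({"rule": rule["id"], "description": rule["desc"],
                               "key": ev[rule["same_field"]],
                               "source_ports": sorted(ports[key]),
                               # 4625 carries IpPort (source side) only; nothing here
                               # tells us which service port was targeted.
                               "destination_port": None})
                win.clear()
                ports[key].clear()
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, RULES):
        print(a)
```

Running it prints two alerts, one for 10.0.0.50 under 65224 and one for 10.0.0.51 under 60234; 10.0.0.52 never reaches five matches. Both alerts list only ephemeral source ports, which is exactly the gap the question describes.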
Hi,
Your custom rules look good. Regarding port identification, Windows Event ID 4625 mainly relates to login activity on the Windows system. Because of this, it usually records details such as logon type, username, and source IP, but it does not normally record the destination port.
You can refer to this discussion for reference as well: event-4625 without ip and port - Microsoft Q&A
The events forwarded from Windows do not contain destination port details, so in Wazuh alerts we cannot display that information.
From your log, it shows this is an NTLM authentication, which commonly uses port 1433, but we cannot be certain that this is the port in your environment. To get accurate port details, you need to use Windows Firewall logs, such as the pfirewall.log file. Windows Firewall logs network activity and includes destination port information.
Steps to enable Windows Firewall logging:
1. Press Windows + R, type wf.msc, and press Enter to open Windows Defender Firewall with Advanced Security.
2. In the left pane, select Windows Defender Firewall with Advanced Security on Local Computer.
3. Right-click and select Properties.
4. In each profile tab (Domain, Private, Public), click Customize under Logging and set the following:
   - Log dropped packets: Yes
   - Log successful connections: Yes (optional; for allowed traffic)
   - Log file path: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
   - Log file size: Increase (for example, 16384 KB = 16 MB)
5. Click OK to apply the settings.
After enabling this, you can find the log file at: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
You can use this log file to identify which ports are being accessed from a specific IP address.
You can also configure Wazuh to monitor this log file and forward it to the Wazuh Manager for analysis and alert generation.
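As an added example of the last step (not part of the answer above or of Wazuh), the following Python script parses a pfirewall.log excerpt and summarises, per source IP, which destination ports were hit and whether the firewall allowed or dropped them. The log excerpt is constructed but follows the header-driven W3C-style layout Windows Firewall writes (the `#Fields:` line names the columns, `-` marks unused columns, and `path` is RECEIVE or SEND), so the parser reads the column order from the header rather than hard-coding it. The well-known port labels are standard service assignments, added only as a triage hint.

```python
from collections import Counter

# Constructed pfirewall.log excerpt. ALLOW lines only appear when
# "Log successful connections" is enabled, as described in the steps above.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 ALLOW TCP 10.0.0.50 10.0.0.10 50001 445 52 S 1001 0 8192 - - - RECEIVE
2024-05-01 10:00:02 ALLOW TCP 10.0.0.50 10.0.0.10 50002 445 52 S 1002 0 8192 - - - RECEIVE
2024-05-01 10:00:03 DROP TCP 10.0.0.50 10.0.0.10 50003 3389 52 S 1003 0 8192 - - - RECEIVE
2024-05-01 10:00:04 ALLOW TCP 10.0.0.51 10.0.0.10 61001 3389 52 S 1004 0 8192 - - - RECEIVE
2024-05-01 10:00:05 DROP UDP 10.0.0.50 10.0.0.10 50004 137 78 - - - - - - - RECEIVE
2024-05-01 10:00:06 ALLOW TCP 10.0.0.10 10.0.0.50 445 50001 52 A 1005 1001 8192 - - - SEND
"""

# Standard service assignments for ports commonly seen in Windows brute-force triage.
WELL_KNOWN = {
    135: "MS-RPC endpoint mapper", 137: "NetBIOS name service",
    139: "NetBIOS session (SMB over NetBIOS)", 445: "SMB", 1433: "MSSQL",
    3389: "RDP", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)",
}


def parse_pfirewall(text):
    """Return one dict per data line, keyed by the column names from the '#Fields:' header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines before the header or with an unexpected column count
        rows.append(dict(zip(fields, parts)))
    return rows


def inbound_targets(rows, src_ip=None):
    """Count inbound (RECEIVE) attempts per (src-ip, protocol, dst-port, action).

    Outbound SEND lines are excluded so a server's own replies are not
    mistaken for attacks; src_ip narrows the view to one suspect address.
    """
    counts = Counter()
    for r in rows:
        if r["path"] != "RECEIVE":
            continue
        if src_ip is not None and r["src-ip"] != src_ip:
            continue
        counts[(r["src-ip"], r["protocol"], int(r["dst-port"]), r["action"])] += 1
    return counts


def report(counts):
    """Human-readable lines, most frequent target first."""
    lines = []
    for (src, proto, port, action), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        label = WELL_KNOWN.get(port, "unregistered/other")
        lines.append(f"{src} -> {proto}/{port} ({label}) {action} x{n}")
    return lines


if __name__ == "__main__":
    rows = parse_pfirewall(SAMPLE_LOG)
    for line in report(inbound_targets(rows, "10.0.0.50")):
        print(line)
```

For the constructed excerpt the report for 10.0.0.50 shows two allowed SMB (445) connections, one dropped RDP (3389) attempt and one dropped NetBIOS (137) datagram, which is the destination-port view that Event ID 4625 alone cannot give. Point the script at the real file path from the steps above (or at a copy of it) to get the same summary for a live host.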
Apologies for the late response. For monitoring network-level attacks, you can consider monitoring network devices such as firewalls and switches using Wazuh. You can forward logs from these network devices to the Wazuh manager via syslog if the devices support syslog forwarding. Once the logs are received, Wazuh can analyze them and trigger alerts based on the events. You can refer to the Wazuh syslog configuration documentation for details on configuring the Wazuh manager to listen for syslog logs.
Another option is to use Suricata for monitoring network activity on the endpoint. Suricata monitors endpoint network traffic based on its detection rules, and when abnormal activity is detected, it writes logs to a log file. Using the Wazuh agent, you can monitor this log file and forward it to the Wazuh manager for analysis.
You can refer to the Wazuh documentation for integrating Wazuh with Suricata for network monitoring.
Refer: https://medium.com/@tabla.109/integrating-suricata-with-wazuh-in-windows-server-2025-843303dc9c67
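As an added illustration of the agent-side collection both answers mention (example configuration, not taken from the answers or from the linked article), these are the `<localfile>` entries you would add to the Wazuh agent's ossec.conf on the Windows host to ship the firewall log and a Suricata EVE log to the manager. The pfirewall.log path is the one from the firewall steps above; the Suricata eve.json path is an assumption that depends on where Suricata was installed. Note that pfirewall.log is space-separated text, so a custom decoder is still needed on the manager before `dst-port` can be referenced in a rule, whereas eve.json is decoded automatically by the JSON decoder.

```xml
<ossec_config>
  <!-- Windows Firewall log (plain text); needs a custom decoder on the manager to expose dst-port -->
  <localfile>
    <location>C:\Windows\System32\LogFiles\Firewall\pfirewall.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Suricata EVE output; path is an assumption, adjust to your Suricata install -->
  <localfile>
    <location>C:\Program Files\Suricata\log\eve.json</location>
    <log_format>json</log_format>
  </localfile>
</ossec_config>
```

After restarting the agent, events from both files arrive at the manager; the JSON fields from Suricata (for example `dest_port`) can be matched directly in custom rules.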