Assumed Breach SOC Lab: Internal RDP Brute Force, Active Directory Recon, and Wazuh Detection

Liam Smydo

Modern SOC teams operate under one core principle: Assume Breach.

To reflect this reality, I built a realistic enterprise-style detection lab. This week I focused on one of the most common internal attack paths seen today:

RDP password brute forcing followed by Active Directory reconnaissance.

I created an isolated environment in my Proxmox homelab, collected telemetry with Wazuh + Sysmon, and walked through both the attacker workflow and the SOC analyst investigation path.


1. Lab Environment & Architecture

My isolated enterprise-style lab contains:

  • Windows Server 2022 — Domain Controller (Lab.local)
  • Windows 11 Client 01 — domain-joined
  • Windows 11 Client 02 — domain-joined
  • Wazuh Server — SIEM, rules engine, and log analysis
  • Kali Linux Attack Box — offensive tooling

Lab Topology

Wazuh agents were deployed to all Windows hosts, collecting:

  • Windows Security Events
  • Rich Sysmon telemetry
  • Authentication attempts
  • Process creation and activity

2. Scenario: Assumed Breach → Internal Lateral Movement via RDP

To keep the focus internal, we assume the attacker already controls an internal endpoint and has uncovered a domain user named “target”.

This scenario mirrors real incidents involving initial footholds like:

  • compromised contractor laptops
  • unmanaged BYOD devices
  • post-phishing lateral movement

The attacker’s objective:

obtain valid domain credentials and move laterally to a Windows workstation using RDP.


3. RDP Password Brute Force (Hydra)

From the Kali machine, I launched an RDP brute-force attack with Hydra against the user "target" on CLIENT02 (10.10.10.10):

hydra -l target -P wordlist.txt rdp://10.10.10.10

This generated real attacker telemetry on CLIENT02, including:

  • multiple failed logons (Security Event ID 4625), one per password tried
  • a single successful RDP logon (Security Event ID 4624, Logon Type 10) once the correct password was hit
  • Sysmon network connections from the Kali box to TCP port 3389 (Sysmon Event ID 3)

Hydra brute force of RDP successful


4. SOC Visibility & Wazuh Detection

As soon as the brute force began, Wazuh generated correlated alerts.

Key Windows Security Events:

  • 4625 — Failed RDP Authentication attempts

wazuh dashboard showing 28 failed login attempts captured

  • 4624 — Successful RDP Authentication

wazuh dashboard showing successful authentication event captured

Sysmon Events:

  • 3 — RDP connection attempts (TCP 3389)

Wazuh Rules Triggered:

  • rule levels 5, 6, and 10

wazuh rule classification from documentation

  • Excessive failed logon attempts
  • Possible brute-force correlation
  • When multiple failed authentication events from one source occur within a defined time window, the correlation rule fires at a higher severity than the individual failures.

wazuh dashboard showing rule levels 5, 6, and 10 alerted
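The severity ladder above (a level-5 alert per failure, a level-10 alert once a burst of failures from one source lands inside a time window, and then a success from that same source) is easy to lose in dashboard screenshots, so here is the correlation logic written out as a small replayable detector. This is an added example, not Wazuh's rule engine or the lab's ruleset: the threshold of 5 failures in 120 seconds, the level-12 "success after brute force" alert, the Kali address 10.10.10.50 and the event records themselves are all constructed for the example, shaped like Wazuh's decoded Windows eventchannel JSON.

```python
"""Brute-force correlation over Wazuh-style Windows Security events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are this example's assumptions; Wazuh expresses the same idea
# with <frequency> and <timeframe> attributes on a correlation rule.
FAIL_THRESHOLD = 5
TIMEFRAME = timedelta(seconds=120)
RDP_LOGON_TYPE = "10"  # Windows LogonType 10 = RemoteInteractive (RDP)


def _event(ts, event_id, src_ip, user, logon_type=None):
    """Constructed record shaped like Wazuh's decoded eventchannel JSON."""
    eventdata = {"ipAddress": src_ip, "targetUserName": user}
    if logon_type is not None:
        eventdata["logonType"] = logon_type
    return {"timestamp": ts,
            "data": {"win": {"system": {"eventID": str(event_id)},
                             "eventdata": eventdata}}}


# Constructed sample: six failures from the attack box, then one RDP success,
# plus two stray failures and one clean RDP logon from other hosts.
ATTACKER = "10.10.10.50"  # assumed Kali address, not from the original post
SAMPLE_EVENTS = [
    *[_event(f"2024-05-01T12:00:{s:02d}", 4625, ATTACKER, "target")
      for s in (0, 2, 4, 6, 8, 10)],
    _event("2024-05-01T12:00:12", 4624, ATTACKER, "target", logon_type="10"),
    _event("2024-05-01T12:05:00", 4625, "10.10.10.20", "jdoe"),
    _event("2024-05-01T12:05:30", 4625, "10.10.10.20", "jdoe"),
    _event("2024-05-01T12:06:00", 4624, "10.10.10.30", "helpdesk", logon_type="10"),
]


def correlate(events, threshold=FAIL_THRESHOLD, timeframe=TIMEFRAME):
    """Replay events in time order and return (time, level, message) alerts.

    level 5  : each 4625, the per-event logon-failure rule
    level 10 : >= threshold failures from one source inside timeframe (brute force)
    level 12 : 4624 LogonType 10 from a source that tripped level 10 inside timeframe
    """
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of 4625 in window
    brute_force_at = {}                   # src_ip -> when level 10 last fired
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        t = datetime.fromisoformat(ev["timestamp"])
        win = ev["data"]["win"]
        eid, ed = win["system"]["eventID"], win["eventdata"]
        src, user = ed.get("ipAddress", "-"), ed.get("targetUserName", "-")
        if eid == "4625":
            alerts.append((t, 5, f"Logon failure for {user} from {src}"))
            q = recent_failures[src]
            q.append(t)
            while t - q[0] > timeframe:   # drop failures that fell out of the window
                q.popleft()
            last = brute_force_at.get(src)
            # Fire once per window, like a frequency rule, not on every extra failure.
            if len(q) >= threshold and (last is None or t - last > timeframe):
                brute_force_at[src] = t
                alerts.append((t, 10, f"{len(q)} failures from {src} within "
                                      f"{int(timeframe.total_seconds())}s: possible brute force"))
        elif eid == "4624" and ed.get("logonType") == RDP_LOGON_TYPE:
            last = brute_force_at.get(src)
            if last is not None and t - last <= timeframe:
                alerts.append((t, 12, f"RDP logon for {user} from {src} right after a "
                                      "brute-force burst: likely compromised credentials"))
    return alerts


def counts_by_level(alerts):
    """Histogram of alert levels, handy for checking the severity ladder."""
    out = defaultdict(int)
    for _, level, _ in alerts:
        out[level] += 1
    return dict(out)


if __name__ == "__main__":
    for t, level, msg in correlate(SAMPLE_EVENTS):
        print(f"{t.time()}  level {level:2d}  {msg}")
```

The point of the level-12 rule is the one the dashboard screenshots make visually: a lone 4624 with Logon Type 10 is normal RDP use (the helpdesk logon produces nothing), and a handful of 4625s is a typo (the two jdoe failures stay at level 5). Only the sequence, failures from one source then a success from that source inside the window, is worth paging someone for.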


5. Post-Compromise Active Directory Recon

After successfully authenticating via RDP, I initiated early-stage domain enumeration mimicking what an attacker would do after moving laterally:

whoami
whoami /groups
whoami /priv
net user
nltest /dclist:lab.local

This type of recon helps an attacker understand:

  • domain structure
  • user/group membership
  • possible escalation paths
  • critical administrative targets

Wazuh captured:

  • process creation (Sysmon Event ID 1) for net.exe spawned from the attacker's PowerShell session
  • the user account the command ran under
  • the exact command line that was executed
  • an alert tagged with rule.mitre.technique: Account Discovery (T1087)
  • Sysmon telemetry tied to the attacker's logon session

wazuh dashboard capturing account discovery technique alert from net command
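The Account Discovery alert above fires on a single net.exe command line. What makes the recon stand out to an analyst, though, is several different discovery techniques running under one logon session within a couple of minutes. The following added example (my code, not Wazuh's rules or the lab's configuration) classifies constructed Sysmon Event ID 1 records by command line into ATT&CK discovery techniques and flags a session that shows three or more distinct techniques inside a window. The pattern-to-technique mapping, the 3-technique/5-minute threshold, the logon IDs and the helpdesk user are all assumptions made for the example; the commands in the attacker session are the ones from the post.

```python
"""Classify Sysmon Event ID 1 command lines as discovery and flag bursts (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex -> MITRE ATT&CK technique ID (parent techniques). Order matters: the
# more specific "whoami /groups" rule must be tried before the bare whoami rule.
# This mapping is the example's own judgment, not a Wazuh ruleset.
DISCOVERY_PATTERNS = [
    (re.compile(r"\bwhoami(\.exe)?\b.*/(groups|all)\b"),     "T1069"),  # Permission Groups Discovery
    (re.compile(r"\bwhoami(\.exe)?\b"),                       "T1033"),  # System Owner/User Discovery
    (re.compile(r"\bnet1?(\.exe)?\s+(user|accounts)\b"),      "T1087"),  # Account Discovery
    (re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup)\b"),   "T1069"),  # Permission Groups Discovery
    (re.compile(r"\bnltest(\.exe)?\b.*/dclist"),              "T1018"),  # Remote System Discovery
    (re.compile(r"\bnet1?(\.exe)?\s+view\b"),                 "T1018"),
]


def classify_command(command_line):
    """Return the technique ID for a discovery command line, or None."""
    cmd = command_line.lower()
    for pattern, technique in DISCOVERY_PATTERNS:
        if pattern.search(cmd):
            return technique
    return None


def _proc(ts, image, cmd, user, logon_id, parent):
    """Constructed record shaped like Wazuh's decoded Sysmon Event ID 1 JSON."""
    return {"timestamp": ts,
            "data": {"win": {"system": {"eventID": "1"},
                             "eventdata": {"image": image, "commandLine": cmd, "user": user,
                                           "logonId": logon_id, "parentImage": parent}}}}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"
# Constructed sample: the attacker's recon session (logon ID assumed), plus
# a SYSTEM service process and a helpdesk user running a single "net user".
SAMPLE_EVENTS = [
    _proc("2024-05-01T12:00:30", S32 + r"\svchost.exe", S32 + r"\svchost.exe -k netsvcs",
          r"NT AUTHORITY\SYSTEM", "0x3e7", S32 + r"\services.exe"),
    _proc("2024-05-01T12:01:00", S32 + r"\whoami.exe", "whoami", r"LAB\target", "0x4f3a2", PS),
    _proc("2024-05-01T12:01:10", S32 + r"\whoami.exe", "whoami /groups", r"LAB\target", "0x4f3a2", PS),
    _proc("2024-05-01T12:01:20", S32 + r"\whoami.exe", "whoami /priv", r"LAB\target", "0x4f3a2", PS),
    _proc("2024-05-01T12:01:35", S32 + r"\net.exe", "net user", r"LAB\target", "0x4f3a2", PS),
    # net.exe hands the real work to net1.exe, so Sysmon logs a second process
    _proc("2024-05-01T12:01:35", S32 + r"\net1.exe", S32 + r"\net1 user", r"LAB\target", "0x4f3a2",
          S32 + r"\net.exe"),
    _proc("2024-05-01T12:01:50", S32 + r"\nltest.exe", "nltest /dclist:lab.local", r"LAB\target",
          "0x4f3a2", PS),
    _proc("2024-05-01T12:30:00", S32 + r"\net.exe", "net user", r"LAB\helpdesk", "0x8b12c",
          S32 + r"\cmd.exe"),
]


def find_discovery_bursts(events, min_techniques=3, timeframe=timedelta(minutes=5)):
    """Group discovery hits by (user, logonId) and report sessions that show
    at least min_techniques distinct techniques inside one timeframe."""
    sessions = defaultdict(list)
    for ev in events:
        win = ev["data"]["win"]
        if win["system"]["eventID"] != "1":
            continue
        ed = win["eventdata"]
        technique = classify_command(ed.get("commandLine", ""))
        if technique:
            sessions[(ed["user"], ed["logonId"])].append(
                (datetime.fromisoformat(ev["timestamp"]), technique, ed["commandLine"]))
    bursts = []
    for (user, logon_id), hits in sessions.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= timeframe]
            techniques = {h[1] for h in window}
            if len(techniques) >= min_techniques:
                bursts.append({"user": user, "logonId": logon_id, "start": t0,
                               "techniques": techniques, "commands": [h[2] for h in window]})
                break  # one alert per session is enough for the analyst
    return bursts


if __name__ == "__main__":
    for b in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{b['user']} (logon {b['logonId']}) ran {sorted(b['techniques'])} "
              f"starting {b['start'].time()}: {b['commands']}")
```

Keying on the Sysmon LogonId rather than just the username is what lets the analyst tie the recon back to the specific 4624 that the brute force produced; the helpdesk user's lone "net user" classifies as T1087 too but never reaches the burst threshold, which is the difference between an enrichment tag and an alert.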


6. Analyst Investigation: Correlating the Attack Chain

I investigated the attack from a SOC perspective, correlating the telemetry chronologically:

  1. A spike of Event ID 4625 (failed RDP logons from one source, which tripped the level-10 brute-force correlation rule)
  2. A single successful 4624 from that same source immediately after the failures
  3. Logon Type 10 (RemoteInteractive) on that 4624, confirming the logon came in over RDP rather than at the console
  4. New processes (Sysmon Event ID 1) spawning under the compromised user as it ran Active Directory reconnaissance commands
  5. Persistent RDP session activity after the initial logon

wazuh dashboard showing alerts generated for EVENT.ID 1, 4624 and 4625

7. Lab Takeaways

  • Visibility is everything. Internal attacks like RDP brute force never cross the perimeter, so host-level telemetry (Windows Security Events + Sysmon) is essential for seeing what actually happens on the host. Sysmon's process, network and command-line data gives the SOC far more to work with than the Security log alone.
  • SOC teams rely on correlated signals, not isolated events. When Wazuh ties together the 4625 failures, the successful 4624 from the same source, and the Sysmon network activity on 3389, the full story of the lateral movement becomes clear.
  • Internal recon is easily detectable with the right logs. Enumeration commands such as net user and nltest leave reliable, high-value artifacts that help analysts confirm malicious behavior quickly.
  • Effective SOC detection comes from tuning, not tools alone. Well-configured rules and thresholds turn raw logs into actionable, high-confidence alerts.
  • We cannot protect what we cannot see.