
Introduction:
In the ever-evolving landscape of cybersecurity, the Secure Shell (SSH) protocol remains a primary target for external threat actors seeking unauthorized access to systems. A brute-force attack, where an attacker attempts numerous username and password combinations, is one of the most common yet critical threats faced by Security Operations Centers (SOCs). This article breaks down a practical lab exercise involving a simulated SSH brute-force attack from a Kali Linux machine against a Windows 11 host, focusing on the detection and analysis phase—a core competency for any blue team professional.
Learning Objectives:
- Understand the mechanics of an SSH brute-force attack and its indicators of compromise (IoCs) on a Windows host.
- Learn how to manually analyze Windows Security Logs to identify failed logon attempts (Event ID 4625).
- Gain proficiency in using PowerShell to filter and correlate security events for threat hunting.
- Explore the next steps in a detection workflow, including automation and integration with a SIEM solution.
You Should Know:
1. Lab Setup: Configuring the Attack and Target Environment
To replicate this scenario, you need a controlled lab environment. The attacker machine is Kali Linux, while the target is a Windows 11 machine with the OpenSSH Server feature enabled. This setup simulates a realistic network where an administrator might use SSH for remote management, creating an attack surface.
Step‑by‑step guide on the Windows 11 target:
1. Install OpenSSH Server: Go to Settings > Apps > Optional Features. Click “Add a feature” and install “OpenSSH Server”.
2. Start the SSH Service: Open PowerShell as an Administrator and run the following commands to start and configure the SSH service:
# Start the SSH Server service immediately
Start-Service sshd
# Set the service to start automatically on boot
Set-Service -Name sshd -StartupType 'Automatic'
# Verify the service is running
Get-Service sshd
3. Ensure Firewall Rule Exists: The installer usually creates a firewall rule. Verify that it exists and create it only if it is missing:
# Look the rule up by display name; create it only when the lookup returns nothing
if (-not (Get-NetFirewallRule -DisplayName 'OpenSSH Server (sshd)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'OpenSSH Server (sshd)' -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
}
Step‑by‑step guide on the Kali Linux attacker:
1. Identify Target IP: On Windows 11, run `ipconfig` to find its local IP address (e.g., 192.168.1.100).
2. Simulate the Attack: Use a tool like `Hydra` or `Medusa` to perform the brute force. A simple `hydra` command attempts passwords from a list:
# Syntax: hydra -l [username] -P [password_list.txt] ssh://[target_ip]
hydra -l administrator -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
Note: This will generate numerous failed attempts, which is exactly what we want to detect.
2. Detection Through Windows Event Log Analysis
After running the attack simulation, the SOC analyst’s job begins on the Windows 11 target. Windows records every authentication attempt. The primary indicator of a brute-force attack is a high volume of Event ID 4625, which signifies a failed logon.
Step‑by‑step guide to manual log analysis:
1. Open Event Viewer: Press Win + R, type eventvwr.msc, and press Enter.
2. Navigate to Security Logs: Go to Windows Logs > Security.
3. Filter for Failed Logons: On the right-hand panel, click “Filter Current Log…”. In the dialog, enter `4625` in the Event IDs field and click OK.
4. Analyze Event Details: Double-click any Event ID 4625. Key fields to examine include:
– Account Name: The username being targeted.
– Workstation Name: The source machine name (may show the Kali hostname).
– Source Network Address: The IP address of the attacker (e.g., 192.168.1.150).
– Process Name: May show C:\Windows\System32\sshd.exe, confirming the attack vector is SSH.
3. Threat Hunting with PowerShell for Rapid Correlation
Manually clicking through Event Viewer is inefficient for analyzing hundreds of failed events. PowerShell allows an analyst to query the security log programmatically, count failed attempts, and identify the source of the attack in seconds.
Step‑by‑step guide using PowerShell:
1. Open PowerShell as Administrator.
2. Query for Failed Logons (4625):
# Get all failed logon events from the last day
$FailedLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddDays(-1)}
3. Correlate and Group by Source IP:
# Extract the source IP and target account from the event message and group the results by source IP
$FailedLogons | ForEach-Object {
    $event = $_
    # Dots are escaped so the pattern matches only a dotted-quad address
    if ($event.Message -match 'Source Network Address:\s+(\d+\.\d+\.\d+\.\d+)') {
        $sourceIp = $matches[1]
        # A 4625 message carries two "Account Name" fields; the one under "Account For Which Logon Failed" is the targeted user
        $targetUser = if ($event.Message -match 'Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)') { $matches[1] } else { "N/A" }
        [PSCustomObject]@{
            Time       = $event.TimeCreated
            SourceIP   = $sourceIp
            TargetUser = $targetUser
        }
    }
} | Group-Object SourceIP | Select-Object Name, Count | Sort-Object Count -Descending
Expected Output: This script will output a list of IP addresses and how many failed attempts originated from each. An IP with a count in the hundreds is a clear indicator of a brute-force attack.
4. Blocking the Attacker with Windows Firewall (Containment)
Once the attacker’s IP is identified, a rapid containment step is crucial. While a full SOC would likely automate this, a manual containment strategy involves blocking the offending IP at the network level using the Windows Firewall.
Step‑by‑step guide to block a malicious IP:
1. Identify the Attacker IP: Use the results from the PowerShell hunting step above (e.g., 192.168.1.150).
2. Create a Firewall Rule to Block the IP:
New-NetFirewallRule -DisplayName "Block SSH Attacker IP 192.168.1.150" -Direction Inbound -Protocol TCP -LocalPort Any -RemotePort Any -RemoteAddress 192.168.1.150 -Action Block
3. Verify the Rule:
Get-NetFirewallRule -DisplayName "Block SSH Attacker IP 192.168.1.150" | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Note: In a real-world scenario, this rule would immediately sever the network connection from that specific IP, preventing further logon attempts while the investigation continues.
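As an added example (not code from the original article), the hunting step from section 3 and the containment step from section 4 combined into reusable PowerShell: fields are read from the 4625 event XML, which unlike the Message text does not change with the Windows display language, a source IP is flagged only when it produces a threshold number of failures inside a short window (the same shape as the SIEM alert described in section 5), and the block rule is created with -WhatIf. The function names, the 50-attempts-in-5-minutes threshold and the sample records are assumptions; the constructed sample stands in for live events so the block runs offline.

```powershell
function Get-FailedLogonRecords {
    # Reads Event ID 4625 and pulls fields from the event XML rather than the localized Message text
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [PSCustomObject]@{
                Time       = $_.TimeCreated
                SourceIP   = ($data | Where-Object Name -eq 'IpAddress').'#text'
                TargetUser = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            }
        }
}

function Find-BruteForceSources {
    # Flags every source IP with at least $Threshold failures inside any sliding window of $WindowMinutes (assumed defaults)
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$Threshold = 50,
        [int]$WindowMinutes = 5
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    $Records | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
        Group-Object SourceIP | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
                if ($times[$i + $Threshold - 1] - $times[$i] -le $window) {
                    [PSCustomObject]@{
                        SourceIP = $_.Name
                        Attempts = $_.Count
                        Users    = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
                    }
                    break
                }
            }
        }
}

# Constructed sample (not real log data): 60 failures from one IP within three minutes, 5 spread over 50 minutes from another
$t0 = Get-Date
$sample  = 0..59 | ForEach-Object { [PSCustomObject]@{ Time = $t0.AddSeconds(3 * $_); SourceIP = '192.168.1.150'; TargetUser = 'administrator' } }
$sample += 0..4  | ForEach-Object { [PSCustomObject]@{ Time = $t0.AddMinutes(10 * $_); SourceIP = '192.168.1.20';  TargetUser = 'alice' } }
Find-BruteForceSources -Records $sample

# Live run with containment in the article's rule shape; remove -WhatIf to actually create the block rule
# Find-BruteForceSources -Records @(Get-FailedLogonRecords) | ForEach-Object {
#     New-NetFirewallRule -DisplayName "Block SSH Attacker IP $($_.SourceIP)" -Direction Inbound -RemoteAddress $_.SourceIP -Action Block -WhatIf
# }
```

Only the first sample source is flagged: the second never reaches the threshold, so a handful of genuine typos from an administrator does not trigger a block.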
5. Automating Detection with a SIEM (Splunk/Wazuh)
As noted in the project post, the next step is automation. Manually running PowerShell scripts is effective for threat hunting, but a SIEM provides continuous, real-time alerting. Assuming logs are forwarded to a SIEM like Splunk, a detection rule can be created.
Conceptual Step‑by‑step guide (Splunk Search):
1. Search for Failed Logins:
index=windows EventCode=4625
2. Correlate by Source IP:
index=windows EventCode=4625 | stats count by src_ip, TargetUserName | where count > 10
3. Trigger Alert: Configure an alert to trigger when `count` exceeds a certain threshold (e.g., 50 attempts in 5 minutes) from a single source IP. This creates a ticket for the SOC team to investigate and potentially automate a block via a playbook.
6. Hardening SSH Against Brute Force Attacks
Beyond detection, proactive defense is key. Configuring the OpenSSH server on Windows can significantly reduce the attack surface.
Step‑by‑step guide to SSH Hardening:
1. Locate the `sshd_config` file: Typically found in C:\ProgramData\ssh\sshd_config.
2. Edit the file as Administrator (use Notepad or VS Code).
3. Implement Key Security Changes:
- Disable Root Login: Ensure `PermitRootLogin` is set to `no` (or `prohibit-password`).
- Disable Password Authentication (if possible): Change `PasswordAuthentication` to `no` and rely on SSH keys. This eliminates password brute-force attacks entirely.
- Change Default Port: While not a security control, changing from port 22 to a non-standard port reduces automated bot scanning. Uncomment and change the `Port` directive.
- Limit Users: Specify which users can log in via SSH.
4. Restart the SSH Service:
Restart-Service sshd
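An added example, not from the article: a PowerShell audit of an `sshd_config` against the four changes listed above, run on a constructed weak configuration and its hardened counterpart. `AllowUsers`/`AllowGroups` are the OpenSSH directives assumed here to implement "Limit Users"; the function names and the sample file contents are mine.

```powershell
function Get-SshdDirectives {
    # Parses sshd_config text: "Key value" per line, comments and blanks skipped, first occurrence wins (sshd semantics)
    param([Parameter(Mandatory)][string]$ConfigText)
    $directives = @{}
    foreach ($line in ($ConfigText -split '\r?\n')) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $parts = $trimmed -split '\s+', 2
        $key = $parts[0].ToLowerInvariant()
        if (-not $directives.ContainsKey($key)) { $directives[$key] = $parts[1] }
    }
    return $directives
}

function Test-SshdHardening {
    # Checks the four section 6 changes; OpenSSH defaults are assumed for directives left commented out
    param([Parameter(Mandatory)][string]$ConfigText)
    $d = Get-SshdDirectives -ConfigText $ConfigText
    $password = if ($d.ContainsKey('passwordauthentication')) { $d['passwordauthentication'] } else { 'yes' }
    $root     = if ($d.ContainsKey('permitrootlogin')) { $d['permitrootlogin'] } else { 'prohibit-password' }
    $port     = if ($d.ContainsKey('port')) { [int]$d['port'] } else { 22 }
    [PSCustomObject]@{
        PasswordAuthDisabled = ($password -eq 'no')
        RootLoginRestricted  = ($root -in @('no', 'prohibit-password'))
        NonDefaultPort       = ($port -ne 22)
        UsersLimited         = ($d.ContainsKey('allowusers') -or $d.ContainsKey('allowgroups'))
    }
}

# Constructed samples (not a real machine's file): password logins left on, then the hardened version
$weakConfig = @"
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
"@
$hardenedConfig = @"
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers sshadmin
"@
Test-SshdHardening -ConfigText $weakConfig
Test-SshdHardening -ConfigText $hardenedConfig

# Audit the live file from this section (run as Administrator):
# Test-SshdHardening -ConfigText (Get-Content -Raw C:\ProgramData\ssh\sshd_config)
```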
What Undercode Say:
- Logs are the First Line of Defense: This project reinforces that security logs (Event ID 4625) are not just compliance checkboxes. They are the raw data of an attack. The ability to manually parse and correlate these logs is a fundamental skill that separates a script-kiddie from a competent SOC analyst.
- Automation is Inevitable, but Understanding is Crucial: While moving this detection to a SIEM like Splunk or Wazuh is the logical next step, understanding the underlying data—what a failed logon looks like, how to count it, and how to block it manually—is essential for building accurate and effective automated rules. You cannot automate what you do not understand.
Prediction:
As SSH continues to be a staple for remote administration, brute-force attacks will remain a persistent threat, but their nature will evolve. We will see a significant shift from volume-based attacks to “low-and-slow” attacks designed to evade SIEM thresholds. Furthermore, the integration of AI-driven threat intelligence will enable next-gen firewalls and endpoint detection and response (EDR) tools to preemptively block brute-force sources based on global reputation scores, rather than just local event counts. The future of defense lies in predictive, automated interdiction that occurs before the first failed password attempt.
Reported By: Sepehr Naji – Hackers Feeds