An attacker ran an RDP brute force from 149.102.244.101 against host Maxton (172.16.17.95) and obtained a successful login at 06:35 AM UTC on the letsdefend account. The account is a confirmed local Administrator: the BUILTIN\Administrators entry marked "Group used for deny only" in the whoami /groups output is the expected UAC split-token state of an admin account's initial non-elevated shell, not a privilege limitation. The attacker simply launched a separate elevated PowerShell session to execute privileged operations, which is standard behaviour for any local admin over RDP.
Post-compromise activity followed a structured playbook across four phases:
- Enumeration: whoami, whoami /groups, ping google.com
- Persistence: created local backdoor account test, added it to Administrators and Remote Desktop Users, reset the built-in Administrator password to Passw0rd!
- Defense Evasion: disabled Windows Defender real-time monitoring and script scanning via Set-MpPreference, disabled the firewall across all profiles via both legacy netsh firewall and netsh AdvFirewall, then navigated to C:\Sysmon\ and reinstalled Sysmon with a replacement config (sysmonconfig-export.xml). The config is 1,201 lines and appears legitimate; intent is uncertain between an accidental misfire and deliberate removal of custom detections. MFT timestamp review is recommended to confirm whether the file was pre-staged or dropped during the intrusion.
- Log Clearance: cleared all Windows event logs via Clear-EventLog and wevtutil.exe, including the Sysmon, PowerShell Operational, Analytic, and Debug channels. Machine subsequently contained.
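As an added example that is not part of the original case notes, the following Python script turns the four phases above into detection rules and runs them over constructed Sysmon Event ID 1 style process-creation records, mapping each hit to the technique IDs used in this report's own ATT&CK table. The exact command-line forms (net.exe versus the PowerShell cmdlets, the Sysmon64.exe binary name, the sample timestamps and the svc_backup account) are assumptions; the notes name the tools but not every argument string verbatim.

```python
"""Command-line triage for the four-phase playbook described in the case notes.

Added example (not part of the original report). It applies simple rules to
Sysmon Event ID 1 style process-creation records and maps each hit to the
phase and ATT&CK technique ID from this report's mapping table.
"""
import re

# Rules: (phase, technique ID from the report's ATT&CK table, pattern).
# Argument strings are assumptions: both net.exe and PowerShell cmdlet forms
# are covered where either could have produced the observed result.
RULES = [
    ("Enumeration", "T1069.001",
     re.compile(r"\bwhoami(\.exe)?\s+/groups\b", re.I)),
    ("Persistence", "T1136.001",          # local account creation
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b|\bNew-LocalUser\b", re.I)),
    ("Persistence", "T1098",              # group membership change
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+.+/add\b|\bAdd-LocalGroupMember\b", re.I)),
    ("Persistence", "T1098",              # built-in Administrator password reset
     re.compile(r"\bnet1?(\.exe)?\s+user\s+administrator\s+\S+\s*$"
                r"|\bSet-LocalUser\b.*-Password\b", re.I)),
    ("Defense Evasion", "T1562.001",      # Defender features switched off
     re.compile(r"\bSet-MpPreference\b.*-Disable\w+", re.I)),
    ("Defense Evasion", "T1562.004",      # legacy netsh firewall and netsh advfirewall
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+(mode=)?disable)", re.I)),
    ("Defense Evasion", "T1562.006",      # Sysmon re-configured with a new XML
     re.compile(r"\bsysmon(64)?(\.exe)?\b.*\s-c\s+\S+\.xml", re.I)),
    ("Log Clearance", "T1070.001",
     re.compile(r"\bClear-EventLog\b|\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]

# Constructed sample records (not from the Maxton image). Times fall inside the
# report's 06:30-06:40 UTC window; the last entry is benign admin noise.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-07-29 06:36:02", "User": r"MAXTON\letsdefend", "CommandLine": "whoami"},
    {"UtcTime": "2024-07-29 06:36:10", "User": r"MAXTON\letsdefend", "CommandLine": "whoami /groups"},
    {"UtcTime": "2024-07-29 06:36:30", "User": r"MAXTON\letsdefend", "CommandLine": "ping google.com"},
    {"UtcTime": "2024-07-29 06:37:05", "User": r"MAXTON\letsdefend", "CommandLine": "net user test Passw0rd! /add"},
    {"UtcTime": "2024-07-29 06:37:12", "User": r"MAXTON\letsdefend", "CommandLine": "net localgroup Administrators test /add"},
    {"UtcTime": "2024-07-29 06:37:20", "User": r"MAXTON\letsdefend", "CommandLine": 'net localgroup "Remote Desktop Users" test /add'},
    {"UtcTime": "2024-07-29 06:37:41", "User": r"MAXTON\letsdefend", "CommandLine": "net user Administrator Passw0rd!"},
    {"UtcTime": "2024-07-29 06:38:03", "User": r"MAXTON\letsdefend",
     "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true"},
    {"UtcTime": "2024-07-29 06:38:15", "User": r"MAXTON\letsdefend", "CommandLine": "netsh firewall set opmode disable"},
    {"UtcTime": "2024-07-29 06:38:18", "User": r"MAXTON\letsdefend", "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"UtcTime": "2024-07-29 06:39:01", "User": r"MAXTON\letsdefend", "CommandLine": r"C:\Sysmon\Sysmon64.exe -c sysmonconfig-export.xml"},
    {"UtcTime": "2024-07-29 06:40:12", "User": r"MAXTON\letsdefend", "CommandLine": "wevtutil.exe cl Microsoft-Windows-Sysmon/Operational"},
    {"UtcTime": "2024-07-29 06:40:13", "User": r"MAXTON\letsdefend", "CommandLine": "powershell.exe Clear-EventLog -LogName Security"},
    {"UtcTime": "2024-07-29 06:41:00", "User": r"MAXTON\svc_backup", "CommandLine": "net user"},
]


def triage(events):
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for phase, technique, pattern in RULES:
            if pattern.search(ev["CommandLine"]):
                hits.append({"UtcTime": ev["UtcTime"], "User": ev["User"],
                             "Phase": phase, "Technique": technique,
                             "CommandLine": ev["CommandLine"]})
    return hits


def phase_summary(hits):
    """Phase -> sorted unique technique IDs, in order of first appearance."""
    summary = {}
    for h in hits:
        summary.setdefault(h["Phase"], set()).add(h["Technique"])
    return {phase: sorted(ids) for phase, ids in summary.items()}


def first_evasion_time(hits):
    """Earliest Defense Evasion hit: endpoint telemetry after this point is suspect."""
    times = [h["UtcTime"] for h in hits if h["Phase"] == "Defense Evasion"]
    return min(times) if times else None


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(h["UtcTime"], h["Phase"], h["Technique"], h["CommandLine"])
    print(phase_summary(found))
    print("telemetry untrusted from:", first_evasion_time(found))
```

Plain whoami and ping are deliberately left unmatched: they have no technique in the report's table and fire constantly from legitimate administrators, so the rule set keys on the /groups variant only. The first_evasion_time value is the point from which Defender, firewall and Sysmon records on the host should be treated as incomplete, which is why the timeline's 06:40 wevtutil alert, not the earlier activity, was the first thing the SOC saw.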
| Timestamp (UTC) | Event |
|---|---|
| Jul 29, 2024, ~06:30 AM | RDP brute force begins from 149.102.244.101 |
| Jul 29, 2024, 06:35 AM | Successful RDP login as letsdefend |
| Jul 29, 2024, 06:40 AM | Alert triggered - event logs cleared via wevtutil.exe |
Artefacts:
- C:\Windows\system32\wevtutil.exe
- C:\Sysmon\sysmonconfig-export.xml
- 149.102.244.101: confirmed malicious, brute force reports
- letsdefend: confirmed local Administrator
- test: created post-compromise, added to Administrators and Remote Desktop Users

Confirmed true positive. The attacker ran a password spray against RDP and succeeded on letsdefend, a confirmed local Administrator account. No UAC bypass was required; the attacker used legitimate admin rights to launch an elevated PowerShell session directly. Persistence was layered across backdoor account creation, group membership escalation, and Administrator credential modification. The defense evasion phase was systematic: Defender killed, firewall dropped, Sysmon config replaced, then full log clearance to destroy forensic evidence. The Sysmon reinstall was initially assessed as lab setup scaffolding, a key reminder to apply MFT timestamp analysis to all artefacts within an intrusion window regardless of appearance.
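The MFT timestamp review recommended above can be reduced to a small triage rule, shown here as an added example that is not part of the original case notes. It takes the $STANDARD_INFORMATION and $FILE_NAME timestamps an MFT parser exports for each entry, places the file relative to the report's 06:30 to 06:40 UTC window, and flags the classic timestomping signs. The three input records, the Sysmon64.exe path and the notes.txt file are constructed for the example.

```python
"""$STANDARD_INFORMATION vs $FILE_NAME timestamp triage for files found
inside an intrusion window.

Added example, not part of the original case notes. Input records are the
per-entry timestamps an MFT parser exports; the sample records are
constructed, not taken from the Maxton image.
"""
from datetime import datetime, timedelta, timezone

# Intrusion window from the report's timeline (UTC).
INTRUSION_START = datetime(2024, 7, 29, 6, 30, tzinfo=timezone.utc)
INTRUSION_END = datetime(2024, 7, 29, 6, 40, tzinfo=timezone.utc)


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.ffffff' as a UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def classify(record, start=INTRUSION_START, end=INTRUSION_END):
    """Place a file relative to the window and flag timestomping signs.

    $FILE_NAME (FN) timestamps are written by the kernel on create/rename and
    are not reachable through SetFileTime, so placement uses FN created.
    $STANDARD_INFORMATION (SI) is what directory listings show and what a
    timestomper can rewrite, so SI/FN disagreement is the flag.
    """
    si_created = parse_ts(record["si_created"])
    si_modified = parse_ts(record["si_modified"])
    fn_created = parse_ts(record["fn_created"])
    reasons = []

    # Classic signature: SI creation predates FN creation by more than clock jitter.
    if fn_created - si_created > timedelta(seconds=1):
        reasons.append("SI created precedes FN created")
    # Whole-second SI time beside a sub-second FN time: typical of tools that
    # write second-granularity timestamps.
    if si_created.microsecond == 0 and fn_created.microsecond != 0:
        reasons.append("SI created has zero sub-second part, FN does not")

    if start <= fn_created <= end:
        placement = "dropped during intrusion"
    elif fn_created < start:
        placement = "pre-staged"
        if start <= si_modified <= end:
            placement = "pre-staged, modified during intrusion"
    else:
        placement = "created after containment"

    return {
        "path": record["path"],
        "placement": placement,
        "timestomp_suspected": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample records: a config dropped in-window, a binary installed
# weeks earlier, and a file whose SI times were pushed back to 2019.
SAMPLE_RECORDS = [
    {"path": r"C:\Sysmon\sysmonconfig-export.xml",
     "si_created": "2024-07-29 06:39:00.412338",
     "si_modified": "2024-07-29 06:39:00.412338",
     "fn_created": "2024-07-29 06:39:00.412338"},
    {"path": r"C:\Sysmon\Sysmon64.exe",
     "si_created": "2024-07-01 09:12:44.001200",
     "si_modified": "2024-07-01 09:12:44.001200",
     "fn_created": "2024-07-01 09:12:44.001200"},
    {"path": r"C:\Users\Public\notes.txt",
     "si_created": "2019-01-01 00:00:00.000000",
     "si_modified": "2019-01-01 00:00:00.000000",
     "fn_created": "2024-07-29 06:38:50.778120"},
]


def triage(records=SAMPLE_RECORDS):
    """Classify every record; results keep input order."""
    return [classify(r) for r in records]


if __name__ == "__main__":
    for result in triage():
        print(result["path"], "->", result["placement"],
              "| timestomp suspected:", result["timestomp_suspected"], result["reasons"])
```

The rule answers exactly the question the notes leave open for sysmonconfig-export.xml: an FN created time inside the window means the file was dropped by the intruder, an FN created time before it means pre-staging, and an SI created time that is older than FN created means the displayed timestamps cannot be trusted at all. Keep the one-second tolerance; SI and FN creation times normally agree to the 100 ns tick, but volume copies can introduce small offsets.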
| Technique ID | Tactic | Technique |
|---|---|---|
| T1110.001 | Credential Access | Brute Force - Password Guessing |
| T1021.001 | Lateral Movement | Remote Services - Remote Desktop Protocol |
| T1059.001 | Execution | Command and Scripting Interpreter - PowerShell |
| T1078.001 | Defense Evasion | Valid Accounts - Local Accounts |
| T1136.001 | Persistence | Create Account - Local Account |
| T1098 | Persistence | Account Manipulation |
| T1069.001 | Discovery | Permission Groups Discovery - Local Groups |
| T1562.001 | Defense Evasion | Impair Defenses - Disable or Modify Tools |
| T1562.004 | Defense Evasion | Impair Defenses - Disable or Modify System Firewall |
| T1562.006 | Defense Evasion | Impair Defenses - Indicator Blocking |
| T1070.001 | Defense Evasion | Indicator Removal - Clear Windows Event Logs |
| Type | Value | Notes |
|---|---|---|
| IP | 149.102.244.101 | Attacker - confirmed malicious, brute force |
| IP | 172.16.17.95 | Victim host (Maxton) |
| Account | letsdefend | Compromised via RDP brute force - local Administrator |
| Account | test | Backdoor local user created post-compromise |
| Credential | Passw0rd! | Administrator password set by attacker |
| Binary | wevtutil.exe | Used to clear Sysmon and PowerShell logs |
| File | C:\Sysmon\sysmonconfig-export.xml | Replacement Sysmon config - MFT timestamp review required |

🔬 Analysis Reports

https://www.abuseipdb.com/check/149.102.244.101?page=2