{"id":4498,"date":"2022-03-23T22:18:47","date_gmt":"2022-03-23T20:18:47","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=4498"},"modified":"2023-07-27T23:19:29","modified_gmt":"2023-07-27T21:19:29","slug":"rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/","title":{"rendered":"What happens without RDP protection after 24+ hours in Microsoft Sentinel &#038; Microsoft security products"},"content":{"rendered":"\n<p>For many years, abuse of <strong>Remote Desktop Protection (RDP)<\/strong> has been the most common root cause of all ransomware events. At the moment one of the most common attacks against VMs in Azure\/ AWS or other clouds is based on the RDP brute-force attack.<\/p>\n\n\n\n<p>Last year I <a href=\"https:\/\/jeffreyappel.nl\/monitor-rdp-brute-force-attack-with-azure-sentinel-azure-security-center\/\">published a blog<\/a> about monitoring RDP attacks. This blog is focussing on more in-depth information; what happens after 24+ hours of open RDP ports and what is visible in Defender &#8211; Sentinel &#8211; Defender for Cloud.<\/p>\n\n\n\n<p>T-Pot is added to this blog for some additional background information around honeypots and the most common malicious activity part of a new T-Pot instance including containers.<\/p>\n\n\n\n<p>In <strong>part 2<\/strong> of this blog, I\u2019ll talk about what happened when the machine was online with the username: <em>Administrator<\/em> and password: <em>123456<\/em> in Microsoft Defender for Endpoint. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">RDP attack most frequent attack?<\/h2>\n\n\n\n<p>Now you may think, securing RDP is a default measure &#8211; based on Shodan there are currently more than 4.46M RDP ports (3389) exposed to the public internet. Attackers use automated systems to scan frequently the internet for open ports which are available with only username and password protection.<\/p>\n\n\n\n<p>There is absolutely <strong>no reason <\/strong>to put RDP directly on the Internet. There are many solutions available (JIT, Bastion, and other protections which allow easy management). Seriously, don\u2019t open RDP directly to the public internet. It\u2019s only a matter of time before a system is compromised. <\/p>\n\n\n\n<p>It\u2019s extremely easy to find RDP systems online. Scanning for RDP\u2019s default port (TCP\/3389) is easy, but Shodan has already done it for you.<\/p>\n\n\n\n<p>Shodan is a search engine for internet-of-things devices across the internet. Shodan can identify devices on the internet based on several characteristics. Shodan works by crawling the internet based on a full protocol-specific handshake to determine whether a port is open or closed. In case of open RDP ports Shodan takes a screenshot of the discovered open RDP ports.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"302\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_21-44-38-1024x302.png\" alt=\"\" class=\"wp-image-4500\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_21-44-38-1024x302.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_21-44-38-300x89.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_21-44-38-768x227.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_21-44-38-1536x454.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_21-44-38-2048x605.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_21-44-38-585x173.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Shodan search based on<strong> port:3389<\/strong> will returns all hits discovered by Shodan. Currently, there are a total of<strong> 4.467.430<\/strong> exposed RDP ports (including honeypots) and counting each day.<\/p>\n\n\n\n<p><strong>Top 10 &#8211; country<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"538\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/facet-1024x538.png\" alt=\"\" class=\"wp-image-4499\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/facet-1024x538.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/facet-300x158.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/facet-768x403.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/facet-585x307.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/facet.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Shodan.io<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Monitoring RDP attacks<\/h2>\n\n\n\n<p>This blog post will show you how to use Microsoft Sentinel for detecting brute force attacks based on RDP targeting cloud VMs in Azure, Amazon, or other clouds.<\/p>\n\n\n\n<p>The following is part of the blog:<\/p>\n\n\n\n<ul>\n<li>Collect Security Events using the new Azure Monitoring Agent (AMA)<\/li>\n\n\n\n<li>Hunting for malicious activity using Microsoft Sentinel<\/li>\n\n\n\n<li>Build-in Analytics rules<\/li>\n\n\n\n<li>Fusion detection<\/li>\n<\/ul>\n\n\n\n<p>++ Bonus content<\/p>\n\n\n\n<ul>\n<li>Using T-Pot for honeyPot insights<\/li>\n\n\n\n<li>T-Pot analyze<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Install AMA agent &#8211; Collect events<\/h2>\n\n\n\n<p>The Azure Monitoring Agent (AMA) is re-written from the ground and the replacement for the Microsoft Monitoring Agent used by Log Analytics. The Azure Monitor agent uses data collection rules (DCR) to configure data to collect from each agent. Data collection rules enable the manageability of collection settings at scale for different groups of environments or machines, which results in less cost and fewer events.<\/p>\n\n\n\n<p>View the following blog for all information related to AMA, DCA, and the new agent: <em><a href=\"https:\/\/jeffreyappel.nl\/collect-security-events-in-sentinel-with-the-new-ama-agent-and-dcr\/\">Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR<\/a> &nbsp;<\/em>Below part is a small summary of the details which are explained before.<\/p>\n\n\n\n<p>Multiple options are available for installing the Azure Monitoring Agent, in this blog post the installation based on Microsoft Sentinel is explained. For more detailed standalone install instructions check the following source:&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/agents\/azure-monitor-agent-manage?tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc\">Manage the Azure Monitor agent | Microsoft Docs<\/a><\/p>\n\n\n\n<p>For Azure cloud machines, no extra Azure Arc configuration is required. For enabling the new connector, take the following steps:<\/p>\n\n\n\n<ol>\n<li>Open&nbsp;<strong>Microsoft Sentinel<\/strong><\/li>\n\n\n\n<li>In the menu select&nbsp;<strong>Data connectors (1)<\/strong><\/li>\n\n\n\n<li>Select the<strong>&nbsp;Windows Security event via AMA connector<\/strong>&nbsp;<strong>(2)<\/strong>&nbsp;<\/li>\n\n\n\n<li>Open the&nbsp;<strong>connector page<\/strong>&nbsp;<strong>(3)<\/strong><\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" width=\"1024\" height=\"579\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_21-58-43-1024x579.png\" alt=\"\" class=\"wp-image-4368\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_21-58-43-1024x579.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_21-58-43-300x170.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_21-58-43-768x434.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_21-58-43-1536x868.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_21-58-43-2048x1157.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_21-58-43-585x331.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now from the connector page configure the new data sources. Make sure you have read and write permissions. For collecting security events from Windows agents and installing the AMA agent. Start with creating a new data collection rule (DCR). For creating the new rule click the button&nbsp;<strong>Create data collection rule<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"563\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-08-54-1024x563.png\" alt=\"\" class=\"wp-image-4371\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-08-54-1024x563.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-08-54-300x165.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-08-54-768x422.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-08-54-1536x844.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-08-54-585x321.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-08-54.png 1833w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The Data Collection Rule is the location where the data should be sent. In this blog, we use the Microsoft Sentinel Log Analytics workspace.<\/p>\n\n\n\n<p>Fill in the following values:<\/p>\n\n\n\n<ul>\n<li>Rule name: Name for specific Data Collection Rule<\/li>\n\n\n\n<li>Subscription: Select the subscription<\/li>\n\n\n\n<li>Resource Group: Select resource group ( Data Collection rule is Azure Resource.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"302\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-11-27-1-1024x302.png\" alt=\"\" class=\"wp-image-4373\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-11-27-1-1024x302.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-11-27-1-300x88.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-11-27-1-768x227.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-11-27-1-585x173.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-11-27-1.png 1251w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now&nbsp;<strong>select the devices<\/strong>&nbsp;or&nbsp;<strong>Resource groups\/ subscriptions<\/strong>&nbsp;and press&nbsp;<strong>Apply.&nbsp;<\/strong>After enabling the installation will be automatically installed on these machines. Selection for single virtual machines is possible or complete resource groups\/ subscriptions:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"390\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_23-41-08-1024x390.png\" alt=\"\" class=\"wp-image-4501\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_23-41-08-1024x390.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_23-41-08-300x114.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_23-41-08-768x292.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_23-41-08-585x223.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-16_23-41-08.png 1269w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Review the selected resources and go to the tab;&nbsp;<strong>collect<\/strong>.<\/p>\n\n\n\n<p>For collecting events select one of the event groups: <strong>All Security Events, Common, Minimal, Custom<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-31-33-e1645226989876.png\" alt=\"\" class=\"wp-image-4378\" width=\"531\" height=\"128\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-31-33-e1645226989876.png 797w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-31-33-e1645226989876-300x73.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-31-33-e1645226989876-768x187.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/02\/2022-02-17_22-31-33-e1645226989876-585x142.png 585w\" sizes=\"(max-width: 531px) 100vw, 531px\" \/><\/figure>\n\n\n\n<ul>\n<li><strong>All events<\/strong>&nbsp;\u2013 All Windows security and AppLocker events.<\/li>\n\n\n\n<li><strong>Common<\/strong>&nbsp;\u2013 A standard set of events for auditing purposes. The Common event set may contain some types of events that aren\u2019t so common. This is because the main point of the Common set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability.<\/li>\n\n\n\n<li><strong>Minimal<\/strong>&nbsp;\u2013 A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence.<\/li>\n\n\n\n<li><strong>Custom<\/strong> \u2013 defining custom queries using Xpath. <a href=\"https:\/\/jeffreyappel.nl\/collect-security-events-in-sentinel-with-the-new-ama-agent-and-dcr\/\">See this blog for the explanation<\/a><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Event set<\/strong><\/td><td><strong>Collected event IDs<\/strong><\/td><\/tr><tr><td>Minimal<\/td><td>1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222<\/td><\/tr><tr><td>Common<\/td><td>1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647, 4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">RDP Brute-Force Quick Stats<\/h2>\n\n\n\n<p>Now it\u2019s time to show the results. If you don\u2019t know RDP brute force attacking is heavily used, you know it after this blog post. First some quick stats to deep-dive into more Sentinel queries and Sentinel events.<\/p>\n\n\n\n<p>Data is based on 3 default Azure VMs including <span style=\"text-decoration: underline;\">complex admin passwords<\/span>.<\/p>\n\n\n\n<p><strong>The honeypot was online for 3 days which generates the below events in Sentinel: <\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Event<\/strong><\/th><th>Event count<\/th><\/tr><\/thead><tbody><tr><td>Total logon attempts (eventID 4625)<\/td><td>89,285<\/td><\/tr><tr><td>Total logon attempts username &#8220;administrator&#8221;<\/td><td>62,260<\/td><\/tr><tr><td>Total logon attempts including the word &#8220;admin&#8221;<\/td><td>74,520<\/td><\/tr><tr><td>Unique user accounts (eventID 4625)<\/td><td>1993<\/td><\/tr><tr><td>Unique IP&#8217;s (eventID 4625)<\/td><td>132<\/td><\/tr><tr><td>Successful authentications<\/td><td>0 (complex password and non-default username)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>The honeypot was online for 7 days which generates the below events in Sentinel: <\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event<\/th><th>Event count<\/th><\/tr><\/thead><tbody><tr><td>Total logon attempts (eventID 4625)<\/td><td>209,335<\/td><\/tr><tr><td>Total logon attempts username &#8220;administrator&#8221;<\/td><td>172.000<\/td><\/tr><tr><td>Total logon attempts including the word &#8220;admin&#8221;<\/td><td>185.591<\/td><\/tr><tr><td>Successful authentications<\/td><td>0 (complex password and non-default username)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Top 20 user names:<\/strong> (3 days of data)<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Username<\/strong><\/th><th>Event count<\/th><\/tr><\/thead><tbody><tr><td>Administrator<\/td><td>29,791<\/td><\/tr><tr><td>{servername1{\\Administrator<\/td><td>13,589<\/td><\/tr><tr><td>{servername2{\\Administrator<\/td><td>11,769<\/td><\/tr><tr><td>{servername3{\\Administrator<\/td><td>4,290<\/td><\/tr><tr><td>Admin<\/td><td>1,471<\/td><\/tr><tr><td>ADMINISTRATOR<\/td><td>1,430<\/td><\/tr><tr><td>AZUREUSER<\/td><td>1,123<\/td><\/tr><tr><td>AZUREADMIN<\/td><td>997<\/td><\/tr><tr><td>VMADMIN<\/td><td>848<\/td><\/tr><tr><td>LOCALADMIN<\/td><td>837<\/td><\/tr><tr><td>SYSADMIN<\/td><td>825<\/td><\/tr><tr><td>TESTUSER<\/td><td>813<\/td><\/tr><tr><td>ADMINUSER<\/td><td>813<\/td><\/tr><tr><td>SERVERADMIN<\/td><td>811<\/td><\/tr><tr><td>ADADMIN<\/td><td>809<\/td><\/tr><tr><td>DEMOUSER<\/td><td>807<\/td><\/tr><tr><td>ADMINVM<\/td><td>806<\/td><\/tr><tr><td>ADMIN123<\/td><td>804<\/td><\/tr><tr><td>ADMINISTRATOR1<\/td><td>801<\/td><\/tr><tr><td>AZADMIN<\/td><td>799<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">RDP Brute-Force Quick Stats &#8211; Easy password<\/h2>\n\n\n\n<p>One of the machines is configured with a separate admin account. There were successful authentications to it. For the majority, attackers didn&#8217;t do anything on the machine. Since MDE and Defender for Cloud are enabled there was visibility into what the attacker did, and which alerts are generated from Defender for Endpoint.<\/p>\n\n\n\n<p>This is likely because the initial logons were part of a brute-force attack and they were only looking for systems for which credentials could be guessed.<\/p>\n\n\n\n<p>I will explain this part in a new blog soon, and explain the compromises detected by Defender for Endpoint, Sentinel, Defender for Cloud. Enough content for another part.<\/p>\n\n\n\n<p>It starts with;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-23_20-32-17.png\" alt=\"\" class=\"wp-image-4542\" width=\"566\" height=\"235\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-23_20-32-17.png 835w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-23_20-32-17-300x125.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-23_20-32-17-768x320.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-23_20-32-17-585x244.png 585w\" sizes=\"(max-width: 566px) 100vw, 566px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Sentinel Hunting<\/h2>\n\n\n\n<p>Based on all data we can use Microsoft Sentinel hunting for getting some more insights. The following events are part of the RDP Brute Force attempt and are useful for hunting:<\/p>\n\n\n\n<ul>\n<li>EventID 4625: Account Failed to Log on<\/li>\n\n\n\n<li>EventID 4624: An account was successfully logged on<\/li>\n<\/ul>\n\n\n\n<p>Failure reasons:<\/p>\n\n\n\n<ul>\n<li>%%2310: Account currently disabled. (531)<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>%%2313: Unknown user name or bad password. (529)<\/li>\n<\/ul>\n\n\n\n<p>EventID 4624\/ 4625 is located in the <strong>Security Event table<\/strong> of Log Analytics\/ Sentinel. The combination of both events makes it possible to deep-dive for succeeded sign-ins.<\/p>\n\n\n\n<p><strong>Summarize RDP attempt by 1 hour<\/strong> (data from last 7 days)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"388\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-38-18-1024x388.png\" alt=\"\" class=\"wp-image-4509\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-38-18-1024x388.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-38-18-300x114.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-38-18-768x291.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-38-18-1536x582.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-38-18-2048x776.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-38-18-585x222.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityEvent\n| where EventID == 4625\n| where AccountType == \"User\"\n| summarize &#91;'Total Brute Force Attemps']=count() by bin(TimeGenerated, 1h)\n| render timechart <\/code><\/pre>\n\n\n\n<p><strong>Summarize usernames<\/strong> (data from last 7 days)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"335\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-50-29-1024x335.png\" alt=\"\" class=\"wp-image-4510\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-50-29-1024x335.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-50-29-300x98.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-50-29-768x251.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-50-29-1536x503.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-50-29-2048x670.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-21_23-50-29-585x191.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityEvent\n| where EventID == \"4625\"\n| where AccountType == \"User\"\n| summarize count=count() by Account\n| render piechart<\/code><\/pre>\n\n\n\n<p><strong>Summarize IPaddress<\/strong> (data from last 7 days)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"498\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-46-34-1024x498.png\" alt=\"\" class=\"wp-image-4519\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-46-34-1024x498.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-46-34-300x146.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-46-34-768x373.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-46-34-1536x746.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-46-34-2048x995.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-46-34-585x284.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityEvent\n| where EventID == \"4625\"\n| where AccountType == \"User\"\n| summarize count=count() by IpAddress\n| render piechart <\/code><\/pre>\n\n\n\n<p><strong>Failure code\/ victim workstation<\/strong><\/p>\n\n\n\n<p>Show 4625 event where substatus is 0xc000006A or 0xc0000064 . Including WorkstationName of the attacker.<\/p>\n\n\n\n<ul>\n<li>0xc0000064: user name does not exist<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>0xc000006A: user name is correct but the password is wrong<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"166\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-53-46-1024x166.png\" alt=\"\" class=\"wp-image-4520\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-53-46-1024x166.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-53-46-300x49.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-53-46-768x125.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-53-46-1536x250.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-53-46-2048x333.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-53-46-585x95.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityEvent\n| where EventID == 4625\n| where (SubStatus == \"0xc000006A\" or SubStatus == \"0xc0000064\")\n| project TimeGenerated, EventID, WorkstationName, Computer, Account, Activity, LogonTypeName, LogonProcessName, LogonType, SubStatus<\/code><\/pre>\n\n\n\n<p><strong>Attempt including Failed \/ Succeeded ( succeeded based on EventID 4624)<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"268\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-17-09-1024x268.png\" alt=\"\" class=\"wp-image-4523\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-17-09-1024x268.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-17-09-300x79.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-17-09-768x201.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-17-09-1536x402.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-17-09-585x153.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-17-09.png 2039w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityEvent\n| where EventID in (4625, 4624) and AccountType == 'User'\n| summarize Attempts = count(), Failed = countif(EventID == 4625), Succeeded = countif(EventID == 4624) by Account<\/code><\/pre>\n\n\n\n<p><strong>Suspicious failed logins, by IP address. Event shows: Succeeded, Attempts, Unique account used<\/strong><\/p>\n\n\n\n<p>Credits: <a href=\"https:\/\/pixelrobots.co.uk\/2019\/07\/query-active-directory-security-events-using-azure-log-analytics-on-the-cheap\/\">Pixelrobots.co.uk<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"426\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-23-01-1024x426.png\" alt=\"\" class=\"wp-image-4524\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-23-01-1024x426.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-23-01-300x125.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-23-01-768x319.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-23-01-1536x639.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-23-01-585x243.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-23-01.png 1851w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityEvent\n| where AccountType == 'User'\n| where EventID in (4624, 4625)\n| summarize Unique_Accounts = dcount(Account), Attempts = count(), Succeeded=countif(EventID == 4624), Failed=countif(EventID == 4625) by IpAddress\n| where Failed &gt; 0\n| order by Succeeded&gt;0, todouble(Succeeded)\/Attempts asc, Attempts desc\n| project IP = IpAddress, Succeeded, Attempts, Unique_Accounts<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Sentinel Incidents<\/h2>\n\n\n\n<p>Based on some of the pre-build Analytics rules &#8211; Microsoft Sentinel gives a couple of alerts that indicate successful RDP Brute Force attempts.<\/p>\n\n\n\n<p><strong>Analytics rules related to RDP activity<\/strong><\/p>\n\n\n\n<ul>\n<li>Rare RDP Connections<\/li>\n\n\n\n<li>RDP Brute Force Attack<\/li>\n\n\n\n<li>RDP Nesting<\/li>\n\n\n\n<li>ML Behavior Analytics: Anomalous RDP login detections<\/li>\n\n\n\n<li>Multiple authentication failures followed by a success<\/li>\n\n\n\n<li>Fusion Alert<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Fusion alert &#8211; Preview: Possible multistage attack activities detected by Fusion <\/strong><\/h3>\n\n\n\n<p>Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain.<\/p>\n\n\n\n<p>Recommended: <a href=\"https:\/\/www.youtube.com\/watch?v=lmXHAAFBoPw&amp;ab_channel=MicrosoftSecurityCommunity\">Webinar Fusion ML Detections | Microsoft Security Community<\/a><\/p>\n\n\n\n<p>Fusion is enabled by default in Microsoft Sentinel, as an&nbsp;analytics rule&nbsp;called&nbsp;<strong>Advanced multistage attack detection<\/strong>.<\/p>\n\n\n\n<p>Sentinel Incident:<\/p>\n\n\n\n<p>It starts with suspicious authentication activity (PreAttack), following (Initial Access) which confirms the successful brute force attack.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"453\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-30-21-1024x453.png\" alt=\"\" class=\"wp-image-4516\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-30-21-1024x453.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-30-21-300x133.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-30-21-768x339.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-30-21-1536x679.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-30-21-585x259.png 585w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-30-21.png 1941w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Sentinel Investigation:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"497\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-28-59-1024x497.png\" alt=\"\" class=\"wp-image-4515\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-28-59-1024x497.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-28-59-300x146.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-28-59-768x373.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-28-59-1536x745.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-28-59-2048x994.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-28-59-585x284.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><span style=\"font-size: revert; color: initial;\">Multiple authentication failures followed by a success<\/span> <\/strong><\/h3>\n\n\n\n<p>Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt<\/p>\n\n\n\n<p>Sentinel Investigation:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"421\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-58-11-1024x421.png\" alt=\"\" class=\"wp-image-4534\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-58-11-1024x421.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-58-11-300x123.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-58-11-768x316.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-58-11-1536x631.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-58-11-2048x842.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-58-11-585x240.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Sentinel Alert details:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"242\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-54-08-1024x242.png\" alt=\"\" class=\"wp-image-4533\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-54-08-1024x242.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-54-08-300x71.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-54-08-768x181.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-54-08-1536x363.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-54-08-2048x483.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_22-54-08-585x138.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Defender for Cloud alerts<\/h2>\n\n\n\n<p>Enabling the Analytics rule &#8220;Create incidents based on Microsoft Defender for Cloud&#8221; creates incidents coming from Defender for Cloud in Microsoft Sentinel. The following alerts are created:<\/p>\n\n\n\n<ul>\n<li>Suspicious authentication activity<\/li>\n\n\n\n<li>Successful brute force attack<\/li>\n\n\n\n<li>Successful logon from known brute-force source<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"667\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_23-54-41-1024x667.png\" alt=\"\" class=\"wp-image-4537\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_23-54-41-1024x667.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_23-54-41-300x195.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_23-54-41-768x500.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_23-54-41-1536x1001.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_23-54-41-2048x1334.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_23-54-41-585x381.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Defender for Cloud shows all information that is related to the successful brute force attack. Affected resource, number of successful authentication attempts\/ failed authentication attempts to host, and more useful information.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-38-03-1024x514.png\" alt=\"\" class=\"wp-image-4518\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-38-03-1024x514.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-38-03-300x151.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-38-03-768x386.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-38-03-1536x772.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-38-03-2048x1029.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_20-38-03-585x294.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Sentinel Investigation:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"461\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-28-42-1-1024x461.png\" alt=\"\" class=\"wp-image-4535\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-28-42-1-1024x461.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-28-42-1-300x135.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-28-42-1-768x346.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-28-42-1-1536x692.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-28-42-1-2048x923.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-28-42-1-585x264.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Custom Sentinel Analytics<\/h2>\n\n\n\n<p>Build-in there are rules available for detecting some of the RDP brute force attempts. When needed it is possible to enable custom Analytics which gives an incident\/ alert and create custom mappings.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SecurityEvent\n| where EventID == 4625\n| project TimeGenerated, EventID, WorkstationName, LogonTypeName, Account, Computer, IpAddress\n| extend AccountEntity = Account\n| extend IPEntity = IpAddress\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"642\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27-1024x642.png\" alt=\"\" class=\"wp-image-4526\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27-1024x642.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27-300x188.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27-768x482.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27-1536x963.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27-2048x1285.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27-585x367.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Bonus content T-Pot Honeypot<\/h2>\n\n\n\n<p>T-Pot Honeypot is&nbsp;a virtual machine with multiple Honeypots created by Deutsche Telekom. It is based on docker images which makes it quite easy to deploy, it combines some technologies, such as docker, ElasticSearch, and others. The honeypot daemons as well as other support components are dockered.<\/p>\n\n\n\n<p>More information: <a href=\"https:\/\/github.com\/telekom-security\/tpotce\">Github.com\/telekom-security\/tpotce<\/a><\/p>\n\n\n\n<p>T-Pot can be used for honeypot data collection which is focussing on more public services. T-Pot launched out of the box a standard set of docker containers.<\/p>\n\n\n\n<p>The following honeypots are available:<\/p>\n\n\n\n<ul>\n<li><a href=\"https:\/\/github.com\/huuck\/ADBHoney\">adbhoney<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Cymmetria\/ciscoasa_honeypot\">ciscoasa<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/MalwareTech\/CitrixHoneypot\">citrixhoneypot<\/a>,<\/li>\n\n\n\n<li><a href=\"http:\/\/conpot.org\/\">conpot<\/a>,<\/li>\n\n\n\n<li><a href=\"http:\/\/www.micheloosterhof.com\/cowrie\/\">cowrie<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/aelth\/ddospot\">ddospot<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/nsmfoo\/dicompot\">dicompot<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/DinoTools\/dionaea\">dionaea<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/gitlab.com\/bontchev\/elasticpot\">elasticpot<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/skeeto\/endlessh\">endlessh<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/mushorg\/glutton\">glutton<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/johnnykv\/heralding\">heralding<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/yunginnanet\/HellPot\">hellpot<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/qeeqbox\/honeypots\">honeypots<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/foospidy\/HoneyPy\">honeypy<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/SecureAuthCorp\/HoneySAP\">honeysap<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/armedpot\/honeytrap\/\">honeytrap<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/gitlab.com\/bontchev\/ipphoney\">ipphoney<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/thomaspatzke\/Log4Pot\">log4pot<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/awhitehatter\/mailoney\">mailoney<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/schmalle\/medpot\">medpot<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/cypwnpwnsocute\/RedisHoneyPot\">redishoneypot<\/a>,<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/citronneur\/rdpy\">rdpy<\/a>,<\/li>\n\n\n\n<li><a href=\"http:\/\/mushmush.org\/\">snare<\/a>,<\/li>\n\n\n\n<li><a href=\"http:\/\/mushmush.org\/\">tanner<\/a><\/li>\n<\/ul>\n\n\n\n<p>The Dashboard section contains a list of pre-built dashboards by the T-Pot team. The <strong>&gt;T-Pot<\/strong> dashboard will show us all the data together, in one place, while the other dashboards will show only data from a specific honeypot.  <\/p>\n\n\n\n<p>T-Pot runs a short time in my demo environment. Interesting is the amount of data that is available (IP mappings\/ ASN\/ Passwords). <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"516\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-28-47-1024x516.png\" alt=\"\" class=\"wp-image-4511\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-28-47-1024x516.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-28-47-300x151.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-28-47-768x387.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-28-47-1536x774.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-28-47-2048x1031.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-28-47-585x295.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"373\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-38-59-1024x373.png\" alt=\"\" class=\"wp-image-4513\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-38-59-1024x373.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-38-59-300x109.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-38-59-768x280.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-38-59-1536x559.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-38-59-2048x746.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-38-59-585x213.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>RDPY<\/strong>: RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server-side). RDPY is built over the event-driven network engine Twisted. RDPY support standard RDP security layer, RDP over SSL and NLA authentication (through ntlmv2 authentication protocol).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"424\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-31-38-1024x424.png\" alt=\"\" class=\"wp-image-4512\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-31-38-1024x424.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-31-38-300x124.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-31-38-768x318.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-31-38-1536x636.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-31-38-2048x848.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_00-31-38-585x242.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Prevent the RDP brute force attacks<\/h2>\n\n\n\n<p>With Microsoft Sentinel you can detect the types of RDP Brute force attacks. It is better to prevent an attack from happening. Based on the data explained in the blog; RDP attacks are still heavily used. <strong>Organizations should never put RDP directly on the Internet<\/strong>. There are multiple solutions available for protecting against RDP Brute force attacks.&nbsp;<\/p>\n\n\n\n<p>Features which can be used;<\/p>\n\n\n\n<ul>\n<li>VPN<\/li>\n\n\n\n<li>JIT (Just-in-time) access<\/li>\n\n\n\n<li>Azure Bastion<\/li>\n\n\n\n<li>MFA<\/li>\n<\/ul>\n\n\n\n<p>RDP configuration should be a high-priority item in all IT environments. The next blog will focus more on the attacks performed by attackers. <\/p>\n\n\n\n<p><strong>Tip:<\/strong>&nbsp;Don\u2019t use the default&nbsp;<strong>administrator&nbsp;<\/strong>name or anything including <strong>admin<\/strong>.<\/p>\n\n\n\n<p>If you have any questions regarding these topics, feel free to reach out.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For many years, abuse of Remote Desktop Protection (RDP) has been the most common root cause of all ransomware events. At the moment one of the most common attacks against VMs in Azure\/ AWS or other clouds is based on&#8230;<\/p>\n","protected":false},"author":1,"featured_media":4526,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[189],"tags":[208],"table_tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>What happens without RDP protection after 24+ hours in Microsoft Sentinel &amp; Microsoft security products<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What happens without RDP protection after 24+ hours in Microsoft Sentinel &amp; Microsoft security products\" \/>\n<meta property=\"og:description\" content=\"For many years, abuse of Remote Desktop Protection (RDP) has been the most common root cause of all ransomware events. At the moment one of the most common attacks against VMs in Azure\/ AWS or other clouds is based on...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/\" \/>\n<meta property=\"og:site_name\" content=\"Jeffrey Appel - Microsoft Security blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-23T20:18:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-27T21:19:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2484\" \/>\n\t<meta property=\"og:image:height\" content=\"1558\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeffrey\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffrey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/\",\"url\":\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/\",\"name\":\"What happens without RDP protection after 24+ hours in Microsoft Sentinel & Microsoft security products\",\"isPartOf\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png\",\"datePublished\":\"2022-03-23T20:18:47+00:00\",\"dateModified\":\"2023-07-27T21:19:29+00:00\",\"author\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\"},\"breadcrumb\":{\"@id\":\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#primaryimage\",\"url\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png\",\"contentUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png\",\"width\":2484,\"height\":1558},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jeffreyappel.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What happens without RDP protection after 24+ hours in Microsoft Sentinel &#038; Microsoft security products\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jeffreyappel.nl\/#website\",\"url\":\"https:\/\/jeffreyappel.nl\/\",\"name\":\"Jeffrey Appel - Microsoft Security blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jeffreyappel.nl\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\",\"name\":\"Jeffrey\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"caption\":\"Jeffrey\"},\"url\":\"https:\/\/jeffreyappel.nl\/author\/contact\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What happens without RDP protection after 24+ hours in Microsoft Sentinel & Microsoft security products","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/","og_locale":"en_US","og_type":"article","og_title":"What happens without RDP protection after 24+ hours in Microsoft Sentinel & Microsoft security products","og_description":"For many years, abuse of Remote Desktop Protection (RDP) has been the most common root cause of all ransomware events. At the moment one of the most common attacks against VMs in Azure\/ AWS or other clouds is based on...","og_url":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/","og_site_name":"Jeffrey Appel - Microsoft Security blog","article_published_time":"2022-03-23T20:18:47+00:00","article_modified_time":"2023-07-27T21:19:29+00:00","og_image":[{"width":2484,"height":1558,"url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png","type":"image\/png"}],"author":"Jeffrey","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jeffrey","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/","url":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/","name":"What happens without RDP protection after 24+ hours in Microsoft Sentinel & Microsoft security products","isPartOf":{"@id":"https:\/\/jeffreyappel.nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#primaryimage"},"image":{"@id":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#primaryimage"},"thumbnailUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png","datePublished":"2022-03-23T20:18:47+00:00","dateModified":"2023-07-27T21:19:29+00:00","author":{"@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42"},"breadcrumb":{"@id":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#primaryimage","url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png","contentUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2022\/03\/2022-03-22_21-33-27.png","width":2484,"height":1558},{"@type":"BreadcrumbList","@id":"https:\/\/jeffreyappel.nl\/rdp-brute-force-detection-in-microsoft-sentinel-and-other-defender-products\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jeffreyappel.nl\/"},{"@type":"ListItem","position":2,"name":"What happens without RDP protection after 24+ hours in Microsoft Sentinel &#038; Microsoft security products"}]},{"@type":"WebSite","@id":"https:\/\/jeffreyappel.nl\/#website","url":"https:\/\/jeffreyappel.nl\/","name":"Jeffrey Appel - Microsoft Security blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jeffreyappel.nl\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42","name":"Jeffrey","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","caption":"Jeffrey"},"url":"https:\/\/jeffreyappel.nl\/author\/contact\/"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/4498"}],"collection":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/comments?post=4498"}],"version-history":[{"count":32,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/4498\/revisions"}],"predecessor-version":[{"id":7293,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/4498\/revisions\/7293"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media\/4526"}],"wp:attachment":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media?parent=4498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/categories?post=4498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/tags?post=4498"},{"taxonomy":"table_tags","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/table_tags?post=4498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}