From asi
Detects RDP brute force attacks by parsing Windows Security EVTX logs with python-evtx, analyzing Event IDs 4625/4624 for failed logons, IP frequency, NLA failures, and compromises. For threat hunting and SOC analysis.
Slash command: /asi:detecting-rdp-brute-force-attacks
RDP brute force attacks target Windows Remote Desktop Protocol services by attempting rapid credential guessing against exposed RDP endpoints. Detection relies on analyzing Windows Security Event Logs for Event ID 4625 (failed logon with Logon Type 10 or 3) and correlating with Event ID 4624 (successful logon) to identify compromised accounts. This skill covers parsing EVTX files with python-evtx, identifying attack patterns through source IP frequency analysis, detecting NLA bypass attempts, and generating actionable detection reports.
Requires: python-evtx, lxml libraries
Export Windows Security logs to EVTX format using Event Viewer or wevtutil:
wevtutil epl Security C:\logs\security.evtx
Use python-evtx to parse Event ID 4625 entries, extracting source IP, target username, failure reason (Sub Status), and Logon Type fields.
Identify brute force patterns by:
Produce a JSON report with top attacking IPs, targeted accounts, time-based analysis, and compromise indicators.
JSON report containing:
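The four steps above (export, parse 4625 fields, find patterns, emit a JSON report), worked through as an added example that is not the skill's own code. The analysis takes the per-record XML string that python-evtx's record.xml() returns, so analyze_evtx() runs it over a real export while the constructed sample records below let it run offline with the standard library only. The threshold (5 failures in 10 minutes), the Sub Status table and the sample addresses are assumptions, not values from the skill.

```python
"""Detect RDP brute-force activity in Windows Security events (4625/4624).

Added example, not the skill's own code. parse_event() takes the XML that
python-evtx's record.xml() emits; analyze() correlates failures per source
IP and flags RDP logons that follow them. Thresholds are assumptions.
"""
import json
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RDP_LOGON_TYPES = {"10", "3"}   # 10 = RemoteInteractive, 3 = Network (NLA pre-auth stage)
FAIL_THRESHOLD = 5              # assumed: >= 5 failures from one IP ...
WINDOW = timedelta(minutes=10)  # ... inside a 10 minute sliding window
SUB_STATUS = {                  # common 4625 Sub Status codes (assumed table)
    "0xc000006a": "wrong password",
    "0xc0000064": "user does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}


def parse_event(xml_text):
    """Flatten one Security event's XML into the fields the analysis needs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    when = system.find("e:TimeCreated", NS).get("SystemTime").rstrip("Z")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "event_id": system.find("e:EventID", NS).text,
        "time": datetime.fromisoformat(when),
        "ip": data.get("IpAddress", "-"),
        "user": data.get("TargetUserName", ""),
        "logon_type": data.get("LogonType", ""),
        "sub_status": data.get("SubStatus", "").lower(),
    }


def analyze(events):
    """Build the detection report from parsed 4625/4624 events."""
    failures = defaultdict(list)  # source IP -> failure timestamps
    targets, reasons, nla = Counter(), Counter(), Counter()
    successes = []
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue  # console/service logons are out of scope here
        if ev["event_id"] == "4625":
            failures[ev["ip"]].append(ev["time"])
            targets[ev["user"]] += 1
            reasons[SUB_STATUS.get(ev["sub_status"], ev["sub_status"])] += 1
            if ev["logon_type"] == "3":
                nla[ev["ip"]] += 1  # Network-type failures come from the NLA/CredSSP stage
        elif ev["event_id"] == "4624":
            successes.append(ev)

    attackers = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                attackers[ip] = {"failures": len(times), "nla_failures": nla[ip],
                                 "first_seen": times[0].isoformat(),
                                 "last_seen": times[-1].isoformat()}
                break

    # A successful RDP logon from a flagged IP after its failures began is the
    # strongest indicator that one of the guessed credentials worked.
    compromised = [{"ip": s["ip"], "user": s["user"], "time": s["time"].isoformat()}
                   for s in successes
                   if s["ip"] in attackers and s["time"] >= failures[s["ip"]][0]]
    ranked = sorted(attackers.items(), key=lambda kv: -kv[1]["failures"])
    return {
        "top_attacking_ips": [dict(ip=ip, **info) for ip, info in ranked],
        "targeted_accounts": targets.most_common(10),
        "failure_reasons": dict(reasons),
        "compromise_indicators": compromised,
    }


def report_json(records):
    """JSON report for a list of per-record XML strings."""
    return json.dumps(analyze([parse_event(x) for x in records]), indent=2)


def analyze_evtx(path):
    """Same analysis over a real export (wevtutil epl Security ...); needs python-evtx."""
    from Evtx.Evtx import Evtx  # third-party; only needed for real EVTX files
    with Evtx(path) as log:
        return analyze([parse_event(r.xml()) for r in log.records()])


def _event(event_id, when, ip, user, logon_type, sub_status=""):
    """Constructed Security event XML in the shape python-evtx emits."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>{event_id}</EventID>
<TimeCreated SystemTime="{when}"/></System><EventData>
<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{logon_type}</Data>
<Data Name="IpAddress">{ip}</Data><Data Name="SubStatus">{sub_status}</Data>
</EventData></Event>"""


# Constructed sample: six NLA-stage guesses in 75 seconds from 203.0.113.45 and a
# later successful RDP logon from it; two mistyped passwords from 198.51.100.7;
# one console (Logon Type 2) failure that the RDP filter must ignore.
SAMPLE_RECORDS = (
    [_event(4625, f"2024-03-01T10:{s // 60:02d}:{s % 60:02d}.000000", "203.0.113.45", u, 3, "0xC000006A")
     for s, u in zip(range(0, 90, 15), ["administrator", "admin", "backup", "svc_backup", "test", "guest"])]
    + [_event(4624, "2024-03-01T10:01:45.000000", "203.0.113.45", "svc_backup", 10)]
    + [_event(4625, "2024-03-01T10:05:00.000000", "198.51.100.7", "jsmith", 10, "0xC000006A"),
       _event(4625, "2024-03-01T10:05:20.000000", "198.51.100.7", "jsmith", 10, "0xC000006A")]
    + [_event(4625, "2024-03-01T10:06:00.000000", "-", "jsmith", 2, "0xC000006A")]
)

if __name__ == "__main__":
    print(report_json(SAMPLE_RECORDS))
```

On the sample data only 203.0.113.45 crosses the threshold; 198.51.100.7 stays below it and appears only in the targeted-account counts, which is the behaviour you want so that ordinary typos do not page an analyst. The sliding window matters more than a raw count: a slow spray of one guess every few minutes over a day never has five failures inside ten minutes, so for that case either widen WINDOW or add a second, lower per-day rate, and keep the per-account counter, since a spray hits many accounts from few IPs.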
Install: npx claudepluginhub plurigrid/asi --plugin asi
Analyzes Windows Security Event Logs (EVTX) to detect RDP brute force attacks by parsing failed logon events (4625), successful logons after failures (4624), NLA failures, and source IP frequency.
Detects RDP brute-force attacks by parsing Windows Security EVTX logs for failed logins (4625), successful logins after failures (4624), source IP frequencies, and NLA bypasses using python-evtx.