PASSED
security / brute_force

RDP Brute Force — Distributed Attack

Multiple IP addresses are brute forcing RDP on a Windows server exposed to the internet. 10 IPs rotating through common username/password combinations.

Pattern: UNKNOWN
Expected: BRUTE_FORCE_ATTACK
Severity: MEDIUM
Confidence: 68%
Remediation: Auto-Heal

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | BRUTE_FORCE_ATTACK | UNKNOWN |
Severity Assessment | CRITICAL | MEDIUM |
Incident Correlation | N/A | None |
Cascade Escalation | N/A | No |
Remediation | Auto-Heal — Corax resolves autonomously

Scenario Conditions

Windows Server 2022. RDP on port 3389 exposed to internet. No NLA required. 10 source IPs. 200 attempts/min total. Account lockout not configured.

Injected Error Messages (1)

RDP brute force — distributed attack from 10 IPs, 200 failed login attempts per minute, Event ID 4625 flooding Security log, NLA not enforced, account lockout policy missing

Neural Engine Root Cause Analysis

Unrecognized error pattern — this may be a new type of failure not yet cataloged.

Remediation Plan

Trigger autonomous healing to diagnose and fix. Manual investigation may be needed if healing cannot resolve.

Improvements Applied

  • Pattern unrecognized — consider adding keywords for BRUTE_FORCE_ATTACK
  • Severity: MEDIUM (expected CRITICAL)
Tested: 2026-04-02 | Monitors: 1 | Incidents: 1 | Test ID: cmnhnoo5z0012lig7akduntym