Forum Discussion

Copper Contributor

Sep 26, 2018

ATA LWG not reading Bruteforce Attacks

I have two lightweight Gateways deployed in a test environment, both of those are versions 1.9. When I am attempting BruteForce attacks against the DCs (around 500), no alerts are being displayed...

Tali Ash

Former Employee

Sep 27, 2018

Hi Marc,

Which protocol did you use? NTLM or Kerberos?

I guess NTLM because you see the events in the DC, do you see events 4776?

You can see here the configurations that should be validated: https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step6

The LWGW supposed to read these events automatically.

Thanks,

Tali

marc.biessy

Copper Contributor

Oct 09, 2018

Hi Tali,

Thank you for your answer. I can see the events 4776, however no attacks have been detected.

Tali Ash
Former Employee
Oct 09, 2018
Hi Marc,

From where did you try to generate the BF?

If normally a lot of users authenticate from this machine we won't generate BF from it.

Thanks,

Tali
- marc.biessy
  Copper Contributor
  Oct 09, 2018
  I tried to generate the traffic from two different machine, first a client connected to the domain, then from the ATA Center.
  I generated more than 100 error logs, which is abnormal for the account, but it wasn't reported. How does the Gateway count for user account that are locked out but for which there are still brute force attempts ?