Steffen Siguda
Jan 17, 2018, Copper Contributor
Could ATP identify Brute Force attempts?
Our auditors request a detection capability for brute force attempts (even if this is unlikely with a ten char complex password), so I tried to simulate this but ATP did not identify any suspicious activity.
Is this something that could be added?
This is the (old fashioned) script I used for this simulation:
for /l %i in (1,1,100) do net use x: \\<my domain name>\c$ /user:administrator BadPassword#%i
4 Replies
- Gerson Levitz, Iron Contributor
Hi Steffen,
Had the Administrator user logged in successfully from the machine you were running the script on?
If your script is using the same password all the time for the same user, I do not think this is really considered a brute-force.
There are two flavors of brute-force detection.
- Steffen Siguda, Copper Contributor
Hi Gerson,
The script uses 100 different passwords to connect. I re-ran it after successfully logging in with the account first, but there is no event triggered. I also tried multiple wrong passwords in an RDP session, maybe the trigger is very relaxed and will only identify a real machine-based Brute Force attack. I'll need to get a test tool I suppose.
- Gerson Levitz, Iron Contributor
Hi Steffen,
Can you try using a user account that has not successfully logged into the machine that you are running the script on?
Can you also increase the password count a little?
Thanks
Gershon