Forum Discussion

DS99
Copper Contributor
Mar 07, 2025

Alerts don't work? - EDR source

Hi,

I'm new to Defender and I want to understand a couple of things.

I deployed Defender P2 on a Windows host and I tried to attack it with RDP brute force.

The Timeline shows me that the technique used is T1110:BruteForce, but I don't see any alert in the console.

Is this normal? Is there a way to tell Defender that it must create an alert when it sees a brute force attack?

Even worse with a couple of tests on a Linux host.

I'm sure that the EDR is engaged because I tested the alert with the default scripts.

Even with the execution of a rootkit...

Thanks


3 Replies

  • DS99
    Copper Contributor

    Hi DylanInfosec,

    thank you very much for the explanation on the rdp part, it was very thorough.

    At the moment I'm more interested in the Linux part, because I ran various tests with https://github.com/redcanaryco/atomic-red-team and I can't understand if it's normal that they aren't detected, but probably yes.

    This is the rootkit test that I mentioned and I can't see the alert: 

    https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md#atomic-test-3---dynamic-linker-based-rootkit-libprocesshider

    I also tried these https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md and these work with the alert.

    I also ran the default test for onboarding on Linux (as you mentioned before) and it works as expected, so Defender is installed correctly.

    So my opinion at the moment is that the Windows part is accurate.

    Instead, the Linux part not so much.

    Thanks in advance for the help


  • DylanInfosec
    Iron Contributor

    Hey DS99 ,

    In the Device Timeline you will notice that almost every line is tagged with an ATT&CK TTP that COULD be associated with the event, but that doesn't mean that's what occurred. When first getting started with MDE this can be very confusing and I'll admit, I thought the same thing. The alerts displayed on the Device Timeline will stick out as they have the detection name and severity next to them, see here:

    taken from:  https://learn.microsoft.com/en-us/defender-endpoint/device-timeline-event-flag

    And just to confirm, you confirmed everything was working with one of these: EDR detection test for verifying device's onboarding and reporting services


    I'll be honest, I can't for the life of me recall if it will alert specifically on RDP brute force OOB, nor remember seeing alerts triggered outside of my own or via Defender for Identity. There are tons of community-created detections you can save in your instance, and blogs on the matter. Also, some cool research by Microsoft: A probabilistic time series model for detecting RDP inbound brute force attacks, and Windows 11 development for built-in detection and prevention: Windows 11 now blocks RDP brute-force attacks by default.

    You're more likely to receive an incident with alerts grouped under a broader name, "Credential Access by single user" or "Suspicious RDP connections".

    P.S. If I remember correctly, Microsoft, when brought in for active investigations, will ask to deploy MDI in the environment due to its robust detection capabilities. And if you have MDE deployed to servers, it's now basically a one-click install from the XDR: Microsoft Defender for Identity

    KQL for RDP Bruteforce - DeviceLogonEvents

    DeviceLogonEvents
    // RDP logons are recorded as RemoteInteractive; keep only the failed ones
    | where LogonType == "RemoteInteractive" and ActionType == "LogonFailed"
    // count failures per target device and source IP in fixed 20-minute buckets
    | summarize FailedAttempts = count() by DeviceName, RemoteIP, bin(Timestamp, 20m)
    // keep only buckets with at least 5 failures
    | where FailedAttempts >= 5
    | project Timestamp, DeviceName, RemoteIP, FailedAttempts

    This will take all logon events from all devices and then summarize each one into its own bucket and display those where at least 5 RDP logon attempts occurred within a 20-minute bucket of time. Obviously, feel free to adjust this for what best fits your environment and your comfort level.

    One Microsoft-owned resource you can use to test your MDE implementation is the Microsoft Defender Testground

    Another amazing tool you'll need for your journey: KQL Search


    Hopefully this helps a bit.

    Good luck,

    Dylan

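As an added, runnable illustration of the bucketing logic in Dylan's KQL query (this is not code from the thread or from Microsoft), the Python below re-implements the same filter (RemoteInteractive + LogonFailed), the same bin(Timestamp, 20m) aggregation and the same threshold of 5 over a handful of constructed DeviceLogonEvents-style rows. It goes one step beyond the query with a sliding-window variant, because fixed bins have a blind spot worth knowing about: a burst of six failures that straddles a 20-minute boundary is counted as 3 + 3 and never reaches the threshold. The field names follow the DeviceLogonEvents columns used in the query; the hostnames, IPs and timestamps are invented test data.

```python
"""Added example: offline re-implementation of the RDP brute-force hunting
query from the thread, run over constructed DeviceLogonEvents-style rows.
Not the thread's code or Microsoft's; hosts, IPs and times are invented."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BIN = timedelta(minutes=20)   # bin(Timestamp, 20m) in the KQL
THRESHOLD = 5                 # FailedAttempts >= 5 in the KQL
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_timestamp(ts, size=BIN):
    """Floor ts to the start of its fixed-size bucket, like KQL bin()."""
    return EPOCH + (ts - EPOCH) // size * size


def is_failed_rdp(e):
    """The KQL where-clause: RDP logons are LogonType RemoteInteractive."""
    return e["LogonType"] == "RemoteInteractive" and e["ActionType"] == "LogonFailed"


def failed_rdp_bursts(events, threshold=THRESHOLD, bin_size=BIN):
    """Fixed-bucket aggregation with the same semantics as the query's
    summarize / where / project: one row per (device, IP, bucket) over threshold."""
    counts = Counter(
        (e["DeviceName"], e["RemoteIP"], bin_timestamp(e["Timestamp"], bin_size))
        for e in events if is_failed_rdp(e)
    )
    rows = [
        {"Timestamp": ts, "DeviceName": dev, "RemoteIP": ip, "FailedAttempts": n}
        for (dev, ip, ts), n in counts.items() if n >= threshold
    ]
    return sorted(rows, key=lambda r: (r["Timestamp"], r["DeviceName"], r["RemoteIP"]))


def failed_rdp_bursts_sliding(events, threshold=THRESHOLD, window=BIN):
    """Sliding-window variant (goes beyond the KQL): flag a (device, IP) pair
    if ANY span shorter than `window` holds >= threshold failures, so a burst
    that straddles a fixed bin boundary is not split and missed."""
    by_pair = defaultdict(list)
    for e in events:
        if is_failed_rdp(e):
            by_pair[(e["DeviceName"], e["RemoteIP"])].append(e["Timestamp"])
    rows = []
    for (dev, ip), times in sorted(by_pair.items()):
        times.sort()
        best, best_start, left = 0, None, 0
        for right, t in enumerate(times):
            while t - times[left] >= window:   # shrink until the span fits the window
                left += 1
            if right - left + 1 > best:
                best, best_start = right - left + 1, times[left]
        if best >= threshold:
            rows.append({"Timestamp": best_start, "DeviceName": dev,
                         "RemoteIP": ip, "FailedAttempts": best})
    return rows


# Constructed test data (TEST-NET addresses, invented hostnames).
BASE = datetime(2025, 3, 7, 10, 0, tzinfo=timezone.utc)


def _ev(minute, device, ip, logon_type="RemoteInteractive", action="LogonFailed"):
    return {"Timestamp": BASE + timedelta(minutes=minute), "DeviceName": device,
            "RemoteIP": ip, "LogonType": logon_type, "ActionType": action}


SAMPLE_EVENTS = (
    [_ev(m, "win-host", "203.0.113.7") for m in range(1, 8)]          # 7 RDP failures in one bin -> flagged
    + [_ev(8, "win-host", "203.0.113.7", action="LogonSuccess")]      # success: excluded by the filter
    + [_ev(m, "win-host", "198.51.100.5") for m in (5, 9, 12)]        # 3 typos by a legit user -> below threshold
    + [_ev(m, "win-host", "203.0.113.7", logon_type="Network") for m in range(30, 36)]  # network logons, not RDP
    + [_ev(m, "win-host-2", "203.0.113.7") for m in (17, 18, 19, 21, 22, 23)]  # 6 failures split 3/3 across bins
)

if __name__ == "__main__":
    for r in failed_rdp_bursts(SAMPLE_EVENTS):
        print("fixed bins:", r)
    for r in failed_rdp_bursts_sliding(SAMPLE_EVENTS):
        print("sliding   :", r)
```

Run as-is, the fixed-bin function flags only win-host / 203.0.113.7 with 7 failures, exactly what the KQL would return for this data, while the sliding variant additionally flags win-host-2 with 6. In KQL the sliding behaviour is harder to express than bin(), so a common compromise is to run the bucketed query with overlapping bins or to pair it with a "LogonSuccess after N failures from the same RemoteIP" query, which is the event that actually matters.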