Forum Discussion

shawn harry
Iron Contributor
Jan 14, 2020

Brute Force Attack

Recently I noticed a Brute Force Attack occurring on a LAN AAD Joined PC. This PC is opened up to the internet using RDP on a non-standard port. Fortunately the account the attackers guessed was non-existent. I noticed this attack whilst doing routine FW maintenance and noticed on the target PC a number of failed logins in the audit logs. This PC is protected by MCAS, as well as enrolled into MDATP & Intune, and only Cloud Identities using Windows Hello are able to log in to the PC.

I'm curious as to why MDATP did not detect this behaviour, or is this something MDATP can't handle as the attacker was targeting local accounts on the PC?
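As an added example that is not part of this thread, the following Python check runs over constructed lines in the shape of a Windows Security event 4625 (failed logon) text export and flags source IPs that accumulate several RDP logon failures inside a short window, counting how many targeted non-existent accounts, which is the pattern the post above found in the audit logs. The line format, field names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security event 4625 (failed logon) lines as they might
# appear in a text export. LogonType=10 is RemoteInteractive (RDP); SubStatus
# 0xC0000064 = user name does not exist, 0xC000006A = wrong password.
SAMPLE_EVENTS = """\
2020-01-12T02:14:01 4625 TargetUserName=administrator LogonType=10 IpAddress=203.0.113.7 SubStatus=0xC0000064
2020-01-12T02:14:03 4625 TargetUserName=admin LogonType=10 IpAddress=203.0.113.7 SubStatus=0xC0000064
2020-01-12T02:14:04 4625 TargetUserName=test LogonType=10 IpAddress=203.0.113.7 SubStatus=0xC0000064
2020-01-12T02:14:06 4625 TargetUserName=user LogonType=10 IpAddress=203.0.113.7 SubStatus=0xC0000064
2020-01-12T02:14:11 4625 TargetUserName=guest LogonType=10 IpAddress=203.0.113.7 SubStatus=0xC0000064
2020-01-12T09:30:00 4625 TargetUserName=shawn LogonType=10 IpAddress=198.51.100.20 SubStatus=0xC000006A
2020-01-12T09:30:15 4625 TargetUserName=shawn LogonType=10 IpAddress=198.51.100.20 SubStatus=0xC000006A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) 4625 TargetUserName=(?P<user>\S+) LogonType=(?P<lt>\d+) "
                     r"IpAddress=(?P<ip>\S+) SubStatus=(?P<sub>0x[0-9A-Fa-f]+)$")
UNKNOWN_USER = 0xC0000064
RDP = 10

def parse_events(text):
    """Yield (timestamp, user, logon_type, ip, substatus) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], int(m["lt"]),
                   m["ip"], int(m["sub"], 16))

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` RDP failures inside one `window`;
    many failures against names that do not exist signal guessing, not a typo."""
    by_ip = defaultdict(list)
    for ts, user, lt, ip, sub in parse_events(text):
        if lt == RDP:
            by_ip[ip].append((ts, user, sub))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        # sliding window over the time-ordered events for this source
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                alerts[ip] = {"failures": len(events),
                              "accounts": sorted({u for _, u, _ in events}),
                              "unknown_accounts": sum(s == UNKNOWN_USER for _, _, s in events)}
                break
    return alerts
```

The same grouping can be fed from `Get-WinEvent` output on the affected host; the point is to alert on a burst of failures from one source, not on a single bad password.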

  • shawn harry  Just wondering if you had Azure ATP installed - it sounds like that is the tool that would normally pick up this behaviour?

      shawn harry
      Iron Contributor

      David Caddick Hi David. No, not using Azure ATP. My environment is cloud only so Azure ATP is not an option. This was a local account that was attacked though, so I'd expect the heuristics at least in MDATP to detect a brute force.
