Brute Force Attack

shawn harry · ‎Jan 14 2020

Recently i noticed a Brute Force Attack occurring on a LAN AAD Joined PC. This PC is opened up to the internet using RDP on a non-standard port. Fortunately the account the attackers guessed was non-existent. I noticed this attack whilst doing routine FW maintenance and noticed on the target PC a number of failed logins in the audit logs. This PC is protected by MCAS, as well as enrolled into MDATP & Intune and only Cloud Identity's using Windows Hello are able to login to the PC.

Im curious as to why MDATP did not detect this behaviour or is this something MDATP cant handle as the attacker was targeting local accounts on the PC?

shawn harry · ‎Mar 03 2020

@shawn harry Can anyone MDATP PG ideally provide some guidance here please?

David Caddick · ‎Mar 26 2020

@shawn harry Just wondering if you had Azure ATP installed - it sounds like that is the tool that would normally pick up this behaviour?

shawn harry · ‎Mar 27 2020

@David Caddick Hi David. No not using Azure ATP. My environment is cloud only so Azure ATP is not an option. This was a local account that was attacked though so id expect the heuristics at least in MDATP to detect a brute force at least.

Brute Force Attack

Brute Force Attack

Re: Brute Force Attack

Re: Brute Force Attack

Re: Brute Force Attack

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Brute Force Attack