Jan 14 2020 02:20 AM
Recently I noticed a Brute Force Attack occurring on a LAN AAD Joined PC. This PC is opened up to the internet using RDP on a non-standard port. Fortunately the account the attackers guessed was non-existent. I noticed this attack whilst doing routine FW maintenance and noticed on the target PC a number of failed logins in the audit logs. This PC is protected by MCAS, as well as enrolled into MDATP & Intune, and only Cloud Identities using Windows Hello are able to login to the PC.
I'm curious as to why MDATP did not detect this behaviour, or is this something MDATP can't handle as the attacker was targeting local accounts on the PC?
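As an added example (not from this thread and not MDATP's own logic), here is the kind of check the failed-logon audit entries mentioned above support: it runs over constructed Windows event 4625 records, flags a source with repeated RDP failures inside a short window, and counts how many guesses were for accounts that do not exist on the PC. The IPs, account names and timestamps are made up; the sub-status codes and logon types are the documented 4625 values.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample of Windows Security event 4625 ("An account failed to log on")
# records, reduced to the fields this check needs. Values are invented for the example.
def _ev(time, user, ip, logon_type, substatus):
    return {"time": time, "user": user, "ip": ip, "logon_type": logon_type, "substatus": substatus}

SAMPLE_EVENTS = [
    _ev("2020-01-13T02:10:00", "admin",         "198.51.100.7", 10, "0xC0000064"),
    _ev("2020-01-13T02:10:03", "administrator", "198.51.100.7", 10, "0xC0000064"),
    _ev("2020-01-13T02:10:07", "test",          "198.51.100.7", 10, "0xC0000064"),
    _ev("2020-01-13T02:10:11", "scanner",       "198.51.100.7", 10, "0xC0000064"),
    _ev("2020-01-13T02:10:14", "admin",         "198.51.100.7", 10, "0xC0000064"),
    _ev("2020-01-13T02:10:19", "backup",        "198.51.100.7", 10, "0xC0000064"),
    _ev("2020-01-13T02:12:40", "jane",          "10.0.0.5",     10, "0xC000006A"),  # single typo, not an attack
]

USER_DOES_NOT_EXIST = "0xC0000064"  # 4625 sub-status: user name does not exist
WRONG_PASSWORD = "0xC000006A"       # 4625 sub-status: valid user, bad password
RDP_LOGON_TYPES = {10, 3}           # RemoteInteractive; Network is what NLA pre-auth failures log as

def detect_brute_force(events, threshold=5, window_seconds=60):
    """Return {source_ip: summary} for each source with >= threshold RDP logon
    failures inside any sliding window of window_seconds. The summary also counts
    guesses against non-existent accounts, which distinguishes guessing from typos."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] in RDP_LOGON_TYPES:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        times = [dt.datetime.fromisoformat(e["time"]) for e in evs]
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                window = evs[start:end + 1]
                findings[ip] = {
                    "failures": len(window),
                    "accounts": sorted({e["user"] for e in window}),
                    "nonexistent_accounts": sum(e["substatus"] == USER_DOES_NOT_EXIST for e in window),
                }
                break  # first qualifying window is enough to raise the finding
    return findings

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_EVENTS))
```

Feeding real 4625 records in (for example exported from the Security log) only requires mapping the IpAddress, TargetUserName, LogonType and SubStatus fields onto the same keys.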
Mar 03 2020 02:28 PM
@shawn harry Can anyone from the MDATP PG ideally provide some guidance here please?
Mar 26 2020 05:46 PM
@shawn harry Just wondering if you had Azure ATP installed - it sounds like that is the tool that would normally pick up this behaviour?
Mar 27 2020 01:08 AM
@David Caddick Hi David. No, not using Azure ATP. My environment is cloud only so Azure ATP is not an option. This was a local account that was attacked though, so I'd expect the heuristics at least in MDATP to detect a brute force at least.