Brute Force Attack


Recently I noticed a Brute Force Attack occurring on a LAN AAD Joined PC. This PC is opened up to the internet using RDP on a non-standard port. Fortunately the account the attackers guessed was non-existent. I noticed this attack whilst doing routine FW maintenance and noticed on the target PC a number of failed logins in the audit logs. This PC is protected by MCAS, as well as enrolled into MDATP & Intune, and only Cloud Identities using Windows Hello are able to log in to the PC.

I'm curious as to why MDATP did not detect this behaviour, or is this something MDATP can't handle as the attacker was targeting local accounts on the PC?
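The failed logins the original poster found in the audit log are Windows Security event 4625 records. Added here as an example (not code from the poster or from Microsoft), this script runs simple brute-force detection over a constructed sample of such events: it flags any source IP with a burst of failed logons inside a short window and lists which of the guessed accounts do not exist (SubStatus 0xC0000064). The event field names, the threshold and the window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4625 fields (time, source IP, target account,
# NTSTATUS SubStatus, logon type). Logon type 10 = RemoteInteractive (RDP).
# SubStatus 0xC0000064 = user name does not exist; 0xC000006A = bad password.
SAMPLE_EVENTS = [
    {"time": "2020-01-10T02:14:01", "ip": "198.51.100.7", "user": "administrator", "substatus": "0xC0000064", "logon_type": 10},
    {"time": "2020-01-10T02:14:09", "ip": "198.51.100.7", "user": "administrator", "substatus": "0xC0000064", "logon_type": 10},
    {"time": "2020-01-10T02:14:20", "ip": "198.51.100.7", "user": "admin", "substatus": "0xC0000064", "logon_type": 10},
    {"time": "2020-01-10T02:14:33", "ip": "198.51.100.7", "user": "admin", "substatus": "0xC0000064", "logon_type": 10},
    {"time": "2020-01-10T02:14:47", "ip": "198.51.100.7", "user": "administrator", "substatus": "0xC0000064", "logon_type": 10},
    {"time": "2020-01-10T02:15:02", "ip": "198.51.100.7", "user": "admin", "substatus": "0xC0000064", "logon_type": 10},
    # A legitimate user mistyping a password twice: below threshold, not flagged.
    {"time": "2020-01-10T08:30:00", "ip": "203.0.113.5", "user": "jsmith", "substatus": "0xC000006A", "logon_type": 10},
    {"time": "2020-01-10T08:31:10", "ip": "203.0.113.5", "user": "jsmith", "substatus": "0xC000006A", "logon_type": 10},
]

THRESHOLD = 5                 # failed logons from one source IP ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose densest burst of failed logons
    reaches `threshold` inside `window`. Each alert carries the burst size,
    its time span and the guessed accounts that do not exist locally."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start, best = 0, None
        for end in range(len(evs)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[1]):
                best = (start, n)
        if best:
            hits = evs[best[0]:best[0] + best[1]]
            alerts.append({
                "ip": ip,
                "count": best[1],
                "first": hits[0]["time"],
                "last": hits[-1]["time"],
                "nonexistent": sorted({e["user"] for e in hits if e["substatus"] == "0xC0000064"}),
            })
    return alerts
```

Running the same logic over a real export of 4625 events (for example from Get-WinEvent) gives a quick independent check of what the endpoint product did or did not alert on.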

3 Replies

@shawn harry Can anyone, ideally from the MDATP PG, provide some guidance here please?

@shawn harry  Just wondering if you had Azure ATP installed - it sounds like that is the tool that would normally pick up this behaviour?

@David Caddick Hi David. No, not using Azure ATP. My environment is cloud only, so Azure ATP is not an option. This was a local account that was attacked though, so I'd expect the heuristics at least in MDATP to detect a brute force at least.