cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ATA LWG not reading Bruteforce Attacks

marc.biessy
Copper Contributor

‎Sep 26 2018 05:15 AM - last edited on ‎Nov 30 2021 10:07 AM by

‎Sep 26 2018 05:15 AM - last edited on ‎Nov 30 2021 10:07 AM by

ATA LWG not reading Bruteforce Attacks

I have two lightweight Gateways deployed in a test environment, both of those are versions 1.9.

 

When I am attempting BruteForce attacks against the DCs (around 500), no alerts are being displayed in ATA Center. However i verified and the events are created on the DC.

Is it an expected behavior ? Is there a setting, which needs to be enabled on the DC or in ATA Center ?

 

Thank you

1,262 Views
0 Likes
4 Replies
Reply
4 Replies
Tali Ash

‎Sep 27 2018 01:37 AM

‎Sep 27 2018 01:37 AM

Re: ATA LWG not reading Bruteforce Attacks

Hi Marc,

 

Which protocol did you use? NTLM or Kerberos?

I guess NTLM because you see the events in the DC, do you see events 4776?

 

You can see here the configurations that should be validated: https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step6

The LWGW supposed to read these events automatically. 

 

Thanks,

Tali

0 Likes
Reply
marc.biessy

‎Oct 09 2018 07:31 AM

‎Oct 09 2018 07:31 AM

Re: ATA LWG not reading Bruteforce Attacks

Hi Tali,

 

Thank you for your answer. I can see the events 4776, however no attacks have been detected.

0 Likes
Reply
Tali Ash

‎Oct 09 2018 08:04 AM

‎Oct 09 2018 08:04 AM

Re: ATA LWG not reading Bruteforce Attacks

Hi Marc,

 

From where did you try to generate the BF?

If normally a lot of users authenticate from this machine we won't generate BF from it.

 

Thanks,

Tali

 

0 Likes
Reply
marc.biessy

‎Oct 09 2018 09:14 AM

‎Oct 09 2018 09:14 AM

Re: ATA LWG not reading Bruteforce Attacks

I tried to generate the traffic from two different machine, first a client connected to the domain, then from the ATA Center.

I generated more than 100 error logs, which is abnormal for the account, but it wasn't reported. How does the Gateway count for user account that are locked out but for which there are still brute force attempts ?

0 Likes
Reply