Jan 17 2018 03:09 AM
Our auditors request a detection capability for brute-force attempts (even if this is unlikely with a ten-char complex password), so I tried to simulate this, but ATP did not identify any suspicious activity.
Is this something that could be added?
This is the (old fashioned) script I used for this simulation:
for /l %i in (1,1,100) do net use x: \\<my domain name>\c$ /user:administrator BadPassword#%i
Jan 17 2018 05:32 AM
Hi Steffen,
Had the Administrator user logged on successfully from the machine you were running the script on?
If your script is using the same password all the time for the same user, I do not think this is really considered a brute-force.
There are two flavors of brute-force detection.
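To make concrete what a detector would have to see in the logs from a loop like the one in the first post, here is an added example that is not part of this thread and not ATP's own logic. It builds a small set of constructed Windows-style logon events (4625 = failed logon, 4624 = successful logon, the real event IDs; all other values are made up) and runs two sliding-window heuristics over them, which are my assumption of what the "two flavors" commonly mean: many failures against one account from one source (single-account guessing) and one source failing against many distinct accounts (password spraying). The thresholds, window length and field names are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 4625 = failed logon, 4624 = successful logon (Windows Security event IDs).
# Events here are a constructed, simplified subset of the real record fields.
def failed_logons(start, source, accounts, spacing):
    """One 4625 event per entry in `accounts`, `spacing` seconds apart (constructed data)."""
    return [{"ts": start + timedelta(seconds=spacing * i), "event_id": 4625,
             "account": acct, "source": source}
            for i, acct in enumerate(accounts)]

def detect_bruteforce(events, window=timedelta(minutes=5),
                      per_account_threshold=20, spray_threshold=10):
    """Return alerts for two assumed brute-force patterns (not the product's rules):
    - 'single-account': >= per_account_threshold failures for one (source, account)
      pair inside `window`
    - 'spray': one source fails against >= spray_threshold distinct accounts inside `window`
    Each pattern fires at most once per key so a long run yields one alert, not hundreds."""
    failures = sorted((e for e in events if e["event_id"] == 4625), key=lambda e: e["ts"])
    per_pair = defaultdict(deque)      # (source, account) -> timestamps in window
    per_source = defaultdict(deque)    # source -> (timestamp, account) in window
    fired, alerts = set(), []
    for e in failures:
        now = e["ts"]
        # single-account flavor: repeated failures for the same account from one host
        pair = (e["source"], e["account"])
        q = per_pair[pair]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        if len(q) >= per_account_threshold and ("single", pair) not in fired:
            fired.add(("single", pair))
            alerts.append({"type": "single-account", "source": e["source"],
                           "account": e["account"], "count": len(q),
                           "first": q[0], "last": now})
        # spray flavor: one host touching many different accounts
        s = per_source[e["source"]]
        s.append((now, e["account"]))
        while now - s[0][0] > window:
            s.popleft()
        distinct = {acct for _, acct in s}
        if len(distinct) >= spray_threshold and ("spray", e["source"]) not in fired:
            fired.add(("spray", e["source"]))
            alerts.append({"type": "spray", "source": e["source"],
                           "accounts": len(distinct), "first": s[0][0], "last": now})
    return alerts

def demo():
    """Constructed scenario: the 100-attempt loop, a benign typo, and a spray."""
    t0 = datetime(2018, 1, 17, 9, 0, 0)
    events = []
    # 1) what a 100-iteration loop against 'administrator' from one host looks like
    events += failed_logons(t0, "WKS01", ["administrator"] * 100, spacing=1)
    # 2) benign: alice mistypes twice, then logs on successfully; must not alert
    events += failed_logons(t0 + timedelta(minutes=5), "WKS02", ["alice"] * 2, spacing=5)
    events.append({"ts": t0 + timedelta(minutes=5, seconds=15), "event_id": 4624,
                   "account": "alice", "source": "WKS02"})
    # 3) spray: one host, one failure each against 12 different accounts
    events += failed_logons(t0 + timedelta(minutes=10), "WKS03",
                            [f"user{i:02d}" for i in range(12)], spacing=3)
    return detect_bruteforce(events)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two points the example makes explicit: a failed-logon record does not contain the password that was tried, so "100 different passwords" and "the same password 100 times" look identical to a detector that only counts 4625 events, which is why a rule has to key on counts per account and per source rather than on the guesses themselves; and a successful 4624 for an account does nothing here, so the question of whether prior successful logons from the same machine should suppress an alert is a separate policy decision layered on top of this kind of counting.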
Jan 18 2018 01:04 AM
Hi Gershon,
the script uses 100 different passwords to connect. I re-ran it after successfully logging in with the account first, but there is no event triggered. I also tried multiple wrong passwords in an RDP session; maybe the trigger is very relaxed and will only identify a real machine-based brute-force attack. I'll need to get a test tool, I suppose.
Jan 18 2018 03:09 AM
Hi Steffen,
Can you try using a user account that has not successfully logged into the machine that you are running the script on?
Can you also increase the password count a little?
Thanks
Gershon
Jan 22 2018 06:32 AM
Hi Gershon,
I tried with another account and a larger number of attacks - still no alerts were generated. Do you have any suggestion for a real brute-force tool to see if it's possible to generate an alert at all?
Best regards
Steffen