Could ATP identify Brute Force attempts?


Our auditors request a detection capability for brute force attempts (even if this is unlikely with a ten char complex password), so I tried to simulate this but ATP did not identify any suspicious activity.


Is this something that could be added?


This is the (old fashioned) script I used for this simulation:

for /l %i in (1,1,100) do net use x: \\<my domain name>\c$ /user:administrator BadPassword#%i

4 Replies

Hi Steffen, 


Had the Administrator user logged successfully from the machine you were running the script? 


If your script is using the same password all the time for the same user, I do not think this is really considered a brute-force. 


There are two flavors of brute-force detection. 

https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide#suspicious-authentication-failures


https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide#brute-force-attack-using-ldap-simple-bind
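The second flavour linked above is brute force via LDAP simple bind. The following is an added example for this thread, not Steffen's script and not Microsoft code: a lab-only simulation that performs LDAP simple binds against your own domain controller with a distinct wrong password on every attempt (repeating one wrong password is not a brute force), and that stops as soon as the directory reports the account as locked out instead of hammering a locked account. The domain controller name, the test account and the password list are placeholders; the test account should be a throwaway account that has never logged on from the host running the script, and -UseLdaps is recommended because a simple bind on port 389 sends the candidate password in cleartext.

```powershell
# Added example (not from the original thread): lab-only LDAP simple-bind
# brute-force simulation against your own DC.
# Assumptions (placeholders for your lab):
#   $DomainController - the DC to bind to
#   $TestUser         - a throwaway account that has never logged on from this host
#   -UseLdaps         - bind on 636 with TLS so bad passwords do not cross the wire in clear
param(
    [string]$DomainController = 'dc01.lab.example',
    [string]$TestUser         = 'LAB\bf-test-user',
    [int]   $Attempts         = 300,
    [switch]$UseLdaps
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

$port       = if ($UseLdaps) { 636 } else { 389 }
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $port)
$conn       = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # Basic = LDAP simple bind
$conn.SessionOptions.ProtocolVersion = 3
if ($UseLdaps) { $conn.SessionOptions.SecureSocketLayer = $true }

# AD puts the reason for a failed simple bind in the extended error text,
# e.g. "... AcceptSecurityContext error, data 52e, v4563". Sub-codes of interest:
$reasons = @{
    '52e' = 'bad password'
    '775' = 'account locked out'
    '533' = 'account disabled'
    '773' = 'password must be changed'
    '532' = 'password expired'
}

$summary = [ordered]@{ attempts = 0; success = 0; badPassword = 0; lockedOut = 0; other = 0 }

for ($i = 1; $i -le $Attempts; $i++) {
    $candidate = "BadPassword#$i"       # constructed wordlist: a different wrong password each time
    $conn.Credential = New-Object System.Net.NetworkCredential($TestUser, $candidate)
    $summary['attempts']++
    try {
        $conn.Bind()
        $summary['success']++
        Write-Warning "Attempt ${i}: bind succeeded, the test account's password is in the list; stop and rotate it."
        break
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        $code   = if ($_.Exception.ServerErrorMessage -match 'data ([0-9a-f]{3})') { $Matches[1] } else { '' }
        $reason = if ($reasons.ContainsKey($code)) { $reasons[$code] } else { "unknown (LDAP error $($_.Exception.ErrorCode))" }
        switch ($code) {
            '52e'   { $summary['badPassword']++ }
            '775'   { $summary['lockedOut']++; Write-Warning "Attempt ${i}: $reason, stopping." }
            default { $summary['other']++;     Write-Warning "Attempt ${i}: $reason" }
        }
        if ($code -eq '775') { break }   # lockout reached: further attempts only prove the lockout policy
    }
    catch {
        $summary['other']++
        Write-Warning "Attempt ${i}: $($_.Exception.Message)"
    }
    Start-Sleep -Milliseconds 200        # keep the burst readable when you correlate it with the DC's audit log
}

$conn.Dispose()
[pscustomobject]$summary
```

Run it from a machine where the test account has never logged on, as suggested in this thread, and compare the returned counters with what the domain controller's security audit log and the ATP console show for the same window. Whether a given number of attempts produces an ATP alert depends on the product's own thresholds, which this thread does not state.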

Hi Gershon,


The script uses 100 different passwords to connect. I re-ran it after successfully logging in with the account first, but there is no event triggered. I also tried multiple wrong passwords in an RDP session; maybe the trigger is very relaxed and will only identify a real machine-based brute force attack. I'll need to get a test tool, I suppose.

Hi Steffen, 


Can you try using a user account that has not successfully logged into the machine from which you are running the script?


Can you also increase the password count a little? 


Thanks

Gershon


Hi Gershon,


I tried with another account and a larger number of attacks - still no alerts generated. Do you have any suggestion for a real brute-force tool to see if it's possible to generate an alert at all?


Best regards

Steffen