Monday, September 30, 2019

Brute Force Attack in Windows System - Detection

A brute force attack is a type of attack in which someone tries to authenticate to a system by submitting many different possible passwords. This type of attack is also known as a trial-and-error attack or an exhaustive search attack. We can detect such an attack using an available SIEM tool; however, we first need to define the scope of detection.

What do we call a successful brute force attack?
Multiple failed login events followed by a successful login. So we need to write alert rules that generate a notification whenever such a sequence happens. There are two possible scenarios for our rule:
  1. Multiple failed logins followed by a successful login for the same user account
  2. Multiple failed logins followed by a successful login from the same source IP address
NOTE: we need to define what "multiple" means. Is it 3, 4, 5, 6 or more failures followed by a success? Another thing to ponder is the time duration. Within what duration must these events happen to count as a brute force attack? Is it 1, 2, 3, 4 or 5 minutes?

What is the difference between these two?
The first condition checks for a user whose account is being exploited with different password variations. It does not take into account how many different workstations are being used for the exploit.

The query for this case will be something like the one below:
[5 Failed Login] followed by [Successful Login] on same user

The second condition checks for a source address from which multiple user accounts are being tried:
[5 Failed Login] followed by [Successful Login] on same source IP address

How do we use this in a Windows environment?
We know that event ID 4625 is logged for failed user logons and 4624 for successful user logons. So these two events will be used to detect a possible brute force attack.

  1. [5 event_id=4625 user=*] followed by [event_id=4624 user=*] on same user within 1 minute
  2. [5 event_id=4625 source_address=* ] followed by [event_id=4624 source_address=*] on same source_address within 1 minute | distinct_count(user) as distinctUser by source_address | search distinctUser>1 
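The two rules above written out as plain Python over a constructed sample of 4625/4624 records, as an added illustration that is not part of the original post. It assumes a minimal event dict with time, event_id, user and source_address fields, uses the post's threshold of 5 failures within 1 minute, and interprets distinctUser as the number of distinct accounts among the failures that preceded the success.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failed logons (4625) required before the success
WINDOW = timedelta(minutes=1)  # "within 1 minute" from the rules above

def ev(t, eid, user, src):  # one minimal Security event record (constructed)
    return {"time": datetime.fromisoformat(t), "event_id": eid, "user": user, "source_address": src}

# Constructed sample log, not real telemetry.
SAMPLE = [
    # 10.0.0.5 guesses alice's password 5 times, then gets in: rule 1 fires
    *[ev(f"2019-09-30T10:00:{s:02d}", 4625, "alice", "10.0.0.5") for s in range(0, 25, 5)],
    ev("2019-09-30T10:00:30", 4624, "alice", "10.0.0.5"),
    # 10.0.0.9 tries 5 different accounts, then logs on as bob: rule 2 fires
    *[ev(f"2019-09-30T11:00:{s:02d}", 4625, u, "10.0.0.9")
      for s, u in enumerate(["bob", "carol", "dave", "erin", "frank"])],
    ev("2019-09-30T11:00:10", 4624, "bob", "10.0.0.9"),
    # grace mistypes twice then succeeds: below threshold, no alert
    ev("2019-09-30T12:00:00", 4625, "grace", "10.0.0.7"),
    ev("2019-09-30T12:00:05", 4625, "grace", "10.0.0.7"),
    ev("2019-09-30T12:00:10", 4624, "grace", "10.0.0.7"),
    # heidi: 5 failures, but the success comes 2 minutes later: outside the window
    *[ev(f"2019-09-30T13:00:{s:02d}", 4625, "heidi", "10.0.0.8") for s in range(0, 25, 5)],
    ev("2019-09-30T13:02:00", 4624, "heidi", "10.0.0.8"),
]

def detect(events, key, threshold=THRESHOLD, window=WINDOW):
    """Return (key value, success time, distinct users) for every 4624 that is
    preceded by >= threshold 4625 events sharing `key` within `window`."""
    recent = defaultdict(deque)   # key value -> deque of (time, user) for 4625s
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        q = recent[e[key]]
        while q and e["time"] - q[0][0] > window:   # expire stale failures
            q.popleft()
        if e["event_id"] == 4625:
            q.append((e["time"], e["user"]))
        elif e["event_id"] == 4624 and len(q) >= threshold:
            alerts.append((e[key], e["time"], len({u for _, u in q})))
            q.clear()   # one alert per burst; start counting again
    return alerts

def rule_same_user(events):
    """Rule 1: 5 x 4625 followed by 4624 on the same user within 1 minute."""
    return detect(events, "user")

def rule_same_source(events):
    """Rule 2: same, keyed on source_address, keeping only distinctUser > 1."""
    return [a for a in detect(events, "source_address") if a[2] > 1]
```

On the sample, rule 1 fires once for alice and rule 2 fires once for 10.0.0.9; grace stays below the threshold and heidi's success falls outside the window, so neither produces an alert.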

What should you do after this alert fires?
When this alert is triggered, the following action should be taken:
  • Investigate the source IP address and/or username
