
Corre: Successfull Local Host Login after Brute Force Attempts

Hi,

I want to learn about the "Successfull Local Host Login after Brute Force Attempts" correlation rule.

In this rule there is a Group By (Destination IP). So a local host attempts a brute force, and after the first events (10 times in 10 mins) another local host logs in successfully. But they are different local hosts. These steps are correct, but the Destination IP in the Group By is, by default, our DC server's.

What do you think about this? Is it normal?

Thanks.

7 Replies
kmc
Reliable Contributor
Message 2 of 8

Re: Corre: Successfull Local Host Login after Brute Force Attempts

This detection searches for the trigger of "Brute Force Login Attempts on a Local Host" (rule 47-4000010) followed by an event in the normalization category of "Host Login" with an Event Subtype of "Success", and a context of either "External to Internal" or "Internal to Internal".

Yes, it's normal, but a successful login by any other host during a brute force by another host is not normal.

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Hi

Thanks for fast response.

You can see in the image (highlighted in red) Group By: Destination IP.

This rule is correct, as you said before, but in the event logs I see that the destination IP is the Domain Controller's IP, so in every Windows logon event the server checks the domain with the DC. I think this correlation rule is not totally correct. We should add "AND the destination IP is not the DC's IP" to this rule.

[image: groupby_destinationIP.JPG]

kmc
Reliable Contributor
Message 4 of 8

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Yes, you can exclude it. On the other hand, you can also add Source IP into the Group By field, so whenever multiple failed login attempts by a unique IP to a unique destination IP are followed by a successful login from the same source and destination IP, the event will trigger.

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Thanks

If I change the Group By to "Source IP, Destination IP": when the same source IP attempts a brute force against the destination IP AND then the same source IP logs on to the same destination IP successfully and the destination IP is not the DC server's: action alert.

Is it useful?

kmc
Reliable Contributor
Message 6 of 8

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Yes, of course, but then it never triggers brute-force alerts for IPs destined to DC servers.

jamesmac
Level 10
Message 7 of 8

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Bumping this...

I have a somewhat different issue. I want to detect someone trying to get brute-force access to Office 365/Azure AD.

Now the customer funnels all traffic through one IP address, so I get something like this triggering an alert:

  • Failed login from user A at 1.1.1.1
  • Failed login from user B at 1.1.1.1
  • Failed login from user A at 1.1.1.1
  • Failed login from user B at 1.1.1.1
  • Failed login from user C at 1.1.1.1
  • Successful login from user D at 1.1.1.1

meaning I get lots of false positives. I need the logic to force the successful login to be from the same Source User as well as the same Source IP address. How would I do that? (on v11.1.3)

Many thanks

James

David1111
Reliable Contributor
Message 8 of 8

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Hi, great question.

Just add "Source User" to the "Group By" field at the top as well.

How do you do it?

Click on the star icon on the right.

Choose "Source User" and move it to the right.

Don't forget to roll out 🙂

Best Regards👍👍👍

David.
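To make the Group By discussion concrete (kmc's suggestion to group by Source IP and Destination IP and exclude the DC, and David's suggestion to add Source User for James's NAT case), here is a small added illustration. It is not McAfee ESM's rule engine or rule 47-4000010; it is a toy sliding-window correlation written for this thread. The event field names, the DC address 10.0.0.10, the NAT address 1.1.1.1 and the user names are constructed; the 10-attempts-in-10-minutes threshold is taken from the thread.

```python
"""Toy model of a "successful login after brute force" correlation rule.

Added illustration, not McAfee ESM's engine or rule 47-4000010.
Each event is a dict: ts (seconds), src_ip, dst_ip, user, outcome ("fail"
or "success").  The rule fires when a successful login arrives while at least
`threshold` failed logins sharing the same Group By key occurred in the
preceding `window` seconds (10 attempts / 10 minutes, as in the thread).
"""
from collections import defaultdict, deque


def correlate(events, group_by, threshold=10, window=600, exclude_dst=()):
    """Return one alert dict per successful login that completes a brute-force burst.

    group_by    -- event fields that form the correlation key, e.g. ("dst_ip",),
                   ("src_ip", "dst_ip") or ("src_ip", "user")
    exclude_dst -- destination IPs never alerted on (the "AND NOT DC's IP" idea)
    """
    failures = defaultdict(deque)   # key -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[field] for field in group_by)
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:   # slide the window
            recent.popleft()
        if ev["outcome"] == "fail":
            recent.append(ev["ts"])
        elif ev["outcome"] == "success" and ev["dst_ip"] not in exclude_dst:
            if len(recent) >= threshold:
                alerts.append({"key": dict(zip(group_by, key)), "ts": ev["ts"],
                               "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"],
                               "user": ev["user"], "failures": len(recent)})
                recent.clear()                              # one alert per burst
    return alerts


def _ev(ts, src_ip, dst_ip, user, outcome):
    return {"ts": ts, "src_ip": src_ip, "dst_ip": dst_ip,
            "user": user, "outcome": outcome}


# --- Constructed sample data (all addresses and names are invented) ---------
DC = "10.0.0.10"   # domain controller: every workstation logon is audited against it

# Scenario 1 (the original question): host 10.0.0.5 produces 10 failed logons in
# 5 minutes, then an unrelated host 10.0.0.6 logs on normally.  Both carry the
# DC as dst_ip, so "Group By: Destination IP" alone lumps them together.
SCENARIO_DC = [_ev(t, "10.0.0.5", DC, "alice", "fail") for t in range(0, 300, 30)]
SCENARIO_DC.append(_ev(320, "10.0.0.6", DC, "bob", "success"))

# Scenario 2 (James's Office 365 case): one NAT address for everyone.  First a
# mix of users A/B/C fail and user D succeeds (benign), then user A fails 10
# times and then succeeds (the case worth alerting on).
NAT = "1.1.1.1"
SCENARIO_NAT = [_ev(t, NAT, "o365", u, "fail")
                for t, u in zip(range(0, 300, 30), "ABABCABCAB")]
SCENARIO_NAT.append(_ev(330, NAT, "o365", "D", "success"))
SCENARIO_NAT += [_ev(t, NAT, "o365", "A", "fail") for t in range(1000, 1300, 30)]
SCENARIO_NAT.append(_ev(1320, NAT, "o365", "A", "success"))


def compare_group_by():
    """Alert counts for each Group By choice discussed in the thread."""
    return {
        "dc: dst_ip only":         len(correlate(SCENARIO_DC, ("dst_ip",))),
        "dc: dst_ip, DC excluded": len(correlate(SCENARIO_DC, ("dst_ip",), exclude_dst={DC})),
        "dc: src_ip + dst_ip":     len(correlate(SCENARIO_DC, ("src_ip", "dst_ip"))),
        "nat: src_ip only":        len(correlate(SCENARIO_NAT, ("src_ip",))),
        "nat: src_ip + user":      len(correlate(SCENARIO_NAT, ("src_ip", "user"))),
    }


if __name__ == "__main__":
    for label, count in compare_group_by().items():
        print(f"{label:26s} -> {count} alert(s)")
    for a in correlate(SCENARIO_NAT, ("src_ip", "user")):
        print("alert:", a)
```

Running it shows the trade-offs the thread describes: grouping by Destination IP alone fires on the DC scenario (one false positive), while either excluding the DC or adding Source IP to the key silences it; for the NAT scenario, grouping by Source IP alone fires twice (the benign user D case included), and adding Source User keeps only the burst where the same user failed ten times and then succeeded. Note that excluding the DC address means a real brute force whose events all carry the DC as destination is also never alerted, which is the caveat kmc raises.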
