mehmetemin
Level 7

Corre: Successfull Local Host Login after Brute Force Attempts

Hi,

I want to learn something about the "Successfull Local Host Login after Brute Force Attempts" correlation rule.

In this rule there is a group by (Destination IP). So a local host is attempting a brute force, and after the first events (10 times in 10 mins) another local host logs in successfully. But they are different local hosts. These steps are correct, but Group by Destination IP is the default value, which is our DC server's.

What do you think about this? Is it normal?

Thanks.

5 Replies
kmc
Level 12

Re: Corre: Successfull Local Host Login after Brute Force Attempts

This detection searches for the trigger of "Brute Force Login Attempts on a Local Host" (rule 47-4000010) followed by an event in the normalization category of "Host Login" with an Event Subtype of "Success", and a context of either "External to Internal" or "Internal to Internal".

Yes, it's normal, but a successful login by any other host during a brute force by another host is not normal.

mehmetemin
Level 7

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Hi

Thanks for fast response.

You can see in the image (highlighted in red) Group By: Destination IP.

This rule is correct as you said before, but in the event logs I see that the destination IP is the Domain Controller's IP, so in every Windows logon event the server checks the domain with the DC. I think this correlation rule is not totally correct. We should add an "AND the destination IP is not the DC's IP" condition to this rule.

[image: groupby_destinationIP.JPG]

kmc
Level 12

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Yes, you can exclude it. On the other hand, you can also add Source IP to the group by field, so whenever multiple failed login attempts by a unique source IP to a unique destination IP are followed by a successful login from the same source and destination IP, the event will trigger.

mehmetemin
Level 7

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Thanks

If I change the group by to "Source IP, Destination IP": when the same source IP attempts a brute force against the destination IP, AND then the same source IP logs on to the same destination IP successfully, AND the destination IP is not the DC server's: action alert.

Is it useful?

kmc
Level 12

Re: Corre: Successfull Local Host Login after Brute Force Attempts

Yes, of course, but it never triggers brute-force alerts for destination IPs that are DC servers.

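The three rule variants discussed in this thread (group by Destination IP only; group by Source IP and Destination IP; the latter plus a DC exclusion), reproduced as an added example that is not part of the thread and is not McAfee ESM rule logic or code. It is a small standalone correlator over constructed login events in which 10.0.0.5 stands in for the domain controller; the event fields, the 10-minute window, the threshold of 10, and the sample timings are assumptions chosen to match the thread's description. Running it shows why the destination-only grouping fires on the unrelated workstation's normal domain logon, why adding the source IP to the group by removes that false positive, and why the DC exclusion also silences the genuine success against the DC, which is the caveat raised in the last reply.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). 10.0.0.5 plays the domain
# controller: every successful interactive logon on a member host also shows
# up as a "Host Login" success whose destination is the DC, as the thread notes.
DC_IP = "10.0.0.5"
BASE = datetime(2024, 1, 1, 9, 0, 0)


def ev(offset_s, src, dst, outcome):
    """Build one normalised login event; offset_s is seconds after BASE."""
    return {"ts": BASE + timedelta(seconds=offset_s), "src": src,
            "dst": dst, "outcome": outcome}


SAMPLE_EVENTS = (
    # 10 failed logons from 10.0.0.50 against the DC, one every 30 s
    [ev(i * 30, "10.0.0.50", DC_IP, "failure") for i in range(10)]
    # an unrelated workstation logs on normally; the DC is its destination too
    + [ev(300, "10.0.0.77", DC_IP, "success")]
    # the brute-forcing host then succeeds against the DC
    + [ev(360, "10.0.0.50", DC_IP, "success")]
    # same source, 10 failures then a success against a member server
    + [ev(600 + i * 30, "10.0.0.50", "10.0.0.20", "failure") for i in range(10)]
    + [ev(900, "10.0.0.50", "10.0.0.20", "success")]
    # a user mistyping a password three times: below threshold, no alert
    + [ev(1200 + i * 30, "10.0.0.60", "10.0.0.20", "failure") for i in range(3)]
    + [ev(1320, "10.0.0.60", "10.0.0.20", "success")]
)


def correlate(events, group_by=("src", "dst"), threshold=10,
              window=timedelta(minutes=10), exclude_dst=frozenset()):
    """Return alerts for 'success after >= threshold failures within window'.

    group_by   -- event fields that form the correlation key (the ESM
                  'Group By' setting in the thread)
    exclude_dst -- destination IPs to drop before correlating (the
                  'destination IP is not the DC' condition)
    """
    failures = defaultdict(deque)  # key -> timestamps of recent failures
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["dst"] in exclude_dst:
            continue
        key = tuple(event[field] for field in group_by)
        recent = failures[key]
        # Expire failures that fell out of the sliding window.
        while recent and event["ts"] - recent[0] > window:
            recent.popleft()
        if event["outcome"] == "failure":
            recent.append(event["ts"])
        elif event["outcome"] == "success" and len(recent) >= threshold:
            alerts.append({"ts": event["ts"], "src": event["src"],
                           "dst": event["dst"], "failures": len(recent),
                           "group_by": group_by})
            recent.clear()  # reset so one burst yields one alert
    return alerts


def pairs(alerts):
    """(source, destination) pairs of the alerts, in firing order."""
    return [(a["src"], a["dst"]) for a in alerts]


if __name__ == "__main__":
    print("dst only:      ", pairs(correlate(SAMPLE_EVENTS, group_by=("dst",))))
    print("src+dst:       ", pairs(correlate(SAMPLE_EVENTS)))
    print("src+dst, no DC:", pairs(correlate(SAMPLE_EVENTS,
                                             exclude_dst=frozenset({DC_IP}))))
```

With the destination-only key the first alert names 10.0.0.77, the workstation that merely completed a normal domain logon, which is exactly the false positive described in the thread; the source-plus-destination key instead names 10.0.0.50 for both bursts, and adding the DC exclusion leaves only the member-server alert, so the brute force that actually succeeded against the DC goes unreported.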