I'd say use a watchlist for the source user.
Based on the correlation rules currently in ESM, it looks like it is looking for the same user to fail, then succeed. I guess the technical term for what I am trying to detect is a reverse brute-force. The attacker would try one password, let's say they use "Password". The attacker could take a list of users to see if "Password" works. I would like to detect that this kind of brute-force is occurring, and if there is a success. I would like to detect multiple failed logins on the same system from a number of different users. Then I would like to detect multiple failed logins on the same system from a number of different users with a success. This would mean an attacker found a user with a valid password that was guessed.
The 47-4000012 "Login - Brute Force Login Attempts from a Single Source" rule seems to do pretty much what you are talking about. If you also want to check for a specific Source User, just take the existing rule as a template and add a check for UserIDSrc in a watchlist.
The sig ID you are suggesting doesn't seem to come up either. I am currently trying this brute-force out, and I am not seeing anything from the IP address I am coming from. Sig ID 47-4000013 "Login - Successful Login after Brute Force Attempts from a Single Source" should work too, but I am not seeing this pop up either.
I think rule 47-4000137 "Suspicious - User Logon from Multiple IP Addresses" is probably a closer match for what you want in terms of approach. If you can switch the roles of "Source IP" and "Source User" I think that should do it.
A few caveats:
- You will have to either change the default aggregation settings or turn off aggregation for the events you want to track since the default aggregation will hide all but the last username in the aggregation group.
- Case sensitivity and user aliases need to be taken into account and these are not handled well in the correlation engine.
This is definitely helpful. The issue I am having now with this is detecting a successful login after this original event has been triggered. I have attempted to add a sequence to detect a successful login event, and it still doesn't seem to be working.
Can you provide what you have done so far?
There are a few things I have done. I have tried creating my own rule and nothing was flagged. I have taken the rule that comes out of the box and added an alert, and nothing flags. I have edited the rule so that it also looks for a specific sig ID, 43-263046110, and that generates a large number of false positives. I am using this sig ID because this is what is generated when there is a successful login to a domain server. When looking at correlation rule 47-4000012, I am not sure if it is looking for unique user IDs. Any help would be much appreciated.
I recently set up my own, and it works well. I have an alarm set up that will blacklist the offending IP at the McAfee IPS.
Group By: Source IP
NumEvents = 10
Normalization Rule In [Login]
Event Subtype (in) [failure]
UserIDSrc (in) [My Watchlist of accounts to look for]
Additional Filters: I have mine also filtering out internal sources and looking at specific servers in an internet facing DMZ.
Note: Your watchlist needs to contain the proper case. I have mine set up with mixed case, upper and lower. I have attached a copy of the ones I use, which are generic accounts I have often seen people try to use.
Attachment: restricted_accounts.txt.zip (809 bytes)
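The spray-then-success logic the original question asks for, and the group-by-source-IP watchlist rule in the post above, as an added Python example. This is not ESM's correlation engine and not the poster's rule; it approximates the same logic in plain code so the two behaviours can be seen side by side: failures are keyed by source IP, distinct usernames are counted inside a sliding window (so a single account failing repeatedly, the classic brute force, does not fire), the failures can optionally be restricted to a watchlist of account names, and a success from the same source after the threshold is met is raised as a separate alert. The log format, the sample lines, the watchlist contents and the thresholds are all constructed for the example. Unlike ESM as described in the thread, the example can normalize case; running it case-sensitively with a lowercase watchlist reproduces the caveat that "Administrator" is silently missed unless the watchlist carries the exact case.

```python
"""Password-spray ("reverse brute-force") detector over constructed auth events.

Added example, not McAfee ESM code. Event format (hypothetical):
    "<epoch_seconds> <src_ip> <dst_host> <user> <failure|success>"
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class AuthEvent(NamedTuple):
    ts: int
    src_ip: str
    dst_host: str
    user: str
    outcome: str  # "failure" or "success"


# Constructed sample log: one source sprays five accounts then succeeds as
# svc_sql; a second source hammers a single account (brute force, not spray).
SAMPLE_LOG = """\
1000 10.9.8.7 dc01 Administrator failure
1001 10.9.8.7 dc01 admin failure
1002 10.9.8.7 dc01 guest failure
1003 10.9.8.7 dc01 test failure
1004 10.9.8.7 dc01 backup failure
1005 10.9.8.7 dc01 svc_sql success
1010 10.1.1.1 dc01 jsmith failure
1011 10.1.1.1 dc01 jsmith failure
1012 10.1.1.1 dc01 jsmith failure
1013 10.1.1.1 dc01 jsmith failure
1014 10.1.1.1 dc01 jsmith failure
1015 10.1.1.1 dc01 jsmith success
"""

# Hypothetical watchlist of generic accounts, deliberately all lowercase so the
# case-sensitive run below shows the "proper case" caveat from the thread.
WATCHLIST = {"administrator", "admin", "guest", "test", "root"}


def parse(text: str) -> List[AuthEvent]:
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, user, outcome = line.split()
        events.append(AuthEvent(int(ts), src, dst, user, outcome))
    return events


def detect(events: List[AuthEvent], min_users: int = 10, window: int = 300,
           watchlist: Optional[set] = None, case_insensitive: bool = True) -> List[dict]:
    """Return alerts: a 'spray' when one source fails against >= min_users
    distinct accounts within `window` seconds, and a 'success_after_spray'
    when the same source then authenticates successfully within `window`
    of the last qualifying failure (the success is keyed on source only,
    because the point is that the attacker found a working account)."""
    norm = (lambda u: u.lower()) if case_insensitive else (lambda u: u)
    wl = {norm(u) for u in watchlist} if watchlist else None
    failures: Dict[str, List[tuple]] = defaultdict(list)  # src_ip -> [(ts, user)]
    sprayed: Dict[str, int] = {}  # src_ip -> ts of last failure at/over threshold
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        src = ev.src_ip
        if ev.outcome == "failure":
            u = norm(ev.user)
            if wl is not None and u not in wl:
                continue  # not a watched account; ESM's UserIDSrc-in-watchlist filter
            q = failures[src]
            q.append((ev.ts, u))
            # Slide the window: drop failures older than `window` seconds.
            failures[src] = q = [(t, x) for t, x in q if ev.ts - t <= window]
            users = {x for _, x in q}
            if len(users) >= min_users:
                if src not in sprayed:  # alert once per source, then keep re-arming
                    alerts.append({"type": "spray", "src_ip": src, "users": len(users),
                                   "first_ts": q[0][0], "last_ts": ev.ts})
                sprayed[src] = ev.ts
        elif ev.outcome == "success":
            t0 = sprayed.get(src)
            if t0 is not None and ev.ts - t0 <= window:
                alerts.append({"type": "success_after_spray", "src_ip": src,
                               "user": ev.user, "ts": ev.ts})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in detect(evs, min_users=5, window=60):
        print(a)
    print("case-sensitive, lowercase watchlist:",
          detect(evs, min_users=4, window=60, watchlist=WATCHLIST, case_insensitive=False))
```

With `min_users=5` and no watchlist the first source produces a `spray` alert followed by a `success_after_spray` for `svc_sql`, while the second source, which fails five times against one account, produces nothing, which is the distinction between this rule and a plain failed-login count. With the watchlist and `case_insensitive=False`, `Administrator` never matches the lowercase entry, only three watched accounts are counted, and no alert fires; that is the behaviour the thread's "proper case" note is warning about.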