Detect Username Guessing Brute Force Attacks

The below will detect a form of brute force which most will miss. Whereas other scripts detect multiple logins against a single account, they fail to detect 4 failed logins against 40 accounts.

This first checks for all accounts having an account login failure of 4 or more, it then checks for the quantity of accounts that have failed by 4 or more (5 in the below example). So if someone attempts to login with 4 or more different passwords unsuccessfully on 5 or more accounts, the alarm will trip.

 

Share This:

Comments

  1. John

    I like it, but these are the modifications I made to resolve some issues I had and output more information about the accounts involved. Cleans up the time also.

    sourcetype=wineventlog EventCode=4625 OR EventCode=4624
    | bin _time span=5m as minute
    | stats count(Keywords) as Attempts,
    count(eval(match(Keywords,”Audit Failure”))) as Failed,
    count(eval(match(Keywords,”Audit Success”))) as Success by minute user
    | where Failed>=4
    |stats values(user) AS userlist dc(user) AS Total BY minute
    | where Total>5
    | eval minute=strftime(minute,”%m/%d/%y %H:%M:%S”)

Leave A Comment?