FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rduggal_FTNT
Staff
Article Id 361030
Description: This article describes how to detect brute-force attempts in the protected environment with FortiEDR Threat Hunting and how to block the resulting lateral movement.
Scope: Applies to both on-premises and cloud FortiEDR environments.
Solution:

Detecting a brute-force attack with event logs:

Imagine an attacker attempting a brute-force attack after successful reconnaissance of well-known open ports and services (RDP, SSH, NTLM-authenticated services and so on) that can be leveraged for brute-force attempts. The following event log details are crucial for detecting the attempt and for taking the required action: blocking access from the attacker's source to the victim on the firewall.

 

Event ID 4625 (Windows): Multiple failed login attempts can indicate the brute-force attempt.

Event ID 4648 (Windows): Successful logon using explicit credentials, signaling potential compromise.

Status code      Description
0xC0000064       username does not exist
0xC000006A       username is correct but the password is wrong

Note: The information above is useful for performing forensics and taking the necessary actions.

1. Configure a TH Collection profile with logging enabled and assign collector groups to it.

2. Go to Threat Hunting -> create a TH query with EventLog.EventID: 4625 -> Schedule Query -> assign the classification Malicious or Suspicious -> repeat every 15 minutes and save it.

3. The query now runs every 15 minutes, and if any such attempts are detected within the network, the query raises an alert.

4. Select the event, select Threat Hunting, then look for the failure reason. If the code is 0xC0000064 or 0xC000006A with multiple attempts, it confirms a brute-force attempt.

5. Block access on the firewall from the source IP or IPs learned from Threat Hunting.
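As an added worked example (not part of this Fortinet article and not FortiEDR code), the following Python script applies the same triage logic offline: it reads constructed 4625 records, keeps only those carrying the two sub-status codes from the table above, counts failures per source inside the 15-minute window that the scheduled query uses, and returns the source IPs that would be blocked on the firewall. The record field names and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sub-status codes from the article's table; only these count towards a brute-force verdict
BRUTE_FORCE_SUBSTATUS = {
    "0xC0000064": "username does not exist",
    "0xC000006A": "username is correct but the password is wrong",
}

BASE = datetime(2024, 5, 1, 10, 0)

def event(minute, src, substatus, event_id=4625):
    # One constructed log record; field names are assumptions, not the FortiEDR schema
    return {"EventID": event_id, "Time": BASE + timedelta(minutes=minute),
            "SourceIP": src, "SubStatus": substatus}

# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = (
    [event(m, "10.0.0.23", "0xC000006A") for m in range(6)]             # 6 wrong passwords in 6 min
    + [event(m, "10.0.0.9", "0xC0000064") for m in range(0, 120, 20)]   # 6 failures spread over 2 h
    + [event(3, "10.0.0.50", "0xC0000234") for _ in range(6)]           # other sub-status (lockout)
    + [event(7, "10.0.0.23", None, event_id=4648)]                      # explicit-credential logon
)

def detect_brute_force(events, threshold=5, window_minutes=15):
    """Map each source IP to the largest number of 4625 failures with a brute-force
    sub-status it produced inside any window of `window_minutes`; return only the
    sources that reach `threshold`."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["SubStatus"] in BRUTE_FORCE_SUBSTATUS:
            by_source[e["SourceIP"]].append(e["Time"])
    flagged = {}
    for ip, times in by_source.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def firewall_block_list(events, **kw):
    """Sorted source IPs to block on the firewall (step 5 above)."""
    return sorted(detect_brute_force(events, **kw))

if __name__ == "__main__":
    for ip, n in detect_brute_force(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failed logons with a brute-force sub-status within 15 min")
    print("block:", firewall_block_list(SAMPLE_EVENTS))
```

The slow source 10.0.0.9 is not flagged with the default window because its six failures never fall inside one 15-minute span, which is why the window and threshold should be tuned to the environment rather than taken from the sample.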

If any problems are still encountered, open a new technical support ticket for further assistance: Support Fortinet.