Description | This article describes the process to successfully detect Brute Force attempts in the protected environment and block lateral movement. |
Scope | Applies to both On prem and cloud FortiEDR environments. |
Solution |
Detecting a Brute-Force Attack with Event Logs:
Imagine an attacker attempting a brute-force attack after successful reconnaissance of open known ports like RDP, SSH, NTML etc. which can be leveraged for Brute Force attempts. The following event log details would be crucial for detection and take required actions to block access from attacker source to Victim on the Firewall.
Event ID 4625 (Windows): Multiple failed login attempts can indicate the brute-force attempt. Event ID 4648 (Windows): Successful logon using explicit credentials, signaling potential compromise.
Status Codes Description 0xC0000064 username does not exist 0xC000006A username is correct but the password is wrong
Note: The information above is useful to perform forensics and take necessary actions.
If there are still any problems encountered, open a new technical support ticket for further assistance: Support Fortinet. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.