Is there a way to get Password Spraying alert in InTrust to see devices instead of the domain controllers?

Trying to set up Password Spraying, but it looks like it is only showing the IP of the Domain Controller. Of course the domain controller is going to send this alert. We want to catch computers trying to password spray, not domain controller failed logins; that feature has been available for years.

  • Hi Curtis,

    Sorry for the delay. I also tried the rule. On one of the member servers I emulated malicious activity by trying to run a process under a number of existing users with a bad password. I got the following email:

    InTrust Major alert - Potential password spraying (multiple failed logons for valid accounts) from ::ffff:10.10.12.96.

    There were at least 15 failed logons for valid accounts from source address ::ffff:10.10.12.96 within 60 seconds.
    The list of account names: Dummy.User1, Dummy.User2, Dummy.User3, Dummy.User4, Dummy.User5, Dummy.User6, Dummy.User7, Dummy.User8, Dummy.User9, Dummy.User10, Dummy.User11, Dummy.User12, Dummy.User13, Dummy.User14, Dummy.User15.

    Alert was generated on computer <DC name>.
    Alert was generated at Tue Feb 11 18:46:59 2020 (Tue Feb 11 10:46:59 2020 GMT).

    Yes, the alert comes from the DC, but the address 10.10.12.96 corresponds to the device where the malicious activity happened. So please clarify your conditions and what you expect; let's try to tune the rule in your environment.
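To make the reply's point concrete, here is an added example (my own code, not InTrust's rule logic or anything from Quest): it groups constructed failed-logon records by source address, unwraps the IPv4-mapped IPv6 form (`::ffff:10.10.12.96`) that the alert printed so the result names the device rather than the DC, and flags any source with at least 15 distinct valid accounts failing inside a sliding 60-second window, which is the condition the alert text describes. The record layout, field order and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample records (timestamp, source address as the alert showed it, account).
# 15 distinct accounts fail from one host within 15 seconds; a second host has 3 failures
# spread out so that only two of them fall inside any 60-second window.
SAMPLE_EVENTS = [
    (f"2020-02-11 18:46:{10 + i:02d}", "::ffff:10.10.12.96", f"Dummy.User{i}")
    for i in range(1, 16)
] + [
    ("2020-02-11 18:40:00", "::ffff:10.10.12.50", "Dummy.User1"),
    ("2020-02-11 18:47:30", "::ffff:10.10.12.50", "Dummy.User2"),
    ("2020-02-11 18:47:40", "::ffff:10.10.12.50", "Dummy.User3"),
]

def normalise_source(addr):
    """Turn the IPv4-mapped IPv6 form '::ffff:10.10.12.96' into the plain device IP."""
    ip = ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def detect_spraying(events, threshold=15, window_seconds=60):
    """Return {source_ip: sorted account list} for every source address that has
    failed logons for at least `threshold` distinct accounts within any sliding
    window of `window_seconds`: many accounts, one source, as in the alert text."""
    by_source = defaultdict(list)
    for ts, src, account in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_source[normalise_source(src)].append((when, account))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, recs in by_source.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most window_seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            accounts = {account for _, account in recs[start:end + 1]}
            if len(accounts) >= threshold:
                hits[src] = sorted(accounts)
                break
    return hits

if __name__ == "__main__":
    for src, accounts in detect_spraying(SAMPLE_EVENTS).items():
        print(f"Potential password spraying from {src}: {', '.join(accounts)}")
```

The second host never trips the default rule because its failures are too far apart, which is the same reason a tuned window can separate a slow drip of mistyped passwords from a spray.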
