katycomputersystems 1 Posted February 15, 2018
There was a threat reported against one of our workstations. The event is described as: "Detected attack against security hole". The rule name is: "RDP/Exploit.EsteemAudit". Does ESET resolve this by blocking access from the offending IP address (5.101.6.170)? I am assuming this address tried to access the workstation with an incorrect password. If that's the case and ESET blocks access from the evil doer, how many failed login attempts does ESET allow before the remote address is blocked? Can this parameter be changed in ERA?
itman 1,627 Posted February 15, 2018
The NSA EsteemAudit exploit is targeted at Win XP and Server 2003 devices. Therefore I assume the workstation you are referring to has Win XP installed? If so, you need to verify that all your Win XP devices have applied the Microsoft OS patches against it. Here's a "deep dive" analysis of EsteemAudit: https://researchcenter.paloaltonetworks.com/2017/05/unit42-dissection-esteemaudit-windows-remote-desktop-exploit/
katycomputersystems 1 Posted February 15, 2018 (Author)
The workstation is running Windows 10 Pro version 10.0.16299.
itman 1,627 Posted February 16, 2018 (edited)
1 hour ago, katycomputersystems said: "The workstation is running Windows 10 Pro version 10.0.16299."
ESET IDS detected the exploit attempt although Win 10 is not vulnerable to it. So the exploit would be blocked at the network level. And yes, it would have blocked the incoming connection attempt from IP address 5.101.6.170, if that was the origin point. I believe the detection is done by DNA signature/behavior analysis that will match patterns displayed within the exploit itself. The question that remains is why it was not blocked by your server before it entered the network. The problem is that the attacker was able to gain access to your server, it appears.
Edited February 16, 2018 by itman
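The original poster asks how many failed login attempts are tolerated before a remote address is blocked. The thread does not state ESET's threshold, and the following is an added example rather than ESET's logic or anything from the thread: a defender-side script that parses flattened Windows Security failed-logon records (Event ID 4625, logon type 10 for RDP), counts attempts per source IP inside a sliding time window, and reports sources that cross a threshold. The log lines, the line format, the threshold of 5 attempts and the 1-minute window are all constructed assumptions for illustration; the 5.101.6.170 address is the one reported in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a flattened Event 4625/4624 format (not real logs).
# 5.101.6.170 is the address named in the thread; the attempt pattern is invented.
SAMPLE_LOG = """\
2018-02-15T10:00:01 EventID=4625 LogonType=10 IpAddress=5.101.6.170 TargetUserName=administrator
2018-02-15T10:00:03 EventID=4625 LogonType=10 IpAddress=5.101.6.170 TargetUserName=admin
2018-02-15T10:00:04 EventID=4625 LogonType=10 IpAddress=5.101.6.170 TargetUserName=user
2018-02-15T10:00:06 EventID=4625 LogonType=10 IpAddress=5.101.6.170 TargetUserName=guest
2018-02-15T10:00:08 EventID=4625 LogonType=10 IpAddress=5.101.6.170 TargetUserName=test
2018-02-15T10:05:00 EventID=4625 LogonType=10 IpAddress=192.168.1.20 TargetUserName=jsmith
2018-02-15T10:20:00 EventID=4625 LogonType=10 IpAddress=192.168.1.20 TargetUserName=jsmith
2018-02-15T10:21:00 EventID=4624 LogonType=10 IpAddress=192.168.1.20 TargetUserName=jsmith
"""

# Assumed flattened line layout: timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)

RDP_LOGON_TYPE = 10      # RemoteInteractive (RDP)
FAILED_LOGON_EVENT = 4625


def parse_events(text):
    """Parse the flattened records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "ip": m["ip"],
            "user": m["user"],
        })
    return events


def failed_rdp_logons_by_ip(events):
    """Group only failed RDP logons (4625 with logon type 10) by source address."""
    by_ip = defaultdict(list)
    for e in events:
        if e["eid"] == FAILED_LOGON_EVENT and e["lt"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(e)
    return by_ip


def find_brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: details} for sources with >= threshold failures inside any window.

    threshold and window are assumed tuning values, not a vendor default.
    """
    flagged = {}
    for ip, attempts in failed_rdp_logons_by_ip(events).items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts in [start, end] fit the window.
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = {
                    "count": count,
                    "first_seen": attempts[start]["ts"],
                    "users_tried": sorted({a["user"] for a in attempts[start:end + 1]}),
                }
                break  # one hit per source is enough for a report
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count']} failed RDP logons from {info['first_seen']} "
              f"against {', '.join(info['users_tried'])}")
```

The sliding window matters because a source that fails twice fifteen minutes apart (192.168.1.20 above) is a mistyped password, not a spray; the same two failures inside a short window are what a firewall or IDS threshold is meant to catch. The same grouping applies to the host firewall logs or the ERA event export if those are what is available instead of the Security event log.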