Tom Ford 0 Posted August 28, 2019 Share Posted August 28, 2019 While debugging my network (for completely unrelated reasons) I pulled the syslog from my network firewall (Unifi USG) only to notice repeated RDP connections to one of my local machines. The attacker's / attackers' IPs bounced around with locations ranging from Panama to Kentucky. I enabled authentication auditing on the target machine and saw successive login failures with usernames PSMITH, PMILLER, PJOHNSON, PJONES, etc. I have blocked the various subnets of the attacker(s) in my network firewall. On the target machine my ESET firewall is enabled. ESET options including Network Attack Protection / IDS is enabled, Intrusion Detection / Protocol RDP is enabled... My question is, why didn't ESET detect this attempted intrusion? After what I can only imagine is thousands of failed RDP login attempts? Is there some setting that I missed? It seems to me that this is a fairly obvious attack to be missed... Even my FTP server will automatically blacklist an IP after a certain number of failed login attempts.
Administrators Marcos 5,286 Posted August 28, 2019 Administrators Share Posted August 28, 2019 We don't have a functionality to protect from RDP brute-force attacks. There are other 3rd party solutions like RDS-Knight aimed at protecting RDP. Users can also protect from brute-force attacks by setting an account lockout policy in Windows.
itman 1,754 Posted August 28, 2019 Share Posted August 28, 2019 (edited) Per below, Eset's IDS RDP protection applies to known vulnerabilities, i.e. CVEs, in the protocol. It also should not be relied upon to the detriment of Win OS patches. These should always be applied when issued by Microsoft:

Quote
Intrusion detection
• Protocol SMB – Detects and blocks various security problems in SMB protocol, namely:
• Rogue server challenge attack authentication detection – Protects against an attack that uses a rogue challenge during authentication in order to obtain user credentials.
• IDS evasion during named pipe opening detection – Detection of known evasion techniques used for opening MSRPCS named pipes in SMB protocol.
• CVE detections (Common Vulnerabilities and Exposures) – Implemented detection methods of various attacks, forms, security holes and exploits over SMB protocol. Please see the CVE website at cve.mitre.org to search and obtain more detailed info about CVE identifiers (CVEs).
• Protocol RPC – Detects and blocks various CVEs in the remote procedure call system developed for the Distributed Computing Environment (DCE).
• Protocol RDP – Detects and blocks various CVEs in the RDP protocol (see above).

https://help.eset.com/ees/7/en-US/idh_config_epfw_network_attack_protection.html?idh_config_epfw_advanced_settings.html Edited August 28, 2019 by itman
itman 1,754 Posted August 28, 2019 Share Posted August 28, 2019 (edited) This query: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=brute+force+rdp on the Mitre web site yields 440 CVEs, all related to specific device or OS brute-force password vulnerabilities. Unfortunately, Mitre doesn't classify RDP overall as a vulnerability as I do. Edited August 28, 2019 by itman
Tom Ford 0 Posted August 28, 2019 Author Share Posted August 28, 2019 Thanks for the info, guys. Wow, I'm surprised that this isn't something included in ESET. Just seems a bit weird to me, since it detects port scanning and other unusual network traffic... Mind kinda blown, really. I don't think a lockout policy would help with this particular attack. It looks like credential stuffing, and I haven't seen the same account name attempted twice, although they may circle back through. I'll look for alternate solutions. I don't think this is particular to RDP, though. Multiple brief connections from IPs across the globe looks suspicious to me, regardless of the port and the attached service.
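As an added example (not from this thread, ESET, or any product mentioned above), here is detection logic a defender could run over exported Windows 4625 logon-failure records to catch the pattern described: many accounts, each tried once, from rotating source IPs. It also shows why a per-account lockout policy never fires on such a burst. The record format, usernames and IP addresses below are constructed sample data.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample of exported Security event 4625 fields:
# "<timestamp> <TargetUserName> <IpAddress>". Not real log data.
SAMPLE_4625 = """\
2019-08-28T03:10:01 PSMITH 192.0.2.10
2019-08-28T03:10:04 PMILLER 192.0.2.10
2019-08-28T03:10:09 PJOHNSON 198.51.100.22
2019-08-28T03:10:15 PJONES 198.51.100.22
2019-08-28T03:10:21 PBROWN 203.0.113.7
2019-08-28T03:10:30 PDAVIS 203.0.113.7
2019-08-28T09:00:00 tom 192.168.1.20
2019-08-28T09:00:05 tom 192.168.1.20
"""

def parse_4625(text):
    """Return a list of (timestamp, username, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events

def max_failures_per_account(events):
    """What an account lockout policy sees: failures per single account."""
    return max(Counter(user for _, user, _ in events).values())

def detect_password_spray(events, window=timedelta(minutes=5),
                          min_failures=5, min_distinct_users=4):
    """Flag bursts of failures spread across many different accounts.

    Counting across accounts and across source IPs (which rotate here)
    catches what a per-account threshold cannot. One alert per burst."""
    alerts, recent = [], deque()
    for ts, user, ip in sorted(events):
        recent.append((ts, user, ip))
        while ts - recent[0][0] > window:   # drop events outside the window
            recent.popleft()
        users = {u for _, u, _ in recent}
        if len(recent) >= min_failures and len(users) >= min_distinct_users:
            alerts.append({"first_seen": recent[0][0], "last_seen": ts,
                           "failures": len(recent), "distinct_users": len(users),
                           "source_ips": sorted({i for _, _, i in recent})})
            recent.clear()
    return alerts

def analyze(text):
    return detect_password_spray(parse_4625(text))
```

On the sample, no account fails more than twice (so a lockout threshold of, say, 5 never trips), yet the spray is flagged as one burst spanning three source IPs.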