
Detecting a Brute-Force Attack with Argus


Brute-force attacks are a frequent method used by attackers to gain unauthorized access by guessing login credentials. Services like SSH on Linux and RDP on Windows are especially exposed because they accept password logins from the network. Argus detects brute-force attacks by analyzing repeated authentication failures from the same source and generating alerts based on correlation rules.

This use case demonstrates how Argus identifies brute-force attacks targeting RHEL (Linux) and Windows endpoints. It also provides steps to simulate and monitor such attacks.

Infrastructure

  1. Ubuntu 22.04:
    Acts as the attacker endpoint with an SSH client installed to simulate brute-force attacks.
  2. RHEL 9.0:
    Victim of an SSH brute-force attack, with SSH server enabled.
  3. Windows 11:
    Victim of an RDP brute-force attack, with RDP enabled.

Configuration and Attack Simulation

1. Setup the Attacker Endpoint (Ubuntu)

  1. Update the package list and install Hydra (a tool for brute-force attack simulation):
  2. Prepare a password list:
    Create a text file containing 10 random passwords for testing.

2. Execute Brute-Force Attacks

  1. Targeting RHEL (SSH):
    Replace <RHEL_IP> with the IP address of the RHEL endpoint and run:
  2. Targeting Windows (RDP):
    Replace <WINDOWS_IP> with the IP address of the Windows endpoint and run:

Visualizing Alerts

After the attacks, Argus generates alerts that you can view in the Threat Hunting module on the Argus dashboard. Apply the following filters to analyze the alerts:

  • Linux (SSH) Rules: rule.id:(5551 OR 5712)
    Additional related rules: 5710, 5711, 5716, 5720, 5503, 5504.
  • Windows (RDP) Rules: rule.id:(60122 OR 60204)

Use these alerts to understand attack patterns and identify potential threats.
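The correlation described above (many authentication failures from one source inside a short window) can be seen in miniature with the following added example. It is not Argus's own rule engine or code: it is a small Python detector that applies a sliding-window threshold to a handful of constructed sshd log lines in RHEL's syslog format. The threshold of 5 failures in 120 seconds, the hostname, and the source addresses (RFC 5737 test ranges) are all assumptions made for the example.

```python
"""Sliding-window brute-force detector over sshd log lines.

Added example, not Argus code. It mirrors the page's description of the
detection: count failed logins per source address, and raise an alert when
`threshold` failures land inside a window of `window_seconds`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes on RHEL.
# 192.0.2.10 hammers the server; 198.51.100.7 fails twice, nine minutes apart.
SAMPLE_LOG = """\
Jan 10 12:00:01 rhel9 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Jan 10 12:00:02 rhel9 sshd[1202]: Failed password for root from 192.0.2.10 port 51002 ssh2
Jan 10 12:00:03 rhel9 sshd[1203]: Failed password for root from 192.0.2.10 port 51004 ssh2
Jan 10 12:00:03 rhel9 sshd[1204]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jan 10 12:00:04 rhel9 sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 51006 ssh2
Jan 10 12:00:05 rhel9 sshd[1206]: Failed password for invalid user oracle from 192.0.2.10 port 51008 ssh2
Jan 10 12:00:06 rhel9 sshd[1207]: Failed password for root from 192.0.2.10 port 51010 ssh2
Jan 10 12:00:06 rhel9 sshd[1208]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 12:09:00 rhel9 sshd[1209]: Failed password for root from 198.51.100.7 port 40004 ssh2
"""

# Matches only the failure lines; "invalid user" is optional because sshd
# omits it when the account exists.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; relative ordering is all we need.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("src"), m.group("user")


def detect_bruteforce(log_text, threshold=5, window_seconds=120):
    """Return {source_ip: alert_dict} for each source whose failures reach
    `threshold` within any `window_seconds` span. One alert per source."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) still inside the window
    alerts = {}
    for ts, src, user in parse_failures(log_text):
        q = recent[src]
        q.append((ts, user))
        # Slide the window: discard failures older than window_seconds
        # relative to the event just seen. q never empties (ts itself stays).
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "first": q[0][0],
                "last": ts,
                "count": len(q),
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT ssh brute force from {src}: {a['count']} failures in "
              f"{span:.0f}s, accounts tried: {', '.join(a['users'])}")
```

The window matters as much as the threshold: the second source never alerts at 120 seconds but would at 600, which is the trade-off a correlation rule like the SSH rules above makes between catching slow guessing and ignoring a user who mistypes a password twice. On the Windows side the equivalent raw events are the failed-logon records (Event ID 4625) that the RDP rules correlate in the same way.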

Summary

This use case demonstrates how Argus monitors and detects brute-force attacks. By simulating attacks with tools like Hydra, you can test Argus's ability to generate alerts and take active responses, such as blocking the attacker's IP. Running this check confirms that repeated unauthorized access attempts against your endpoints are detected and acted on.
