SEC - Endpoint Protection - Test-BruteForceAttack
Overview
Basic detection of a brute force attack on an endpoint.
Requirements
This script should be scheduled to run periodically on an endpoint.
Process
- Sets up a history so it remembers its last run date.
- Queries the security log for any login failures since its last run.
- Determines if output is going to a file; if so, outputs the found items to the desired file and file type.
- Counts how many failed logins are found.
- If the count is higher than the threshold, it returns true; otherwise, it returns false.
How does the content operate and accomplish the goal?
Payload Usage
Test-BruteForceAttack.ps1 -Threshold 25
This command queries the event log from the last time it ran to the current time, counts the instances of failed logins, and alerts if there are more than 25.
Test-BruteForceAttack.ps1 -Threshold 25 -outfile "C:/temp/test.csv"
This command queries the event log from the last time it ran to the current time, counts the instances of failed logins, alerts if there are more than 25, and outputs the found events to a CSV file.
Parameters
| Parameter | Alias | Required | Default | Type | Description |
|---|---|---|---|---|---|
-Threshold | False | 25 | Int | This designates the threshold of found items; if the number of found failed login events is greater than the threshold value, it triggers a true response; otherwise, it will trigger false. | |
-OutFile | False | String | This designates that an output of the found failed login items should be sent to a file. The default file type is .json, but the script accepts file types of .txt, .xml, .csv, and .json for exports. |
Output
- If
-Outfileis not provided: Boolean - If
-Outfileis provided: Boolean and file. - Example log file:
.//Test-BruteForceAttack.ps1-log.txt
Locations
| Payload | /repo/scripts/Test-BruteForceAttack.ps1 |
|---|---|
| Automate | |
| ConnectWise RMM | |
| Kaseya | |
| Datto RMM |