My son (who you may remember from our video on Operations Manager, Live Maps & Kinect) and I teamed up again recently to gather information on what accounts hackers are using when attempting to brute-force systems.

To do this we configured a honeypot server with the proper level of auditing, combined with a user account and password that are hard to guess, and integrated it with Microsoft OMS ( This blog post will review:

To set up our honeypot system we needed to configure Group Policy (so we would see logon failures), add the OMS agent and the Security and Audit solution, and configure an application on the server to make it attractive to attackers.

For Group Policy we needed to turn on auditing of failed logons. Details are available at: (v=ws.10).aspx#BKMK_1

We restricted the RDP connection to only allow a single account to log on. For that account we did not choose any of the default accounts, but rather created a unique name and a unique (and strong) password.

Next we installed the OMS agent as a directly connected agent ( and we added the “Security and Audit” solution.

Finally we set up a server with Minecraft installed, started Minecraft (and configured it to restart on reboot) and publicly listed the IP address of the Minecraft server.

What does the Security and Audit solution look like in OMS?

Now that we have a system reporting to OMS and have added the “Security and Audit” solution, we can log into OMS and take a look around (after waiting long enough for the system to be found and for people to attempt to go after it).

On the Security and Audit section we see the following information, indicating a large number of authentication attempts against accounts in the last 24 hours.

Drilling into the solution provides more details as shown below.

And a further drill into the Identity and Access section provides great additional detail as shown below.

For more details on the Security and Auditing solution see: 

From this point we can drill in further and gather details of all failed logon attempts to the system(s) in question using this query:

Type=SecurityEvent AccountType=user EventID=4625 | measure count() as Failed by Account

What are the top accounts which hackers use for brute-force attacks?

We also need to change the time period to check back for as long as we have data, in order to get the largest possible sample.
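The OMS search above (Type=SecurityEvent AccountType=user EventID=4625 | measure count() as Failed by Account) is only runnable inside the OMS portal, so here is an added example, not code from the post, that reproduces its logic in Python over a small constructed set of Windows Security events. The sample events, the fixed "now" timestamp, and the account and IP values are all made up for the example; the field names (EventID, AccountType, Account, IpAddress, SubStatus) follow the Windows Security event schema as OMS exposes it. It goes slightly beyond the post's query by taking the look-back window as a parameter (the post changes it in the portal to cover all available data) and by breaking the same events down by the documented 4625 SubStatus code, which on a honeypot separates guesses at accounts that do not exist from guesses at real ones.

```python
# Added example, not code from the blog post: reproduces the logic of the OMS search
#   Type=SecurityEvent AccountType=user EventID=4625 | measure count() as Failed by Account
# over constructed sample events, with an optional look-back window and a
# breakdown by 4625 failure reason.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events; field names follow the Windows Security event schema
# as OMS exposes it, and every value here is made up for this example.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2016-03-01T23:50:00Z", "EventID": 4625, "AccountType": "User",
     "Account": "HONEYPOT\\administrator", "IpAddress": "203.0.113.10", "SubStatus": "0xC0000064"},
    {"TimeGenerated": "2016-03-01T23:51:00Z", "EventID": 4625, "AccountType": "User",
     "Account": "HONEYPOT\\Administrator", "IpAddress": "203.0.113.10", "SubStatus": "0xC0000064"},
    {"TimeGenerated": "2016-03-01T23:52:00Z", "EventID": 4625, "AccountType": "User",
     "Account": "HONEYPOT\\admin", "IpAddress": "203.0.113.10", "SubStatus": "0xC0000064"},
    {"TimeGenerated": "2016-03-01T22:00:00Z", "EventID": 4625, "AccountType": "User",
     "Account": "HONEYPOT\\guest", "IpAddress": "198.51.100.7", "SubStatus": "0xC0000072"},
    {"TimeGenerated": "2016-02-20T10:00:00Z", "EventID": 4625, "AccountType": "User",
     "Account": "HONEYPOT\\administrator", "IpAddress": "198.51.100.7", "SubStatus": "0xC0000064"},
    {"TimeGenerated": "2016-02-20T10:01:00Z", "EventID": 4625, "AccountType": "User",
     "Account": "HONEYPOT\\root", "IpAddress": "198.51.100.7", "SubStatus": "0xC0000064"},
    # A successful logon (4624) and a machine-account failure: the query must drop both.
    {"TimeGenerated": "2016-03-01T23:55:00Z", "EventID": 4624, "AccountType": "User",
     "Account": "HONEYPOT\\honeypot-operator", "IpAddress": "192.0.2.5", "SubStatus": "0x0"},
    {"TimeGenerated": "2016-03-01T23:56:00Z", "EventID": 4625, "AccountType": "Machine",
     "Account": "HONEYPOT\\HONEYPOT$", "IpAddress": "192.0.2.9", "SubStatus": "0xC000006A"},
]

# Fixed "now" so the look-back window is reproducible (constructed value).
NOW = "2016-03-02T00:00:00Z"

# Documented 4625 SubStatus codes (subset). On a honeypot most guesses hit
# "user name does not exist", since attackers try default names the box never had.
SUBSTATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "wrong password",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _account_name(account):
    # Drop the DOMAIN\ prefix and fold case: Windows account names are
    # case-insensitive, so "Administrator" and "administrator" are one account.
    return account.split("\\")[-1].lower()


def failed_user_logons(events, now=NOW, lookback_hours=None):
    """Events the OMS filter keeps: EventID 4625 and AccountType user, optionally
    restricted to the last `lookback_hours` (None keeps all data, like widening
    the time picker in the portal)."""
    cutoff = None
    if lookback_hours is not None:
        cutoff = _parse_time(now) - timedelta(hours=lookback_hours)
    kept = []
    for ev in events:
        if ev["EventID"] != 4625 or ev["AccountType"].lower() != "user":
            continue
        if cutoff is not None and _parse_time(ev["TimeGenerated"]) < cutoff:
            continue
        kept.append(ev)
    return kept


def failed_logons_by_account(events, now=NOW, lookback_hours=None):
    """Equivalent of `measure count() as Failed by Account`."""
    return Counter(_account_name(ev["Account"])
                   for ev in failed_user_logons(events, now, lookback_hours))


def top_accounts(counts, n=10):
    """Highest-count accounts first; ties broken by name so the order is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def failure_reasons(events, now=NOW, lookback_hours=None):
    """Same selection, grouped by decoded SubStatus instead of by account."""
    return Counter(SUBSTATUS.get(ev["SubStatus"], ev["SubStatus"])
                   for ev in failed_user_logons(events, now, lookback_hours))


if __name__ == "__main__":
    print("Last 24 hours:", top_accounts(failed_logons_by_account(SAMPLE_EVENTS, lookback_hours=24)))
    print("All data:     ", top_accounts(failed_logons_by_account(SAMPLE_EVENTS)))
    print("Reasons:      ", failure_reasons(SAMPLE_EVENTS))
```

Running it with lookback_hours=24 reproduces the portal's default 24-hour view; calling it with no window is the "check back for as long as we have data" step, and the extra February events then show up in the administrator and root counts.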