What account names are used in brute force attacks? | Quisitive
March 23, 2016
Cameron Fuller
Father and son duo are back

My son (who you may remember from our video on Operations Manager, Live Maps & Kinect) and I teamed up again recently to gather information on what accounts hackers are using when attempting to brute force attack systems.

To do this we configured a honeypot server with the proper level of auditing, combined with a hard to randomly guess user account and password, and integrated with Microsoft OMS (www.microsoft.com/oms). This blog post will review:

  • How we set up the honeypot system
  • What the Security and Audit solution looks like in OMS
  • A list of the top account names that attackers use in brute-force attacks

Configuring our honeypot system

To set up our honeypot system we needed to configure Group Policy (so that logon failures would be recorded), add the OMS agent and the Security and Audit solution, and configure an application on the server to make it attractive to attackers.

  1. In Group Policy we enabled auditing of failed logons, so that each failed attempt is written to the Security event log. Details are available at: https://technet.microsoft.com/en-us/library/cc787268(v=ws.10).aspx#BKMK_1
  2. We restricted the RDP connection to only allow a single account to have access to log on. For that account we did not choose any of the default accounts, but rather we created a unique name and a unique (and strong) password.
  3. Next we installed the OMS agent as a direct connected agent (www.microsoft.com/oms) and we added the “Security and Audit” solution.
  4. Finally we set up a server with Minecraft installed, started Minecraft (configured to restart on reboot) and publicly listed the IP address of the Minecraft server.
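Steps 1 and 2 above, done from an elevated PowerShell prompt on the honeypot host. This is an added example and not the post's own configuration; it assumes a Windows Server build that ships the Microsoft.PowerShell.LocalAccounts cmdlets (New-LocalUser and friends), and the account name is a placeholder to be replaced with your own non-default name.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on
# Windows Server with the Microsoft.PowerShell.LocalAccounts module present.

# Step 1: audit failed logons so that each failure is written to the Security
# log as Event ID 4625. This enables the advanced audit subcategory
# "Logon" (under Logon/Logoff) for failures only.
auditpol.exe /set /subcategory:"Logon" /failure:enable
auditpol.exe /get /subcategory:"Logon"      # verify: the line should read "Failure"

# Step 2: one unique, hard-to-guess account is the only RDP login.
$honeypotUser = 'hp-REPLACE-ME'             # placeholder; pick a non-default name
$password = Read-Host -AsSecureString 'Password for the honeypot account'
New-LocalUser -Name $honeypotUser -Password $password -PasswordNeverExpires | Out-Null

# Empty the Remote Desktop Users group, then add only the honeypot account.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_ }
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $honeypotUser

# Check the result: only the honeypot account should be listed.
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

Note that membership of Remote Desktop Users is only half of the restriction: the "Allow log on through Remote Desktop Services" user right also grants members of Administrators by default, so the built-in administrator accounts are kept off RDP through the Group Policy user-rights assignment rather than through this group.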

What does the security and audit solution look like in OMS?

Now that we have a system reporting to OMS and we have added the “Security and Audit” solution we can log into OMS and take a look around (after waiting long enough for the system to be discovered and for people to start going after it). In the Security and Audit section we see the following information, indicating a large number of failed authentication attempts against accounts in the last 24 hours.

Drilling into the solution provides more details as shown below.

And a further drill into the Identity and Access section provides great additional detail as shown below.

For more details on the Security and Auditing solution see: https://blogs.technet.microsoft.com/systemcenter/2016/02/25/new-security-capabilities-in-operations-management-suite/

From this point we can further drill in and gather details of all failed logon attempts to the system(s) in question using this query:

Type=SecurityEvent AccountType=user EventID=4625 | measure count() as Failed by Account

We also need to widen the time range to cover all of the data we have, so that the sample is as large as possible.
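The same aggregation the OMS query performs, run locally on the honeypot against its Security log. This is an added example rather than something from the original post; it assumes failed-logon auditing is already enabled (so Event ID 4625 records exist) and that the prompt has permission to read the Security log.

```powershell
# Added example, not from the original post. Equivalent of
#   Type=SecurityEvent AccountType=user EventID=4625 | measure count() as Failed by Account
# evaluated directly against the local Security log.
function Get-FailedLogonsByAccount {
    param([int]$Top = 20)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The attempted account lives in the structured EventData of 4625,
            # so read the XML rather than parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Account = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Source  = $data['IpAddress']
                Time    = $_.TimeCreated
            }
        } |
        Group-Object -Property Account |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

# Top 20 attempted accounts, same shape as the OMS "Failed by Account" result.
Get-FailedLogonsByAccount

# Attempts against the names the post says never to expose to the Internet;
# -match is case-insensitive, so every capitalisation variant is caught.
Get-FailedLogonsByAccount -Top 900 |
    Where-Object { ($_.Name -split '\\')[-1] -match '^(administrator|admin)$' }
```

The account name comes out as DOMAIN\user, which is why the entries exported from OMS below start with a backslash: a brute-force attempt against a local account carries an empty domain field.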

What are the top accounts which hackers use for brute-force attacks?

So, what are the top accounts which hackers are using for brute-force attacks? Here are the top entries (just under 900 in total), exported from OMS using the Export option shown below.

\ETB User7
\SOF Server User1
\Remote Business1
\Group Sales1

The key takeaway I would recommend is not to allow any accounts with these names to be accessible from the Internet, even with strong passwords assigned to the account. Definitely do not use administrator, admin or any variation of those in capitalization.

Summary: The best practice of not allowing common account names to be reachable from anything that is exposed to the Internet still stands, and the numbers above verify it. Having a valid account such as “administrator” or “admin” that can be reached gives the hackers half of what they need to get into your system through brute force. All they need to do next is brute-force that account until they find the correct password.

As you can see in this blog post, Microsoft OMS provides some excellent visualization for security including an easy way to identify what accounts have had a history of failed logons.