Event Logs for Remote Share BruteForce

Question

This command is used to access remote shares.

net use \10.31.247.2\share /user:admin password

Is there any way to detect(EventLogs/other tools) if someone is trying to BruteForce into a remote system using this method? A wrong password does not produce any Event Logs on the remote system.

Is there any other method for accessing remote shares which will produce an EventLog on the system being BruteForced?

Answer 1

Yes it does. Look in the security log on the 10.31.247.2 (if workgroup server), or on the PDC Emulator (if domain joined).

This will produce either a failure audit event 675 (win2003) or a failure audit with an eventID between 4768 an 4771, try to filter your security logs.