Forum Discussion

ECuadra
Copper Contributor
Nov 28, 2019

Explanation about this Azure ATP alert on Domain Controller

Hello,

I have checked this alert in the Azure ATP timeline. For privacy, I have changed the domain and DC names:

non-existing account MYDOMAIN\SYSTEM attempted to logon | using Ntlm | against DC01013
Could someone give me a clear idea of what it means? Basically, it is not possible to use an account called "system" in the domain. This kind of account is most commonly found on the local machine.
  • Matthias_VDB
    Iron Contributor

    I guess this means someone tried to log on with the account domain\system on your domain controller...

    Important for analyzing this would be how many times this event occurred and where the logon attempt originated from.

    It could be someone who is just checking whether that account exists in your domain, or someone who just mistyped...

    All relates to the other events...

    But that's my opinion 😉
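Following the reply's suggestion to start with "how many times" and "from where", here is an added example that is not part of the original thread. A domain controller records each NTLM credential check as Windows Security event 4776; when the account name is unknown to the domain, the event carries the NTSTATUS error 0xC0000064 (STATUS_NO_SUCH_USER), which is what Azure ATP surfaces as a "non-existing account" logon attempt. The script parses constructed 4776 records and counts the rejected attempts per source workstation. The host names, account names, timestamps and the flat one-line record format are assumptions made for this example, not real data or the event log's native layout.

```python
import re
from collections import Counter

# NTSTATUS code the DC returns in event 4776 when the user name does not exist.
STATUS_NO_SUCH_USER = 0xC0000064

# Constructed sample (not real data): event 4776 records exported one per line.
# Host names, accounts and timestamps are made up for this example.
# 0xC000006A is a wrong password for an existing account; 0x0 is success.
SAMPLE_4776 = """\
2019-11-28T08:01:13Z DC01013 4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account=SYSTEM Workstation=WS-FINANCE-07 Error=0xC0000064
2019-11-28T08:01:14Z DC01013 4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account=SYSTEM Workstation=WS-FINANCE-07 Error=0xC0000064
2019-11-28T08:01:15Z DC01013 4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account=jdoe Workstation=WS-FINANCE-07 Error=0x0
2019-11-28T09:17:02Z DC01013 4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account=SYSTEM Workstation=SRV-BACKUP-01 Error=0xC0000064
2019-11-28T09:30:44Z DC01013 4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account=administrator Workstation=WS-FINANCE-07 Error=0xC000006A
2019-11-28T10:02:09Z DC01013 4776 Package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account=svc-old Workstation=SRV-BACKUP-01 Error=0xC0000064
"""

# Field layout of the flattened record (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dc>\S+)\s+4776\s+.*?"
    r"Account=(?P<account>\S+)\s+Workstation=(?P<workstation>\S+)\s+"
    r"Error=(?P<error>0x[0-9A-Fa-f]+)\s*$"
)


def parse_4776(text):
    """Parse flattened 4776 lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["error"] = int(ev["error"], 16)  # keep the NTSTATUS as an integer
        events.append(ev)
    return events


def unknown_accounts(events):
    """Account names the DC rejected as non-existent, with attempt counts."""
    return Counter(
        ev["account"].upper() for ev in events if ev["error"] == STATUS_NO_SUCH_USER
    )


def summarize_unknown_account(events, account):
    """Answer the two triage questions for one rejected account name:
    how many attempts, and from which source workstations."""
    hits = [
        ev for ev in events
        if ev["error"] == STATUS_NO_SUCH_USER
        and ev["account"].upper() == account.upper()
    ]
    hits.sort(key=lambda ev: ev["ts"])
    by_source = Counter(ev["workstation"] for ev in hits)
    return {
        "account": account.upper(),
        "total": len(hits),
        "by_source": dict(by_source),
        "first_seen": hits[0]["ts"] if hits else None,
        "last_seen": hits[-1]["ts"] if hits else None,
        # A single source with a few tries reads like a typo or a misconfigured
        # service; several sources, or a steady stream, deserves a closer look.
        "single_source": len(by_source) == 1,
    }


if __name__ == "__main__":
    evs = parse_4776(SAMPLE_4776)
    print(unknown_accounts(evs))
    print(summarize_unknown_account(evs, "SYSTEM"))
```

Run against a real export, the per-source breakdown is what decides the next step: one workstation repeating the same unknown name usually points at a scheduled task or service configured with a bad account, while the same name arriving from many hosts is the pattern worth correlating with the other events in the timeline, as the reply suggests.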
