Forum Discussion

ghoshd9874
Copper Contributor
Jul 26, 2020

Suspected brute-force attack (Kerberos, NTLM) azure ATP

We have recently installed Azure ATP on a few servers. After that we are getting the below alert from those servers:
"Suspected brute-force attack (Kerberos, NTLM) was detected in your company".

"An actor on <Server name/IP> generated a suspicious number of failed login attempts on <User name>"

Upon checking with the user, we found that the user did log in to that server in the mentioned time frame, but did not come across any login issue at that time.

Can anybody advise how to proceed with such alerts?

4 Replies

  • AlexCherFS
    Copper Contributor
    Curious if you were able to make progress with this? Seeing similar alerts from an Exchange server with suspected brute-force against many accounts. Wondering if it's a false positive, since an Exchange server would generate a failed login alert whenever anyone fails to log in from a remote device too. Thoughts?
  • ghoshd9874 

    If malware was running on this endpoint, the user might not have been aware of the failures.

    I suggest exporting the alert from the portal to Excel and checking the details of the network activities that triggered it: check which protocols were used and against which resources. Maybe that will give a clue.

    What about the security log on the endpoint? Anything there from this time frame?
    Do you have Defender on this machine? Maybe Defender noticed something off on this machine during this time frame?

    •
      ghoshd9874
      Copper Contributor

      EliOfek 
      As per your suggestion, I downloaded the Excel file from the portal and checked the network activities.
      It says that Kerberos was used and the error reason is 'Pre-authentication failed', Destination Port: 88, Destination is a Domain Controller. Please check the attachment (original details changed).

      The endpoint solution logs say that a connection was initiated from the server (Server_A) to the domain controller (DC00001) over port 88. At the same time the user tried to RDP to that server (Server_A) from his computer over port 3389; he was using mRemote. But he never faced any error while logging in or any incorrect password error.

      In case there was malware, how do I proceed with further investigation?
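The reply above suggests checking the endpoint's security log for the alert's time frame, and the follow-up narrows the alert down to Kerberos pre-authentication failures against a domain controller over port 88. The script below is an added example, not something posted in this thread or part of Azure ATP, showing how to pull the matching Windows Security events from both sides: event 4771 (Kerberos pre-authentication failed) on the DC, and 4625 (failed logon) alongside 4624 with logon type 10 (RDP success) on the endpoint. The host names Server_A and DC00001 are the placeholders the thread uses; the account name, the time window and the assumption that you have remote event-log read rights are mine.

```powershell
# Added example (not from the thread): correlate an Azure ATP "Pre-authentication failed"
# alert with the Windows Security logs on the DC and on the endpoint.
# Placeholders: DC00001 / Server_A come from the thread; the user and window are assumed.
param(
    [string]$DomainController = 'DC00001',   # DC named in the alert (placeholder)
    [string]$Endpoint         = 'Server_A',  # endpoint that generated the Kerberos traffic
    [string]$TargetUser       = 'jdoe',      # account named in the alert (assumed placeholder)
    [datetime]$Start          = (Get-Date).AddHours(-2),   # alert time frame, set to fit the alert
    [datetime]$End            = (Get-Date)
)

# Pull the named EventData fields out of an event's XML payload into a hashtable.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1) On the DC: 4771 = Kerberos pre-authentication failed.
#    Status 0x18 is a bad password, 0x12 a disabled/locked account,
#    0x17 an expired password, 0x25 clock skew between client and KDC.
$dcEvents = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

$preauth = foreach ($e in $dcEvents) {
    $d = Get-EventData $e
    if ($d.TargetUserName -ne $TargetUser) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d.TargetUserName
        ClientIP    = $d.IpAddress -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        Status      = $d.Status
        PreAuthType = $d.PreAuthType
    }
}

"Kerberos pre-auth failures for $TargetUser on $DomainController between $Start and $End"
$preauth | Sort-Object Time | Format-Table -AutoSize

# A burst of 0x18 failures from a single client IP is what the brute-force detector keys on;
# grouping by IP and status shows whether they all came from the suspected endpoint.
$preauth | Group-Object ClientIP, Status | Select-Object Count, Name | Format-Table -AutoSize

# 2) On the endpoint: 4625 shows which process and logon type failed for the user;
#    4624 with LogonType 10 is the user's own interactive RDP session, for comparison.
$epEvents = Get-WinEvent -ComputerName $Endpoint -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4624; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

"Logon events for $TargetUser on $Endpoint"
$epEvents | ForEach-Object {
    $d = Get-EventData $_
    if ($d.TargetUserName -ne $TargetUser) { return }
    if ($_.Id -eq 4624 -and $d.LogonType -ne '10') { return }   # keep only RDP successes
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        LogonType = $d.LogonType
        SourceIP  = $d.IpAddress
        Process   = $d.ProcessName
        SubStatus = if ($_.Id -eq 4625) { $d.SubStatus } else { '' }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Event 4771 is only written when "Audit Kerberos Authentication Service" is enabled on the domain controllers, and 4625/4624 need "Audit Logon" on the endpoint, so an empty result may mean auditing is off rather than nothing happened. If the DC shows a run of 0x18 failures from Server_A while the endpoint's 4624/LogonType 10 entry shows the user's mRemote RDP session succeeding, the 4625 entries' ProcessName column is the field that tells you which process on Server_A was presenting the wrong credential.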
