Forum Discussion
Suspected brute-force attack (Kerberos, NTLM) azure ATP
If malware was running on this endpoint, the user might not have been aware of the failures.
I suggest exporting the alert from the portal to Excel and checking the details of the network activities that triggered it: check which protocols were used and against which resources; maybe it will give a clue.
What about the security log on the endpoint? Anything there from this time frame?
Do you have Defender on this machine? Maybe Defender noticed something off on this machine during this time frame?
- ghoshd9874, Jul 29, 2020, Copper Contributor
EliOfek
As per your suggestion, I downloaded the Excel file from the portal and checked the network activities.
It says that Kerberos was used and the error reason is 'Pre-authentication failed', Destination Port: 88, Destination is a Domain Controller. Please check the attachment (original details changed).
The endpoint solution logs say that a connection was initiated from the server (Server_A) to the domain controller (DC00001) over port 88. At the same time the user tried to RDP to that server (Server_A) from his computer over port 3389; he was using mRemote. But he never faced any error while logging in, nor any incorrect password error.
In case there was malware, how do I proceed with further investigation?
- AusSupport180, Mar 11, 2022, Brass Contributor
Does anyone have a guide to check these attacks?
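As an added example (not posted by anyone in this thread), one way to follow the earlier suggestion of checking the security log for the alert's time frame: the script below summarises Kerberos pre-authentication failures (Security event 4771, logged on the domain controller) by account and source address, so you can see whether the failures come from the user's workstation or from the RDP target server. The DC name DC00001 is taken from the thread; the time window and the failure-count threshold are placeholders to adjust to the alert.

```powershell
# Added example: summarise Kerberos pre-authentication failures (event 4771)
# on a domain controller for a given window, grouped by account and source.
param(
    [string]$DomainController = 'DC00001',       # DC name from the thread
    [datetime]$Start = (Get-Date).AddHours(-2),  # assumed window; set to the alert time frame
    [datetime]$End   = (Get-Date),
    [int]$Threshold  = 10                        # assumed: report (account, source) pairs at or above this
)

# Well-known Kerberos failure codes carried in the Status field of event 4771
$statusText = @{
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, locked or expired account)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4771; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the EventData fields (TargetUserName, IpAddress, Status) out of the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $reason = if ($statusText.ContainsKey($d['Status'])) { $statusText[$d['Status']] } else { 'other' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $d['TargetUserName']
        Source  = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
        Reason  = $reason
    }
}

# One line per (account, source): failure count, first/last seen, reasons observed
$summary = $rows | Group-Object Account, Source | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Account   = $sorted[0].Account
        Source    = $sorted[0].Source
        Failures  = $_.Count
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
        Reasons   = ($sorted.Reason | Sort-Object -Unique) -join '; '
    }
} | Sort-Object Failures -Descending

$summary | Format-Table -AutoSize
# Pairs above the threshold are the ones to correlate with the endpoint logs:
# a source that is a server rather than the user's own workstation points at a
# stored credential or a process on that host, which would explain why the user
# never saw a password error.
$summary | Where-Object Failures -ge $Threshold
```

Run it from a host that can read the DC's Security log remotely (or run it on the DC itself and drop `-ComputerName`); a source equal to Server_A's address with a wrong-password reason matches the pattern described in the thread.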