Forum Discussion
ghoshd9874
Jul 26, 2020 Copper Contributor
Suspected brute-force attack (Kerberos, NTLM) Azure ATP
We have recently installed Azure ATP on a few servers. After that, we are getting the alert below from those servers: "Suspected brute-force attack (Kerberos, NTLM) was detected in your company".
"An act...
ghoshd9874
Jul 29, 2020 Copper Contributor
EliOfek
As per your suggestion, I downloaded the Excel file from the portal and checked the network activities.
It says that Kerberos was used and the error reason is 'Pre-authentication failed', Destination Port: 88, and the destination is a Domain Controller. Please check the attachment (original details changed).
The endpoint solution logs say that a connection was initiated from the server (Server_A) to the domain controller (DC00001) over port 88. At the same time, the user tried to RDP to that server (Server_A) from his computer over port 3389; he was using mremote. But he never faced any error while logging in or any incorrect-password error.
In case there was malware, how do I proceed with further investigation?
AusSupport180
Mar 11, 2022 Brass Contributor
Does anyone have a guide to check these attacks?