DCs Brute Force attack


Hi All.

Thank you for taking the time to read my email. We are going through a brute-force attack directly against our DCs. The attackers have been able to access 40 user accounts and they are trying multiple passwords against our DCs. We are assuming that they must be on our network or coming through our VPN. Our tools are DEP, MCAS and Azure Sentinel, and we are not able to see the source IP. We can only see the Device ID; they are actually trying from different PCs and, surprisingly, these PCs have the same ID, but the IPs are not displayed. I was wondering if any of you would have a suggestion on how to stop this attack.

Thank you very much in advance for your help.

Tomas Gonzales.

1 Reply
In the first place, I would try to determine how and where the attacks are coming from. Especially how the attackers got into your network. As long as this is not known, it makes no sense to try to stop the attack, because the attack can be started again at any time. Start isolating the client systems and try to clean them up. For example, use a boot CD to perform the scan independently of the operating system.
There are so many steps that need to be taken, unfortunately it is not possible to list everything here. Good luck!
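The reply's first step, working out where the failed logons are coming from, can be done from the DCs' own 4625 (failed logon) events even when the IP is not recorded. The script below is an added example, not code from the thread or from Microsoft: it groups constructed events (shaped like Sentinel's SecurityEvent columns, with made-up values) by source IP, falls back to the client-supplied WorkstationName when the DC logged no IP, and flags sources failing against many accounts.

```python
from collections import defaultdict

# Constructed sample of failed-logon events (Windows EventID 4625) in the column
# shape of Sentinel's SecurityEvent table. All values are made up for illustration.
# IpAddress "-" reproduces the situation in the thread: the DC logged no source IP,
# only a client-supplied workstation name.
def _ev(dc, user, ip, ws):
    return {"Computer": dc, "EventID": 4625, "TargetUserName": user,
            "IpAddress": ip, "WorkstationName": ws}

SAMPLE_EVENTS = (
    [_ev("DC01", f"user{i:02d}", "-", "WS-7F3A") for i in range(12)]     # 12 accounts, no IP
    + [_ev("DC02", f"user{i:02d}", "-", "WS-7F3A") for i in range(6)]    # same host, second DC
    + [_ev("DC01", "bob", "10.0.5.21", "BOB-LAPTOP") for _ in range(3)]  # one user, own password
    + [_ev("DC01", "svc-backup", "-", "-") for _ in range(2)]            # nothing to attribute
)

def source_key(ev):
    """Prefer the recorded source IP; fall back to WorkstationName when the DC
    logged none. WorkstationName is supplied by the client, so treat it as a
    pivot for the investigation, not as proof of where the traffic originated."""
    ip = ev.get("IpAddress") or "-"
    if ip != "-":
        return ("ip", ip)
    ws = ev.get("WorkstationName") or "-"
    return ("workstation", ws) if ws != "-" else ("unknown", "-")

def find_spray_sources(events, min_accounts=5, min_attempts=10):
    """Group 4625 events by source and flag any source that fails against many
    distinct accounts (password spray) or simply fails very often (brute force)."""
    by_source = defaultdict(lambda: {"accounts": set(), "attempts": 0, "dcs": set()})
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        stats = by_source[source_key(ev)]
        stats["accounts"].add(ev["TargetUserName"].lower())
        stats["attempts"] += 1
        stats["dcs"].add(ev["Computer"])
    findings = []
    for (kind, value), stats in by_source.items():
        if len(stats["accounts"]) >= min_accounts or stats["attempts"] >= min_attempts:
            findings.append({"source_type": kind, "source": value,
                             "accounts": len(stats["accounts"]),
                             "attempts": stats["attempts"], "dcs": sorted(stats["dcs"])})
    return sorted(findings, key=lambda f: (f["accounts"], f["attempts"]), reverse=True)

if __name__ == "__main__":
    for finding in find_spray_sources(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only the workstation WS-7F3A is flagged (12 accounts, 18 attempts across both DCs), while the user retrying their own password and the unattributable events stay below the thresholds.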