Sep 14 2018 05:57 AM
Since 3 days ago we have an entity in Azure ATP called WORKSTATION that has the tag Unresolved (This user/computer/group was not synced from the domain, and was partially resolved via a global catalog. Some attributes are not available). When checking the entity's timeline activities there are multiple failed logon attempts using a wrong password from random users. There is also a failed attempt from a non-existent domain account. Does anyone have any ideas where this appeared from and how I can investigate this (get to the bottom of this)?
Sep 14 2018 12:32 PM
What do you mean by "partially resolved via a global catalog"?
Usually when an entity is resolved from AD it's fully resolved, and if it's partial, we don't get info from AD at all.
Sep 16 2018 06:18 PM - edited Sep 16 2018 06:25 PM
Hi Christian,
We had something similar from "MSTSC" - hopefully the details below will help you identify things further? The process followed was:
On the specific Domain Controller that is being targeted - use the following:
https://support.microsoft.com/en-au/help/109626/enabling-debug-logging-for-the-netlogon-service
Enable:
Nltest /DBFlag:1004
net stop netlogon
net start netlogon
Disable:
Nltest /DBFlag:0x0
net stop netlogon
net start netlogon
The value of 1004 should focus on:
#define NL_LOGON 0x00000004 // Logon processing
#define NL_SERVER_SESS 0x00001000 // Server session maintenance
(more details at the bottom of that KB Article)
Log files end up in %windir%\debug\netlogon.log
From this we were able to identify the specific machine that was being used to attempt to log in via the RDP Client - hence the use of MSTSC.exe in the Azure ATP logs - and then backtrack from there. We did make the comment in feedback to the Azure ATP team that it seemed strange that this wasn't flagged as an RDP login in the first place...? I'm guessing what you might be seeing is a connection via the Workstation service perhaps?
Hope that helps
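The reply above ends with the step that actually answers the original question: read %windir%\debug\netlogon.log on the targeted domain controller and work out which source host the failed logons came from. The script below is an added example (not code from either poster) that does that part. It assumes the common layout of SamLogon lines in netlogon.log ("... logon of DOMAIN\user from HOST ... Entered" followed by "... Returns 0xNNNNNNNN"); the sample lines, the domain CONTOSO, the host names WORKSTATION and FILESRV01 and the account names are all constructed for the demo. The NTSTATUS meanings (0xC000006A wrong password, 0xC0000064 no such user, 0xC0000234 locked out, 0xC0000072 disabled) are the documented values; anything else is reported as the raw code.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the netlogon.log SamLogon line layout.
# Not real log lines from the thread; all names are invented.
SAMPLE_NETLOGON_LOG = """\
09/14 05:57:01 [LOGON] [1204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\jsmith from WORKSTATION (via DC01) Entered
09/14 05:57:01 [LOGON] [1204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\jsmith from WORKSTATION (via DC01) Returns 0xC000006A
09/14 05:57:03 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\\mlee from WORKSTATION Entered
09/14 05:57:03 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\\mlee from WORKSTATION Returns 0xC000006A
09/14 05:57:05 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\\ghost from WORKSTATION Entered
09/14 05:57:05 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\\ghost from WORKSTATION Returns 0xC0000064
09/14 06:02:10 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\\svc-backup from FILESRV01 Entered
09/14 06:02:10 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\\svc-backup from FILESRV01 Returns 0x0
09/14 06:05:44 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from FILESRV01 Returns 0xC000006A
"""

# Documented NTSTATUS codes that show up in the "Returns" lines.
STATUS_TEXT = {
    "0x0": "success",
    "0xC000006A": "wrong password (STATUS_WRONG_PASSWORD)",
    "0xC0000064": "no such user (STATUS_NO_SUCH_USER)",
    "0xC0000234": "account locked out (STATUS_ACCOUNT_LOCKED_OUT)",
    "0xC0000072": "account disabled (STATUS_ACCOUNT_DISABLED)",
}

# One SamLogon line: timestamp, [LOGON] component, thread id, domain, logon
# kind, account, source host (optionally written as \\HOST, optionally with a
# "(via DCNAME)" suffix for transitive logons), and either Entered or Returns.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?P<domain>\S+): "
    r"SamLogon: (?P<kind>.+?) logon of (?P<account>\S+) from \\?\\?(?P<source>\S+)"
    r"(?: \(via \S+\))? (?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)


def parse_netlogon(text):
    """Return one event dict per 'Returns' line; 'Entered' lines carry no result."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("status") is None:
            continue
        status = "0x" + m.group("status")[2:].upper()  # normalise hex case
        events.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "kind": m.group("kind"),
            "account": m.group("account"),
            "source": m.group("source"),
            "status": status,
            "reason": STATUS_TEXT.get(status, status),
        })
    return events


def failed_logons_by_source(text):
    """Group failed logons by source host: attempt count, distinct accounts, reasons."""
    acc = defaultdict(lambda: {"attempts": 0, "accounts": set(), "reasons": defaultdict(int)})
    for ev in parse_netlogon(text):
        if ev["status"] == "0x0":
            continue
        entry = acc[ev["source"]]
        entry["attempts"] += 1
        entry["accounts"].add(ev["account"])
        entry["reasons"][ev["reason"]] += 1
    return {
        host: {"attempts": v["attempts"], "accounts": sorted(v["accounts"]), "reasons": dict(v["reasons"])}
        for host, v in acc.items()
    }


def likely_source(text):
    """Host with the most failed attempts, ties broken by number of distinct accounts tried."""
    summary = failed_logons_by_source(text)
    if not summary:
        return None
    return max(summary, key=lambda h: (summary[h]["attempts"], len(summary[h]["accounts"])))


if __name__ == "__main__":
    # To run against a real file: open(r"C:\Windows\debug\netlogon.log").read()
    for host, info in sorted(failed_logons_by_source(SAMPLE_NETLOGON_LOG).items()):
        print(f"{host}: {info['attempts']} failed, accounts={info['accounts']}, reasons={info['reasons']}")
    print("most likely source host:", likely_source(SAMPLE_NETLOGON_LOG))
```

One host trying several different accounts with wrong passwords, plus a name that does not exist in the domain, is the pattern the original post describes; grouping by source host rather than by account is what turns the Azure ATP timeline into a machine you can go and look at.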