Explanation about this Azure ATP alert on Domain Controller


Hello,

I have checked this alert in Azure ATP timeline. For privacy, I have changed the domain and DC names: 

non-existing account MYDOMAIN\SYSTEM attempted to logon | using Ntlm | against DC01013

Could someone give me a clear idea of what it means? Basically, it is not possible to use an account called "system" in the domain. This kind of account is most commonly found on the local machine.

2 Replies
I guess this means someone tried to log on with the account domain\system on your domain controller...

Important for analyzing this would be how many times this event occurred and where the logon attempt was originating from.

It could be that someone is just checking whether that account exists in your domain, or that someone just mistyped...

It all relates to the other events...

But that's my opinion ;)

Hi @ECuadra,

I would suggest turning on 8004 events on your domain controllers (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-windows-event-collection#ntlm-authentication-using-windows-event-8004), so you get the full information about the NTLM authentications. Once you enable this event, Azure ATP will show you which server the account is trying to access.

Thanks,

Tali
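The two replies above boil down to one triage procedure: find out how often the attempt happened and from where, and turn on NTLM auditing (event 8004) so the alert also tells you which server the account was targeting. The PowerShell below is an added example written for this thread, not code from Microsoft or from either poster. It assumes it is run on a domain controller after the audit policy the linked docs page describes ("Network security: Restrict NTLM: Audit NTLM authentication in this domain") has been applied; it further assumes 8004 is written to the Microsoft-Windows-NTLM/Operational log with EventData fields named SChannelName, UserName, DomainName and WorkstationName, and that NTLM credential validation failures on the DC appear as Security event 4776, where Status 0xC0000064 means the user name does not exist (field names and status code are assumptions, not taken from the thread). The account name SYSTEM and the 24-hour window are taken from the original post and chosen for illustration.

```powershell
# Added example for the thread above; not Microsoft's or the posters' own code.
# Run on a domain controller. Field names and the 0xC0000064 status meaning are assumptions.

$ntlmLog  = 'Microsoft-Windows-NTLM/Operational'
$account  = 'SYSTEM'                 # the name from the alert (constructed for this example)
$since    = (Get-Date).AddHours(-24)

# Parse the <EventData> block of an event into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
    return $data
}

# 1. Before 8004 is available: Security event 4776 on the DC already records the
#    workstation that sent the NTLM credentials and whether the user exists.
$v4776 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $f['TargetUserName']
            Workstation = $f['Workstation']
            Status      = $f['Status']          # 0xC0000064 = user name does not exist (assumed meaning)
        }
    } | Where-Object { $_.User -eq $account }

"4776 attempts for $account in the last 24h, grouped by source workstation and status:"
$v4776 | Group-Object Workstation, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Confirm NTLM auditing is actually producing events; an empty log usually means
#    the audit policy has not been applied or the operational log is disabled.
$log = Get-WinEvent -ListLog $ntlmLog -ErrorAction Stop
if (-not $log.IsEnabled) {
    Write-Warning "$ntlmLog is disabled; apply the NTLM audit policy or enable the log with: wevtutil sl $ntlmLog /e:true"
}

# 3. With 8004 enabled, SChannelName names the server the account was trying to reach,
#    which is the extra detail the second reply says Azure ATP will then surface.
$v8004 = Get-WinEvent -FilterHashtable @{ LogName = $ntlmLog; Id = 8004; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $f['UserName']
            Domain      = $f['DomainName']
            Workstation = $f['WorkstationName']
            Server      = $f['SChannelName']
        }
    } | Where-Object { $_.User -eq $account }

"8004 attempts for $account in the last 24h, grouped by source workstation and target server:"
$v8004 | Group-Object Workstation, Server | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A single attempt from one workstation with a status of "user does not exist" reads like a mistyped name or a misconfigured service; many attempts, or attempts spread across several source hosts or target servers, are the pattern the first reply is asking you to look for and should be correlated with the other Azure ATP events around the same time.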