Explanation about this Azure ATP alert on Domain Controller

ECuadra · ‎Nov 28 2019

Hello,

I have checked this alert in Azure ATP timeline. For privacy, I have changed the domain and DC names:

non-existing account MYDOMAIN\SYSTEM attempted to logon | using Ntlm | against DC01013

Could someone give me a clear idea what it means? Basically, it is not possible to use an account called "system" in the domain. This kind of account is most commonly found on the local machine.

Matthias Vandenberghe · ‎Nov 28 2019

I guess this means someone tried to logon with the account domain\system on your domain controller...

Important to analyze this, would be, how many times did this event occur and from where was the logon attempt originating.

It can be someone is just checking if that account exists in your domain, or someone who just mistyped...

All relates to the other events...

But that's my opinion ;)

Tali Ash · ‎Dec 01 2019

Hi @ECuadra ,

I will suggest to turn on 8004 events on your domain controllers, so you will get the full information about the NTLM authentications. Once you will enable this event Azure ATP will show you what is the server the account is trying to access.

Thanks,

Tali

Explanation about this Azure ATP alert on Domain Controller

Explanation about this Azure ATP alert on Domain Controller

Re: Explanation about this Azure ATP alert on Domain Controller

Re: Explanation about this Azure ATP alert on Domain Controller

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Explanation about this Azure ATP alert on Domain Controller

Explanation about this Azure ATP alert on Domain Controller

Re: Explanation about this Azure ATP alert on Domain Controller

Re: Explanation about this Azure ATP alert on Domain Controller