Question regarding Brute Force (NTLM/Kerberos/LDAP) and Account Enumeration

Copper Contributor

Hi everyone,


The alerts we get the most from our customers are related to MDI.

  • "Suspected Brute Force Attack (NTLM/Kerberos) or (LDAP)"
  • "Account Enumeration Reconnaissance"

Often, the alerts provide useful information, such as which computer initiated the attempts and which computers were targeted, along with details on the users involved and whether the logins were successful. However, they rarely explain the root cause of why these alerts are triggered or who the actor is. (e.g., "An actor on a computer performed...")


Scenario: Many of our Brute Force/Enumeration alerts come from internal endpoints attempting to access or enumerate other internal endpoints. When I check the most recent users and endpoints involved, I don’t find any malicious activity (the investigation and risk scores are low). This often leads me to believe that an application or misconfiguration may be causing these alerts. Does MDE provide visibility to help identify which application or misconfiguration is triggering these alerts?


I have only ever been able to successfully zero in on an application that caused the brute force attack using KQL. Unfortunately, most times I'm left scratching my head. When we discuss this with customers, they aren't always sure, but they guess it could be their VPN or some other app.


Any thoughts or suggestions would be appreciated.

0 Replies
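The post mentions using KQL to find the application behind a brute-force alert. The following advanced hunting query is an added example, not code from the post or from Microsoft. It assumes a Microsoft Defender XDR tenant where MDI populates `IdentityLogonEvents` and the source endpoint is onboarded to MDE so that `DeviceNetworkEvents` exists for it; the failure thresholds and the port-to-protocol mapping are assumptions chosen for illustration. It first lists source endpoints that MDI saw generating many failed NTLM/Kerberos/LDAP logons, then joins those endpoints to the processes on them that opened connections to the authentication ports in the same time window, so the initiating process (a VPN agent, a monitoring collector, a service running under a stale password) becomes visible.

```kql
// Added example (not from the original post): correlate MDI logon failures with the
// process on the source endpoint that opened the authentication connections.
// Assumes Defender XDR advanced hunting with MDI (IdentityLogonEvents) and
// MDE (DeviceNetworkEvents) data for the source endpoint.
let lookback = 7d;
// Thresholds below are assumptions for this example; tune them to your environment.
let minFailures = 50;
let minTargetAccounts = 20;
// Step 1: source endpoints producing many failed logons, per authentication protocol (MDI view).
// DeviceName is reduced to the short host name because MDI and MDE do not always
// agree on FQDN vs. NetBIOS naming, which would otherwise make the join silently miss.
let noisySources =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where Protocol in~ ("ntlm", "kerberos", "ldap")
    | extend SourceDevice = tolower(tostring(split(DeviceName, ".")[0]))
    | summarize Failures = count(),
                TargetAccounts = dcount(AccountName),
                Targets = make_set(DestinationDeviceName, 10),
                FirstSeen = min(Timestamp),
                LastSeen = max(Timestamp)
          by SourceDevice, AuthProtocol = Protocol
    | where Failures >= minFailures or TargetAccounts >= minTargetAccounts;
// Step 2: on those endpoints, which process talked to the authentication ports in that window?
// Port mapping is an assumption for this example: 88 Kerberos, 389/636 LDAP, 445 SMB (NTLM over SMB).
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemotePort in (88, 389, 636, 445)
| extend SourceDevice = tolower(tostring(split(DeviceName, ".")[0]))
| project-away Protocol   // avoid a name clash with the MDI AuthProtocol column
| join kind=inner noisySources on SourceDevice
| where Timestamp between (FirstSeen .. LastSeen)
| summarize Connections = count(),
            RemoteHosts = make_set(RemoteIP, 10)
      by SourceDevice, AuthProtocol, Failures, TargetAccounts, Targets,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Failures desc, Connections desc
```

Read the result per source endpoint: a single `InitiatingProcessFileName` that accounts for most of the connections during the failure window is the first candidate for the misconfigured application, and `InitiatingProcessAccountName` shows whether it runs as a service identity whose stored credential may be stale. If the join returns nothing for an endpoint that MDI does flag, the usual causes are that the endpoint is not onboarded to MDE, or that the host names still differ after the short-name normalization; check both before concluding the source is unknown.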