cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Suspected brute-force attack (Kerberos, NTLM) azure ATP

ghoshd9874
Copper Contributor

‎Jul 26 2020 08:22 AM - last edited on ‎Nov 30 2021 01:58 PM by

‎Jul 26 2020 08:22 AM - last edited on ‎Nov 30 2021 01:58 PM by

Suspected brute-force attack (Kerberos, NTLM) azure ATP

We have recently installed Azure ATP in few Servers. After that we are getting below alert from those Servers.
"Suspected brute-force attack (Kerberos, NTLM) was detected in your company".

"An actor on <Server name/IP> generated a suspicious number of failed login attempts on <User name>"

Upon checking with the user, we found that the user did logged in to that server at that mentioned time frame, but did not come across any login issue at that time. 

Can anybody assist how to proceed for such alerts?

Labels:
15.6K Views
0 Likes
4 Replies
Reply
4 Replies
Eli Ofek

‎Jul 27 2020 05:50 AM

‎Jul 27 2020 05:50 AM

Re: Suspected brute-force attack (Kerberos, NTLM) azure ATP

@ghoshd9874 

If a malware was running on this endpoint, the user might not have been aware about the failures.

I suggest to export the alert from the portal to excel, and check the details of the network activities that triggered it, check out which protocols were used and against which resources, maybe it will get a clue.

What about the security log on the endpoint? anything there from this time frame?
do you have defender on this machine? maybe defender noticed something off on this machine during this time frame ?

1 Like
Reply
ghoshd9874

‎Jul 29 2020 02:31 AM

‎Jul 29 2020 02:31 AM

Re: Suspected brute-force attack (Kerberos, NTLM) azure ATP

@Eli Ofek 
As per your suggestion, i downloaded the excel file from portal, checked network activities. 
It says that kerberos was used and Error reason is 'Pre-authentication failed', Destination Port: 88, Destination is a Domain Controller. Please check the attachment(Original details changed)

End point solution logs says that connection was initiated from the server(Server_A) to domain controller(DC00001) over port 88.  At the same time the user tried to RDP to that server(Server_A), from his Computer, over port 3389, he was using mremote. But he never faced any error while login or any incorrect password error. 

In case if there was a malware, how do i proceed for further investigation?

Preview file
15 KB
0 Likes
Reply
AusSupport180

‎Mar 10 2022 05:49 PM

‎Mar 10 2022 05:49 PM

Re: Suspected brute-force attack (Kerberos, NTLM) azure ATP

Can someone have any guide to check these attacks?
0 Likes
Reply
AlexCherFS

‎Nov 23 2022 10:48 AM

‎Nov 23 2022 10:48 AM

Re: Suspected brute-force attack (Kerberos, NTLM) azure ATP

Curious if you were able to make progress with this? Seeing similar alerts from an Exchange server with suspected brute-force to many accounts. Wondering if it's a false positive since Exchange server would generate failed login alert whenever anyone would fail to login from remote devices too. Thoughts?
0 Likes
Reply