Suspected brute-force attack (Kerberos, NTLM) azure ATP

%3CLINGO-SUB%20id%3D%22lingo-sub-1546603%22%20slang%3D%22en-US%22%3ESuspected%20brute-force%20attack%20(Kerberos%2C%20NTLM)%20azure%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1546603%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20recently%20installed%20Azure%20ATP%20in%20few%20Servers.%20After%20that%20we%20are%20getting%20below%20alert%20from%20those%20Servers.%3CBR%20%2F%3E%22Suspected%20brute-force%20attack%20(Kerberos%2C%20NTLM)%20was%20detected%20in%20your%20company%22.%3C%2FP%3E%3CP%3E%22An%20actor%20on%20%3CSERVER%20name%3D%22%22%3E%20generated%20a%20suspicious%20number%20of%20failed%20login%20attempts%20on%20%3CUSER%20name%3D%22%22%3E%22%3CBR%20%2F%3E%3CBR%20%2F%3EUpon%20checking%20with%20the%20user%2C%20we%20found%20that%20the%20user%20did%20logged%20in%20to%20that%20server%20at%20that%20mentioned%20time%20frame%2C%20but%20did%20not%20come%20across%20any%20login%20issue%20at%20that%20time.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20anybody%20assist%20how%20to%20proceed%20for%20such%20alerts%3F%3C%2FUSER%3E%3C%2FSERVER%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1546603%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eazure%20atp%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20ATP%20Sensor%20Installation%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1547693%22%20slang%3D%22en-US%22%3ERe%3A%20Suspected%20brute-force%20attack%20(Kerberos%2C%20NTLM)%20azure%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1547693%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F740269%22%20target%3D%22_blank%22%3E%40ghoshd9874%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20a%20malware%20was%20running%20on%20this%20endpoint%2C%20the%20user%20might%20not%20have%20been%20aware%20about%20the%20failures.%3C%2FP%3E%0A%3CP%3EI%20suggest%20to%20export%20the%20alert%20from%20the%20portal%20to%20excel%2C%20and%20check%20the%20details%20of%20the%20network%20activities%20that%20triggered%20it%2C%20check%20out%20which%20protocols%20were%20used%20and%20against%20which%20resources%2C%20maybe%20it%20will%20get%20a%20clue.%3C%2FP%3E%0A%3CP%3EWhat%20about%20the%20security%20log%20on%20the%20endpoint%3F%20anything%20there%20from%20this%20time%20frame%3F%3CBR%20%2F%3Edo%20you%20have%20defender%20on%20this%20machine%3F%20maybe%20defender%20noticed%20something%20off%20on%20this%20machine%20during%20this%20time%20frame%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1552573%22%20slang%3D%22en-US%22%3ERe%3A%20Suspected%20brute-force%20attack%20(Kerberos%2C%20NTLM)%20azure%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1552573%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EAs%20per%20your%20suggestion%2C%20i%20downloaded%20the%20excel%20file%20from%20portal%2C%20checked%20network%20activities.%26nbsp%3B%3CBR%20%2F%3EIt%20says%20that%20kerberos%20was%20used%20and%20Error%20reason%20is%20'Pre-authentication%20failed'%2C%20Destination%20Port%3A%2088%2C%20Destination%20is%20a%20Domain%20Controller.%20Please%20check%20the%20attachment(Original%20details%20changed)%3CBR%20%2F%3E%3CBR%20%2F%3EEnd%20point%20solution%20logs%20says%20that%20connection%20was%20initiated%20from%20the%20server(Server_A)%20to%20domain%20controller(DC00001)%20over%20port%2088.%26nbsp%3B%20At%20the%20same%20time%20the%20user%20tried%20to%20RDP%20to%20that%20server(Server_A)%2C%20from%20his%20Computer%2C%20over%20port%203389%2C%20he%20was%20using%20mremote.%20But%20he%20never%20faced%20any%20error%20while%20login%20or%20any%20incorrect%20password%20error.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20case%20if%20there%20was%20a%20malware%2C%20how%20do%20i%20proceed%20for%20further%20investigation%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

We have recently installed Azure ATP in few Servers. After that we are getting below alert from those Servers.
"Suspected brute-force attack (Kerberos, NTLM) was detected in your company".

"An actor on <Server name/IP> generated a suspicious number of failed login attempts on <User name>"

Upon checking with the user, we found that the user did logged in to that server at that mentioned time frame, but did not come across any login issue at that time. 

Can anybody assist how to proceed for such alerts?

2 Replies
Highlighted

@ghoshd9874 

If a malware was running on this endpoint, the user might not have been aware about the failures.

I suggest to export the alert from the portal to excel, and check the details of the network activities that triggered it, check out which protocols were used and against which resources, maybe it will get a clue.

What about the security log on the endpoint? anything there from this time frame?
do you have defender on this machine? maybe defender noticed something off on this machine during this time frame ?

Highlighted

@Eli Ofek 
As per your suggestion, i downloaded the excel file from portal, checked network activities. 
It says that kerberos was used and Error reason is 'Pre-authentication failed', Destination Port: 88, Destination is a Domain Controller. Please check the attachment(Original details changed)

End point solution logs says that connection was initiated from the server(Server_A) to domain controller(DC00001) over port 88.  At the same time the user tried to RDP to that server(Server_A), from his Computer, over port 3389, he was using mremote. But he never faced any error while login or any incorrect password error. 

In case if there was a malware, how do i proceed for further investigation?