Share via

Brute force incident registered on Microsoft 365 Defender

David Marques 41 Reputation points
2021-10-07T15:50:57.777+00:00

Hi,

I need some help clarifying some Logs I'm looking at.
I got an incident registered on Microsoft 365 Defender, which the source is Endpoint and the incident description is: Successful logon from known brute-force source on one endpoint.

So I got the investigation package from the machine and found out looking at the Logs that there is a Brute Force attempt, which was successful on one user, from an external IP, which is not even the user which is using the machine usually.
I also got the security log from the machine itself and can see the event ID 4624 on the domain user, with logon type 3 (network logon), from the external IP.
So my question is, being the logon from an external IP, what are the possible circumstances that an external IP is doing a brute force on a specific machine on my network?
Does this mean that this machine is compromised and being used for lateral movement?
Or any other plausible explanation for a network logon being done from an external IP?

Thanks

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Reza-Ameri 17,341 Reputation points Volunteer Moderator
    2021-10-07T16:57:00.603+00:00

    Attackers are using multiple ways , sometimes they just run a scan and perform a brute force and sometimes it is intentional attack meaning they are looking for a way to attack your company. I advise you to reset the password for the client and enforce using strong password. Use the Microsoft 365 Defender and investigate logs for clients and see if there is any other incident. Perform a full scan on the device and check security configuration for the device, M365 Defender will detect and report any other abnormal incident. You may block the IP in the firewall or even block the IP range and investigate it more.
    Take a look at:
    https://learn.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts

  2. Limitless Technology 39,931 Reputation points
    2021-10-08T13:54:18.473+00:00

    Hello David Marques,

    Indeed seems a very unusual event. I would like to clarify that a Network Logon is very different from a Brute Force attach since the context is not interactive and the credentials are inherited from the session, in opposition with an Interactive bruteforce where there is an specific trial/error.

    About the Logon type 3: Commonly it appears when connecting to shared resources (shared folders, printers etc.) and not to the system itself. The connection with logon type = 3 could be established even from a local computer.

    In this case I would suspect from a user trying to access an incorrect network resource (likely a shared folder or printer) where doesn't have permissions, or with incorrect credentials logged on its system.

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments
  3. David Marques 41 Reputation points
    2021-10-12T10:52:58.623+00:00

    Hi Limitless-Technology-2700,

    Thanks for the reply.
    I understand that Logon type 3: Commonly it appears when connecting to shared resources (shared folders, printers etc.) and not to the system itself. The connection with logon type = 3 could be established even from a local computer.

    But then it's really really odd that the event has a source IP coming from the internet, right?
    The log looks like this:
    139800-screenshot-1.png

    So you can see the Account Name in this case is: Operador, but the log contains dozens of other accounts.
    And on the Source Network Address we have an external IP.

    So what I'm trying to figure out here is how does an external connection requests logons of type 3.

    Thanks

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.