4776 is for NTLM authentication. Unless the attempt is made directly against the domain controller, you will not see the event 4625 with the source IP on your DCs. You will see the event on the server being "attacked". And since you don't have the info in the 4776... You need more data :) And you can get that data by enabling NTLM auditing (you can follow this procedure to enable it on your DCs: https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#event-id-8004). Once this is on, you will get an event 8004 in the NTLM/Operational event log with the name of the server being attacked.
Detect real source brute force attacker
Hello to all,
I hope for your support with a problem that I have encountered these days. I have a DC Windows 2012 R2 server from which I receive random notifications (I had configured a task notification for failed login attempts, 4776, and account lockouts). Going to see the logs, I see that the Source Workstation always changes, with random names, thus defeating any attempt to identify the source machine.
No server is exposed to the Internet, so the attack is certainly coming from the internal network, but how do you think it is possible to identify the real IP address of the attacker?
Thank you!
Andrew
Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
2021-11-23T02:48:06.65+00:00
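As an added example (not code from the thread, from Microsoft, or from any poster): a PowerShell helper that follows the two-step approach above, first summarising 8004 events on the DC by the member server that relayed the NTLM request, then reading the 4625 events on that server, which carry the client IP. The event data field names used (SChannelName, WorkstationName, UserName, IpAddress, TargetUserName) are assumed from the 8004 and 4625 event XML; check them against one event on your own build.

```powershell
# Added example, not from the thread. Field names below are assumed from the
# 8004 / 4625 event XML; verify against a sample event before relying on them.

function ConvertFrom-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-NtlmAuditSummary {
    # Step 1: on a DC with NTLM auditing enabled, group 8004 events by the
    # server that forwarded the logon. One server fronting many distinct
    # "workstation" names is the pattern described in the question.
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24)

    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction Stop

    $rows = foreach ($e in $events) {
        $data = ConvertFrom-EventData $e
        [pscustomobject]@{
            Server      = $data['SChannelName']     # member server that relayed the request
            Workstation = $data['WorkstationName']  # client-supplied, can be random or spoofed
            User        = $data['UserName']
        }
    }
    $rows | Group-Object Server | Sort-Object Count -Descending | Select-Object Name, Count,
        @{ n = 'DistinctWorkstations'; e = { @($_.Group.Workstation | Sort-Object -Unique).Count } }
}

function Get-FailedLogonSources {
    # Step 2: on the server found in step 1, read 4625 (needs "Audit Logon"
    # failure auditing enabled there) and rank the client IP addresses.
    param([Parameter(Mandatory)][string]$Server, [int]$Hours = 24)

    $events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction Stop

    $rows = foreach ($e in $events) {
        $data = ConvertFrom-EventData $e
        [pscustomobject]@{ Ip = $data['IpAddress']; User = $data['TargetUserName'] }
    }
    $rows | Group-Object Ip | Sort-Object Count -Descending | Select-Object Name, Count
}

# Usage: Get-NtlmAuditSummary -DomainController 'DC01'
#        Get-FailedLogonSources -Server '<server name from step 1>'
```

The 4625 IpAddress is the network source of the failed logon, unlike the workstation name in 4776/8004, which the client chooses and can be randomised.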
Limitless Technology 39,921 Reputation points
2021-11-22T20:53:26.203+00:00
Hello @Anonymous
If the login attempts are made using a computer account, there is a likelihood of a distributed attack or of malware spreading through the network.
I would recommend updating the security signatures to the latest version on some of the Source Workstations detected, to try and identify the attack source.
If nothing is reported by the scans, I would recommend reporting it to the Microsoft Security Response Center
https://www.microsoft.com/en-us/msrc
Hope this helps with your query,
MotoX80 36,291 Reputation points
2021-11-22T21:35:42.13+00:00
Do you see any event id 4625's? If not, you may need to modify your audit policies.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
Andrea 276 Reputation points
2021-11-24T18:03:21.157+00:00
Thank you for your answers. I've enabled NTLM auditing, but the attacker is no longer present in the server event logs.
Is there some software to monitor this kind of attack and respond to it automatically (IPS)?