AD brute force attack

Özgür Gül 1 Reputation point
2022-06-28T14:17:39.22+00:00

Hi guys,

Today when I was inspecting the security event logs on the Active Directory server, I realised we are receiving constant password brute force attacks against different user accounts.

The usernames seem to be coming from a rainbow table: Jessie, Jaxon, Clare... and so on.

The source workstation also seems to be different on each try: Windows7, Remmina, Windows2019, Windows10, FreeRDP... (these hosts do not appear on the network when I do an nslookup check).

The problem is that I have no identifier that leads me to an IP address, so I cannot reach the attacking device.

I am adding an example log output and the info I got, and I need guidance on how to get further information on which device is sending these requests.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Matthew
Source Workstation: FreeRDP
Error Code: 0xC0000064
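Event 4776 (authentication package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, i.e. NTLM credential validation on the DC) never records an IP address; its Source Workstation field is a free-text string supplied by the client, which is why names like FreeRDP and Remmina (both RDP client programs) show up. The IP lives in the 4625 failed-logon event (IpAddress/IpPort) on whichever host the attacker actually connected to, which is the DC only if the DC's RDP/SMB is what is being hit; otherwise it is a member server that forwarded the NTLM validation to the DC. The script below is an added example, not part of the original question or answer: it pulls the failed 4776 events, then the 4625 events with their source IPs, and optionally queries the NTLM audit log (event 8004 in Microsoft-Windows-NTLM/Operational, which names the member server that forwarded the request and only exists if the "Audit NTLM authentication in this domain" policy is enabled). The 24-hour window and the server list in `$MemberServers` are assumptions to adjust.

```powershell
# Added example (not from the original post). Run on the domain controller as an
# administrator; the 24-hour window and $MemberServers are assumed values.
$Since = (Get-Date).AddHours(-24)
$MemberServers = @('RDS01', 'FILE01')   # assumption: hosts exposing RDP/SMB to the network

# Turn an event's EventData into a name -> value hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 1) 4776: NTLM credential validation on the DC. Status 0x0 is success; 0xC0000064
#    means the account does not exist. Workstation is attacker-controlled text, no IP.
$failed4776 = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4776; StartTime = $Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.Status -ne '0x0') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d.TargetUserName
                Workstation = $d.Workstation
                Status      = $d.Status
            }
        }
    }
"Failed 4776 credential validations by claimed workstation name:"
$failed4776 | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2) 4625: failed logons. This is the event that carries the source IP. Logon type 3
#    is network (SMB), 10 is RemoteInteractive (RDP). Run it on the DC first, then on
#    every member server the attacker could be hitting directly.
function Get-FailedLogonSources {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4625; StartTime = $StartTime} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            [pscustomobject]@{
                Host        = $env:COMPUTERNAME
                Time        = $_.TimeCreated
                User        = $d.TargetUserName
                Workstation = $d.WorkstationName
                IP          = $d.IpAddress
                Port        = $d.IpPort
                LogonType   = $d.LogonType
                SubStatus   = $d.SubStatus
            }
        }
}
$failed4625 = @(Get-FailedLogonSources -StartTime $Since)
$failed4625 += Invoke-Command -ComputerName $MemberServers -ScriptBlock ${function:Get-FailedLogonSources} -ArgumentList $Since -ErrorAction SilentlyContinue
"Failed 4625 logons by source IP (this is what to block at the firewall):"
$failed4625 | Where-Object { $_.IP -and $_.IP -ne '-' } |
    Group-Object Host, IP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3) Optional: NTLM auditing on the DC (policy "Network security: Restrict NTLM:
#    Audit NTLM authentication in this domain"). Event 8004 records the Secure Channel
#    Name, i.e. the member server that forwarded the request, so you know where to
#    look for the 4625 with the IP when the DC itself has none.
Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.UserName; Workstation = $d.WorkstationName; ForwardedBy = $d.SChannelName }
    } | Group-Object ForwardedBy | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the DC shows the 4776 flood but no matching 4625 with an IP, the requests are being relayed by a member server; the 8004 output (or, without NTLM auditing, running the 4625 query on each server with RDP or SMB reachable from the attacker's side) points at that server, and its 4625 events hold the IP to block. Blocking by the Source Workstation string is pointless since the client chooses it.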


1 answer

  1. Mohammed Altamash Khan 1,316 Reputation points
    2022-06-28T15:58:22.16+00:00

    Step 1 is to block this IP on your network device, like a firewall or something similar.
    Unblock it only when you have verified who the owner of the device is and the source IP is trusted.