This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 40%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZR%3C/text%3E%3C/svg%3E)
Hi guys,
Today when i was inspecting security event logs at active directory server i realised we are recieving constant password brute force attacks from different user accounts.
Usernames were seeming to be coming from a rainbow table as; Jessie, Jaxon, Clare...so on
Source workstation is also seeming to be different on each try as; Windows7, Remmina, Windows2019, Windows10, FreeRDP... (these hosts does not seem to appear on network when i do nslookup control)
The question is i have no identifier to reach an ip address to reach the attacker device.
I am adding an example log output and info i got, and i need guidance to reach further information on which device is sending this requests.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Matthew
Source Workstation: FreeRDP
Error Code: 0xC0000064
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Is your server connected to internet?
They are from outside your network, is that correct?
No clues if they are insider or outside originated. Thats what i want to find out.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 24%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
step 1 is to block this IP on you network device like firewall , or something .
Unblock it only when you verify who was the owner of device and IP source is trusted.
Block this ip, which ip, i only have user and hostname information at logs, user information is random generated and also hostname is random generated.
I can packet capture on Active directory server and try to match packets with event logs checking time of actions i know, but is there a way to find ip from elsewhere?
Finally removing all 3th party apps from client device stopped the AD traffic. Didnt have time to deep analyse the issue so no suspects were found.