Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023) Reset their passwords and enable MFA or, if you have configured the relevant high-risk user policies in Azure Active Directory Identity Protection, you can use the Confirm user compromised action in the Defender for Cloud Apps portal. Look for users who were logged on around the same time as the activity occurred, as these users may also be compromised.Find the tool that performed the attack and remove it.Suggested remediation and steps for prevention
To enable NTLM auditing, turn on Windows Event 8004 (NTLM authentication event that includes information about the source computer, user account, and the server the source machine tried to access). If you frequently have devices that display as Workstation or MSTSC, make sure to enable NTLM auditing on the relevant domain controllers to get the true source computer name.
Using Windows Event 4776 to capture this information, the source field for this information is occasionally overwritten by the device or software to display only Workstation or MSTSC. Defender for Identity captures the source computer data based on Windows Event 4776, which contains the computer defined source computer name.
If the authentication was made using NTLM, in some scenarios, there may not be enough information available about the server the source computer tried to access. If the owner of the source computer used the honeytoken account to authenticate, using the exact method described in the alert, Close the security alert, as a B-TP activity. Any activity from them might indicate malicious behavior.įor more information on honeytoken accounts, see Configure detection exclusions and honeytoken accounts.Ĭheck if the owner of the source computer used the Honeytoken account to authenticate, using the method described in the suspicious activity page (for example, Kerberos, LDAP, NTLM). Honeytoken accounts should be left unused while having an attractive name to lure attackers (for example, Honeytoken accounts are decoy accounts set up to identify and track malicious activity that involves these accounts.
In this tutorial, you'll learn how to understand, classify, remediate and prevent the following types of attacks: The following security alerts help you identify and remediate Compromised credential phase suspicious activities detected by Defender for Identity in your network. For information about True positive (TP), Benign true positive (B-TP), and False positive (FP), see security alert classifications. To learn more about how to understand the structure, and common components of all Defender for Identity security alerts, see Understanding security alerts. Microsoft Defender for Identity identifies these advanced threats at the source throughout the entire attack kill chain and classifies them into the following phases: Typically, cyber-attacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets – such as sensitive accounts, domain administrators, and highly sensitive data.