Microsoft 365 Defender incident brute force account

David Marques 41 Reputation points
2021-10-07T15:44:36.247+00:00

Hi,

I need some help clarifying some Logs I'm looking at.

I got an incident registered on Microsoft 365 Defender, whose source is Endpoint and whose description is: Successful logon from known brute-force source on one endpoint.

So I got the investigation package from the machine and, looking at the logs, found out that there is a brute force attempt, which was successful on one user, from an external IP; it is not even the user who usually uses the machine.
I also got the security log from the machine itself and can see the event ID 4624 on the domain user, with logon type 3 (network logon), from the external IP.
So my question is, being the logon from an external IP, what are the possible circumstances that an external IP is doing a brute force on a specific machine on my network?
Does this mean that this machine is compromised and being used for lateral movement?
Or any other plausible explanation for a network logon being done from an external IP?

Thanks

Windows 10 Security

1 answer

  1. Limitless Technology 39,371 Reputation points
    2021-10-08T08:51:29.693+00:00

    Hello DavidMarques,

    Indeed it seems a very unusual event. I would like to clarify that a Network Logon is very different from a Brute Force attack, since the context is not interactive and the credentials are inherited from the session, as opposed to an Interactive brute force where there is a specific trial/error.

    About the Logon type 3: Commonly it appears when connecting to shared resources (shared folders, printers etc.) and not to the system itself. The connection with logon type = 3 could be established even from a local computer.

    In this case I would suspect a user trying to access an incorrect network resource (likely a shared folder or printer) where they don't have permissions, or with incorrect credentials logged on their system.


    --If the reply is helpful, please Upvote and Accept as answer--

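The triage the question describes (a 4624 logon type 3 from an external IP, flagged by Defender as following a brute-force source) can be checked directly against the exported Security log. The following is an added example, not code from the poster or from Microsoft: it reads constructed 4624/4625 records with the fields the poster mentions and reports network logons from external addresses that were preceded by a burst of failures from the same IP; the internal ranges, the window and the failure threshold are assumptions to adjust.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records mimicking Security-log events 4624/4625
# (EventID, LogonType, IpAddress, TargetUserName); not from the poster's package.
def _ev(eid, mmss, user, ip, ltype=3):
    return {"id": eid, "time": f"2021-10-07T14:{mmss}", "user": user, "ip": ip, "type": ltype}

SAMPLE_EVENTS = (
    [_ev(4625, f"58:{s:02d}", "jdoe", "203.0.113.45") for s in (1, 3, 5, 7, 9, 11)]
    + [_ev(4624, "58:13", "jdoe", "203.0.113.45")]        # success right after the failures
    + [_ev(4625, f"59:{s:02d}", "svc-backup", "10.0.0.12") for s in (0, 2, 4, 6, 8)]
    + [_ev(4624, "59:10", "svc-backup", "10.0.0.12")]     # internal source: not an external hit
    + [_ev(4624, "59:30", "asmith", "198.51.100.7")]      # external but no prior failures
)

# Ranges treated as internal; adjust to the organisation's address plan (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_external(ip):
    """True for an address outside INTERNAL_NETS; '-' and other placeholders are not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def find_bruteforce_successes(events, window_minutes=60, min_failures=5):
    """Return 4624 logon-type-3 events from external IPs that were preceded, within
    window_minutes, by at least min_failures 4625 failures from the same IP."""
    failures = defaultdict(list)   # ip -> timestamps of 4625 events seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures[ev["ip"]].append(t)
        elif ev["id"] == 4624 and ev["type"] == 3 and is_external(ev["ip"]):
            recent = [f for f in failures[ev["ip"]] if t - f <= timedelta(minutes=window_minutes)]
            if len(recent) >= min_failures:
                hits.append({**ev, "prior_failures": len(recent)})
    return hits

if __name__ == "__main__":
    for h in find_bruteforce_successes(SAMPLE_EVENTS):
        print(f"{h['time']} {h['user']} network logon from {h['ip']} after {h['prior_failures']} failures")
```

A hit means the source IP, not the local user, should drive the next step: confirm whether that address is supposed to reach the host's network services at all (SMB, RDP, WinRM), since a type 3 logon from outside the perimeter is what an exposed service plus a guessed password looks like.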