DavidMarques-7154 asked LimitlessTechnology-2700 answered

Microsoft 365 Defender incident brute force account

Hi,

I need some help clarifying some Logs I'm looking at.

I got an incident registered in Microsoft 365 Defender, whose source is Endpoint and whose description is: Successful logon from known brute-force source on one endpoint.

So I got the investigation package from the machine and found out, looking at the logs, that there is a brute-force attempt, which was successful on one user, from an external IP; this is not even the user who usually uses the machine.
I also got the security log from the machine itself and can see event ID 4624 for the domain user, with logon type 3 (network logon), from the external IP.
So my question is, given that the logon is from an external IP, what are the possible circumstances in which an external IP is doing a brute force on a specific machine on my network?
Does this mean that this machine is compromised and being used for lateral movement?
Or any other plausible explanation for a network logon being done from an external IP?

Thanks

windows-10-security

1 Answer

LimitlessTechnology-2700 answered

Hello DavidMarques,

Indeed, it seems a very unusual event. I would like to clarify that a network logon is very different from a brute-force attack, since the context is not interactive and the credentials are inherited from the session, as opposed to an interactive brute force, where there is a specific trial and error.

About the Logon type 3: Commonly it appears when connecting to shared resources (shared folders, printers etc.) and not to the system itself. The connection with logon type = 3 could be established even from a local computer.

In this case I would suspect a user trying to access an incorrect network resource (likely a shared folder or printer) where they don't have permissions, or with incorrect credentials logged on to their system.



--If the reply is helpful, please Upvote and Accept as answer--

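One practical way to settle the question above from the exported Security log is to correlate failed logons (event 4625) with the successful 4624 logon type 3 from the same source address: a run of 4625s from one IP followed by a 4624 type 3 for the same account is what a successful network brute force looks like, while a type 3 logon with no preceding failures, or with a source of "-" / a private address, is more consistent with ordinary share or printer access. The script below is an added example and is not code from either poster; it works on constructed event records that mirror the 4624/4625 EventData fields (TargetUserName, LogonType, IpAddress, WorkstationName, which is how Get-WinEvent exposes them in the event XML). The internal address ranges, the failure threshold and the time window are assumptions to adjust to your own environment, and the documentation address 203.0.113.45 stands in for the unknown external IP.

```python
"""Correlate Security events 4625 (failed logon) and 4624 (successful logon)
to confirm a "successful logon from a brute-force source".
Added example; the sample events below are constructed, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ranges treated as "internal" here (an assumption; adjust to your address
# plan). Anything else, including the documentation range 203.0.113.0/24
# used in the sample, counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10",
)]


def is_external(ip_text):
    """True for an address outside INTERNAL_NETS. 4624/4625 record '-' when
    no source address applies (local logons); that is not external."""
    if ip_text in ("-", ""):
        return False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_bruteforce_logons(events, min_failures=3, window=timedelta(minutes=10)):
    """One finding per 4624 LogonType 3 that was preceded, within `window`,
    by at least `min_failures` 4625 events from the same IpAddress."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["IpAddress"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, ev in enumerate(evs):
            if ev["EventID"] != 4624 or ev["LogonType"] != 3:
                continue
            failures = [e for e in evs[:i] if e["EventID"] == 4625
                        and ev["TimeCreated"] - e["TimeCreated"] <= window]
            if len(failures) < min_failures:
                continue
            findings.append({
                "ip": ip,
                "external": is_external(ip),
                "user": ev["TargetUserName"],
                "workstation": ev["WorkstationName"],
                "failures": len(failures),
                # many distinct target users points at password spraying
                # rather than a brute force of a single account
                "users_tried": sorted({e["TargetUserName"] for e in failures}),
                "time": ev["TimeCreated"],
            })
    return findings


def _ev(eid, sec, user, ltype, ip, ws):
    """Build a constructed event record with the fields the checks need."""
    return {"EventID": eid, "TimeCreated": datetime(2023, 5, 1, 2, 0, sec),
            "TargetUserName": user, "LogonType": ltype, "IpAddress": ip,
            "WorkstationName": ws}


# Constructed sample: five failures then a success from an external address,
# a normal share access from an internal workstation, and a local logon
# sequence with no source address.
SAMPLE_EVENTS = [
    *[_ev(4625, s, "jdoe", 3, "203.0.113.45", "-") for s in range(0, 50, 10)],
    _ev(4624, 55, "jdoe", 3, "203.0.113.45", "ATTACKER-PC"),
    _ev(4624, 20, "asmith", 3, "10.0.0.5", "WS-042"),
    _ev(4625, 30, "svc_backup", 3, "-", "FILESRV01"),
    _ev(4625, 31, "svc_backup", 3, "-", "FILESRV01"),
    _ev(4625, 32, "svc_backup", 3, "-", "FILESRV01"),
    _ev(4624, 33, "svc_backup", 3, "-", "FILESRV01"),
]

if __name__ == "__main__":
    for f in find_bruteforce_logons(SAMPLE_EVENTS):
        tag = "EXTERNAL brute-force source" if f["external"] else "local/internal"
        print(f"{f['time']:%H:%M:%S} {f['ip']:>14} -> {f['user']} "
              f"({f['failures']} failures, users tried {f['users_tried']}) [{tag}]")
```

On the machine itself the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` with the EventData fields read out of each event's XML; the 4625 Status/SubStatus codes (0xC000006A wrong password versus 0xC0000064 unknown user) are worth adding to the output to tell a password guess against a real account from a user-enumeration sweep.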