2022-12-21

During a different engagement, X-Force was notified by a client that their security team had detected a brute force attack against their internal Microsoft Active Directory. The client had not detected any successful authentications associated with the attack but was beginning to receive complaints of account lockouts. They were unable to determine the source of the attack.

In normal circumstances, the client's security team would use the default authentication events stored in the Windows Event Log (in this case, Event ID 4625) to track the source of the authentication attempt by either the Source Network Address or Workstation Name attribute. However, in this case, the security team was unable to locate any events with ID 4625.

X-Force investigated the logs from the domain controller and identified a common logging pattern indicating that an external endpoint was attempting to authenticate using the NT LAN Manager (NTLM) protocol rather than Kerberos. In this scenario, the domain controller logs consecutive events with event ID 4776, followed by an event ID 4740 indicating that the user account has been locked out.

Event ID 4776 is logged when a domain controller validates account credentials using NTLM rather than Kerberos. 4776 events are also logged for local SAM authentication on Windows workstations and servers, as NTLM is the default authentication mechanism there.

According to the client’s IT and security team, the source workstation referenced in 4776 events was not a member of their domain and they had no endpoints registered with that name in any of their network or asset management tools.

To track down the source of the authentication attempts, X-Force instructed the client to enable Netlogon debug logging on their domain controllers. Netlogon debug logs are stored in C:\Windows\debug\netlogon.log and capture the name of the target machine involved in the authentication attempt. X-Force requested that the client provide the logs from the target machine recovered from the Netlogon debug logs; however, the client's security and IT teams had no record of the target system being a valid endpoint within their domain.
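To make the Netlogon pivot concrete, here is an added example (not from the original article) that parses constructed netlogon.log lines and counts failed SamLogon records per source host and relay, so the originating machine and the locked-out accounts stand out. The line layout, the SAMPLE lines and the NTSTATUS mapping are assumptions; check them against your own debug log before relying on the regex.

```python
import re
from collections import Counter

# Assumed Netlogon.log line shape (not shown on the original page; verify against your own logs):
#   MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: <type> logon of DOMAIN\user from SOURCE (via RELAY) Returns 0x...
LINE_RE = re.compile(
    r"SamLogon: (?P<type>.+?) logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# NTSTATUS values that indicate a failed guess or the resulting lockout (assumed mapping of well-known codes)
FAILURE_CODES = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
    "0xC000006D": "bad user name or password",
}

# Constructed sample: relayed NTLM failures from an unknown host via a member server, plus one benign success
SAMPLE = """\
12/21 09:14:01 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from UNKNOWN-HOST (via FILESRV01) Entered
12/21 09:14:01 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from UNKNOWN-HOST (via FILESRV01) Returns 0xC000006A
12/21 09:14:02 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\asmith from UNKNOWN-HOST (via FILESRV01) Returns 0xC000006A
12/21 09:14:03 [LOGON] [2140] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from UNKNOWN-HOST (via FILESRV01) Returns 0xC0000234
12/21 09:20:11 [LOGON] [2140] CORP: SamLogon: Network logon of CORP\\bwayne from WS-0421 Returns 0x0
""".splitlines()

def parse_failures(lines):
    """Yield (account, source, via, status) for every failed SamLogon 'Returns' record."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # 'Entered' lines and unrelated records carry no result code
        status = "0x" + m.group("status")[2:].upper()
        if status in FAILURE_CODES:
            yield m.group("account"), m.group("source"), m.group("via"), status

def summarize_sources(lines):
    """Count failures per (source, via) pair; the top entry is the host to chase down."""
    counts = Counter()
    for _account, source, via, _status in parse_failures(lines):
        counts[(source, via)] += 1
    return counts

def locked_accounts(lines):
    """Accounts whose failures ended in 0xC0000234, i.e. the ones generating lockout complaints."""
    return {acct for acct, _, _, status in parse_failures(lines) if status == "0xC0000234"}
```

The source name is the value to compare against your asset inventory, and the via host is the member server that relayed the NTLM validation to the domain controller.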