Forum Discussion
Suspected brute-force attack and None of the passwords attempted were previously used passwords
Sure is worth investigating
So, I guess this one you already figured out it was a script, or similar, using the wrong password... which for an AI system looks like a brute force attack...
So, this one is benign positive then
Guess "Suspected" is key in this case....
Microsoft Defender for Identity security alert guide - Microsoft Defender for Identity | Microsoft Learn
Microsoft Defender for Identity compromised credentials phase security alerts - Microsoft Defender for Identity | Microsoft Learn
So, it is based on authentication attempts... but I guess it doesn't compare the hashes. But then again, how would it detect a password spray, or know the password wasn't used?
Probably the underlying detection algorithms will not be shared for security reasons. So let's just go with what we know:
Get an alert, investigate