Jeroen_van_der_Broek
Copper Contributor
Joined 3 years ago
Recent Discussions
Re: Suspected brute-force attack and None of the passwords attempted were previously used passwords
I would indeed assume this based on the message/event. But then again, it does not know if you try different passwords, only that it is different from old known passwords. I am sure this account is not under brute-force attack.
50K Views, 0 likes, 1 Comment

Suspected brute-force attack and None of the passwords attempted were previously used passwords
Suspected brute-force attack (Kerberos, NTLM) and None of the passwords attempted were previously used passwords. This makes me wonder. It knows it is a password that was not used before. But did the account try to log in 100 times with this password, or did it try 100 times with 100 passwords that were not used before? If it is 100 tries with just 1 never-used password, it is possibly just someone who made a typo in a script (password), for example. If it was 100 different passwords, it is a much bigger issue. I cannot find in the documentation how I should read this. I am also not aware if there is an option to figure this out (Kusto query, for example). Does anyone have an idea?
50K Views, 0 likes, 4 Comments

The new local admin lock is great but locks not detected (shown) by Defender.
The new local admin lock (KB5020282—Account lockout available for built-in local administrators (microsoft.com)) is great, but locks are not detected (shown) by Defender Endpoint. I tried the new function, and after it locks it generates an event ID 4740. But I noticed this is not being picked up, although the server is onboarded. We do not have all the systems connected to OMS, and this is also not going to happen soon. For now we will pick the event up with SCOM. But it would be nice if this alert showed up in the endpoint for Defender portal.
1.1K Views, 0 likes, 0 Comments