locked
Tracking down cause of "Suspicious authentication failures" alerts RRS feed

  • Question

  • Our site is currently testing the ATA product and we have been receiving random alerts on different servers

    Suspicious authentication failures

    Reason:

    Excessive number of authentication failures from %server name% for %domain admin% who wasn't observed logging int %server name%

    failures are from a production server and failing to log in against the domain admin account.

    I have checked the servers event logs application/ system / security and i do not see anything around the times that it is reported.

    I have looked at services on the server and nothing is configured to run as the account

    I have checked the task scheduler and there is nothing set to run as this account. 

    i used auditpol.exe to enable these additional subcategories (both success and failures) but still am not seeing anything in the security event log.

    Kerberos Authentication Service
    Kerberos Service Ticket Operations
    Account Lockout
    Logoff
    Other logon/Logoff Events
    Special Logon

    What can i do to track this down and prove that its a false positive or correct the issue, from the message on the alert it seams that the server in question is attempting to authenticate

    Wednesday, July 11, 2018 1:51 PM

All replies

  • Hello,

    You can follow the procedures introduced in the Suspicious activity guide below.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide#suspicious-authentication-failures

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 12, 2018 8:14 AM
  • This doesn't really help me. 

    We have already Identified the account that is being used, Domain admin and the servers where it is coming from.

    I have looked through the event log on the servers and there is nothing logged regarding the attempts to log in using the credentials, even with the additional logging I enabled via auditpol. 

    I am looking to find out exactly what is trying to authenticate using the domain admin credentials and what it is trying to access.  Just changing the password and making it complex does not solve a problem if there is a compromised device on the network.  I need to identify if this is a legitimate threat or if its a false positive and what is causing it/how to identify it in the future.

    Monday, July 16, 2018 3:30 PM
  • Have you searched your win sec logs for pre-authentication failures? The reason is also in the ATA excel file download. I believe event 4771. Typically cached creds, TS or RDP sessions left open after a pwd change, mapped printers and drives trying to auth in the background. Hope this helps.

    • Edited by clarked Thursday, July 19, 2018 7:28 PM
    Wednesday, July 18, 2018 4:59 PM