Attempted network breaches

1etherer

Hi All,

We are receiving calls from employees that their accounts are being locked out. It has happened to two IT admins as well, and we cannot find anything as to why this is happening. It seems to happen to one account at a time, so we suspect someone is trying to access the accounts.

Without a successful login we cannot see where the account is being accessed from.

So my question is, is there any software we can deploy or GPO script we can use to track attempted logins?

Or any other good ideas are welcome.

P.S. The other day a senior member of the company had an old work email spoofed, and someone was sending out an email with malware on it to 57 email addresses, none of which are linked to our company.
 

Lexluethar

Sounds like you have someone already inside the company. While they could try to access things like webmail or Citrix (or whatever you use for remote access), if they have user IDs they more than likely have some internal information.

Enable logon auditing on your DCs, which will give you insight into the failed login attempts:
eventviewer - How to enable Audit Failure logs in Active Directory? - Server Fault
https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

It's really important to find where it's coming from to ensure it's external. I don't know the size of the company, but I would also suggest pushing a password reset to all users.
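Once failure auditing is on, the question in the opening post (where is the account being accessed from?) can be answered from the DC Security logs. The following is an added example, not code from this thread: it pulls 4740 (account locked out) events from the PDC emulator, which is the only DC that writes them, and then collects the preceding 4771 (Kerberos pre-auth failure), 4776 (NTLM credential validation failure) and 4625 (logon failure on the DC itself) events from every DC, since the bad attempts can hit any of them. It assumes the RSAT ActiveDirectory module is installed and that the account name (`jsmith`) is a hypothetical placeholder.

```powershell
# Added example: trace the source of AD account lockouts from DC Security logs.
# Assumes the ActiveDirectory RSAT module and that failure auditing is enabled
# for Account Lockout, Logon, Kerberos Authentication Service and Credential Validation.
param(
    [string]$User  = 'jsmith',   # hypothetical account to investigate
    [int]   $Hours = 24
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# Turn one event's EventData into a name -> value hashtable (field names differ per event ID).
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 4740 is written on the PDC emulator only, so query it directly.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $d['TargetUserName']
            # Quirk of 4740: the "Caller Computer Name" is carried in the field named TargetDomainName.
            Source  = $d['TargetDomainName']
        }
    } | Where-Object { $_.Account -eq $User }

"Lockouts for $User (from PDC emulator $pdc):"
$lockouts | Sort-Object Time | Format-Table -AutoSize

# The failed attempts that caused the lockout may have been processed by ANY DC.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = $since
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Id     = $_.Id
                User   = $d['TargetUserName']
                # 4771/4625 carry IpAddress; 4776 carries the client Workstation name instead.
                From   = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
                # 4771 Status 0x18 = bad password; 4776 Status 0xC000006A = bad password,
                # 0xC0000234 = account locked; 4625 SubStatus gives the detailed reason.
                Status = if ($d['SubStatus']) { $d['SubStatus'] } else { $d['Status'] }
            }
        }
}

"Failed authentication attempts for $User across $($dcs.Count) DCs:"
$failures | Where-Object { $_.User -eq $User } |
    Sort-Object Time | Format-Table -AutoSize
```

Run it as a domain admin from a management host with RSAT. The `Source`/`From` column is the machine that submitted the bad credentials: if it is a user workstation, look for a stale saved password, mapped drive or scheduled task there; if it is an Exchange, Citrix or VPN front end, that server's own logs are the next hop, because the DC only sees the front end's address.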
 

1etherer

We have offices in the US, UK and Singapore, around 250 employees and hundreds more consultants who have limited access.

Thanks for the links, I will look into this tomorrow when I'm back in the office.

Cheers
 

Lexluethar

All of those users still authenticate through your DCs. It may be a bit more difficult to find out whose account was compromised, but enabling auditing on your DCs is a good start.
 

1etherer

Update: I've applied the GPO and run gpupdate /force on the default DC, but when we test it on a machine it is not picking up login failures in the DC event viewer, just successful ones, which were enabled already. Not sure if something else needs to be configured?

In the meantime the lockouts seem to have stopped, but I want this up and running for when/if they start again!
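When a GPO is applied but no failure events show up, the usual cause is that the policy being set is not the one the DC is honouring. Windows has two audit policy layers: the legacy nine categories (Local Policies > Audit Policy, e.g. "Audit logon events") and the Advanced Audit Policy subcategories; once any subcategory setting is in effect, the legacy categories are ignored unless "Audit: Force audit policy subcategory settings ... to override" is disabled. The built-in `auditpol` tool shows what is actually in force. The following is an added example, not code from this thread; it is meant to be run on a DC (the GPO must be linked to the Domain Controllers OU for it to apply there), and the `/set` step at the end is a local test that a GPO refresh may overwrite.

```powershell
# Added example: verify which audit subcategories are really in effect on a DC,
# and which layer (legacy category vs. advanced subcategory) is being honoured.
# Run on the DC itself, or wrap in Invoke-Command -ComputerName <dc>.

# Subcategories that produce the events needed to trace lockouts:
$wanted = @(
    'Logon',                           # 4624 / 4625 on the machine that processed the logon
    'Account Lockout',                 # 4740 on the PDC emulator
    'Kerberos Authentication Service', # 4768 / 4771 for Kerberos domain logons
    'Credential Validation'            # 4776 for NTLM authentication
)

# auditpol /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,
# Inclusion Setting,Exclusion Setting. This is the effective policy as LSA applies it.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

"Effective audit settings for the subcategories that matter here:"
$effective |
    Where-Object { $wanted -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# Registry value behind "Audit: Force audit policy subcategory settings (Windows Vista or
# later) to override audit policy category settings". 1 (the default once any advanced
# setting is applied) means the legacy "Audit logon events" category is ignored entirely.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
                -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy = $override  (1 = only subcategory settings apply)"

# Does a recent failure event exist at all? If none in 24h while failed logons are known
# to have happened, the subcategory above is the thing to fix, not the Event Viewer filter.
$since = (Get-Date).AddHours(-24)
$count = (Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $since
        } -ErrorAction SilentlyContinue | Measure-Object).Count
"Failure events (4625/4771/4776) in the last 24h on this DC: $count"

# Local test only: turn on failure auditing for the subcategories above. A GPO refresh
# may reset this, so the durable fix is the same setting under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Advanced Audit Policy Configuration in the GPO linked to the Domain Controllers OU.
foreach ($s in $wanted) {
    auditpol /set /subcategory:"$s" /failure:enable | Out-Null
}
auditpol /get /subcategory:"Logon"
```

If `auditpol` shows "No Auditing" or "Success" only for Logon and Kerberos Authentication Service, the GPO is either not reaching the DC (check `gpresult /h report.html` on the DC) or is setting the legacy category while the override flag is 1, in which case move the setting to Advanced Audit Policy Configuration in the same GPO.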
 