Attempted network breaches

1

1etherer

Fully Optimized
Messages
1,878
Location
Earth
Hi All,

We are receiving calls from employees that there accounts are being locked out. It has happened to two IT Admin aswell and we cannot find anything as to why this is happening.. it seems happen to one account at a time so we suspect someone is trying to access the accounts.

Without a successful login we cannot see where the account is trying to be accessed.

So my question is, is there any software we can deploy or GPO script we can use to track attempted logins?

Or any other good ideas are welcome..

P.s we had a senior member of the company the other day have a old work email spoofed and someone was sending out a email with malware on it to 57 email addresses which none of are linked to are company.
 
Last edited:
Sounds like you have someone already inside the company. While they could try to access things like webmail or citrix (or whatever you use for remote) if they have user ID's they more than likely have some internal information.

Enable login audits on your DC's which will give you insight into the failed login attempts:
eventviewer - How to enable Audit Failure logs in Active Directory? - Server Fault
https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

It's really important to find where it's coming from to ensure it's external. I don't know the size of the company, but i would also suggest pushing a password reset to all users.
 
Lexluethar said:
Sounds like you have someone already inside the company. While they could try to access things like webmail or citrix (or whatever you use for remote) if they have user ID's they more than likely have some internal information.

Enable login audits on your DC's which will give you insight into the failed login attempts:
eventviewer - How to enable Audit Failure logs in Active Directory? - Server Fault
https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

It's really important to find where it's coming from to ensure it's external. I don't know the size of the company, but i would also suggest pushing a password reset to all users.
Click to expand...

We have offices in US, UK and Singapore.. around 250 employees and hundreds more consultants who have limited access.

Thanks for the links I will look into this tomorrow when I'm back in the office.

Cheers:cool:
 
All of those users still authenticate through your DC's. It may be a bit more difficult to find out who's account was compromised but enabling auditing on your DC's is a good start.
 
Lexluethar said:
All of those users still authenticate through your DC's. It may be a bit more difficult to find out who's account was compromised but enabling auditing on your DC's is a good start.
Click to expand...

Update - Ive applied the GPO and gpupdate /force on the default DC but when we test it on a machine it is not picking up login failures in the DC event viewer just successful ones which was enabled already, not sure if something else needs to be config?

In the meantime, the lock-outs have seems to stop but want this up and running for when/if they start again!
 
You must log in or register to reply here.

Similar threads

P
I. T. Industry Boom
Replies
0
Views
732
phantom555
P
M
Email Mailbox Sharing Alternative
Replies
1
Views
1K
mahmudulhasanrifat
M
S
Home network dropping
Replies
0
Views
748
Spud5437
S
F
A few facebook issues (mac user)
Replies
0
Views
409
FreeSky
F
S
Would it benefit me joining Discord chat groups?
Replies
0
Views
867
Scissorman
S
Back
Top Bottom