https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/515007#M1747 <P>Ok, so the user was not behind NAT, but school Campus with /20 subnet.<BR />Can anyone explain me, why cortex says the SRC_HOSTNAME = MSTSC.EXE? Does it makes sence?<BR /><BR />Probably the FW is not switch to the public, so we will have to investigate the GPO.<BR /><BR /></P> Thu, 15 Sep 2022 19:35:31 GMT LukasB 2022-09-15T19:35:31Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/515002#M1746 <P>Hello,</P> <P>today we have interesting alert</P> <P>&nbsp;</P> <P><SPAN>At least 33 distinct non-existing accounts failed to remotely log in to XX-Laptop1. Users list: name.user, user name, user.name, username</SPAN></P> <P>&nbsp;</P> <P><SPAN>User has no idea - all day at school, behind NAT. What I cannot really understand how terminal service can be used when is user behind NAT and there is no port forwarding and any kind of redirect.<BR /><BR />Any idea what to check next?</SPAN></P> <P>&nbsp;</P> <P><SPAN>src. IP adresses looks ok via Virus Total</SPAN></P> <P><SPAN>95.143.188.128<BR />95.143.188.126<BR />95.143.188.122<BR />95.143.188.129<BR /><BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LukasB_0-1663265938108.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43884i1924F7465DC22A12/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="LukasB_0-1663265938108.png" alt="LukasB_0-1663265938108.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LukasB_1-1663266012645.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43885iC825A28960F22EBE/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="LukasB_1-1663266012645.png" alt="LukasB_1-1663266012645.png" /></span></P> <P>&nbsp;</P> <P><SPAN><BR /><BR /><BR /></SPAN></P> Thu, 15 Sep 2022 18:21:41 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/515002#M1746 LukasB 2022-09-15T18:21:41Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/515007#M1747 <P>Ok, so the user was not behind NAT, but school Campus with /20 subnet.<BR />Can anyone explain me, why cortex says the SRC_HOSTNAME = MSTSC.EXE? Does it makes sence?<BR /><BR />Probably the FW is not switch to the public, so we will have to investigate the GPO.<BR /><BR /></P> Thu, 15 Sep 2022 19:35:31 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/515007#M1747 LukasB 2022-09-15T19:35:31Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/520020#M1789 <P>We found out that GPO for local firewall was disabled, so once the laptop left domain, it did not switch to the public profile...</P> Wed, 02 Nov 2022 17:22:35 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/520020#M1789 LukasB 2022-11-02T17:22:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/558392#M2003 <P>Thanks for posting this! This reaffirmed my analysis of a very similar issue!&nbsp;</P> Mon, 18 Sep 2023 15:33:36 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cortex-xdr-remote-account-enumeration/m-p/558392#M2003 Rashele-Shoun 2023-09-18T15:33:36Z