Cortex XDR Remote account enumeration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR Remote account enumeration

L2 Linker

Hello,

today we have interesting alert

 

At least 33 distinct non-existing accounts failed to remotely log in to XX-Laptop1. Users list: name.user, user name, user.name, username

 

User has no idea - all day at school, behind NAT. What I cannot really understand how terminal service can be used when is user behind NAT and there is no port forwarding and any kind of redirect.

Any idea what to check next?

 

src. IP adresses looks ok via Virus Total

95.143.188.128
95.143.188.126
95.143.188.122
95.143.188.129

LukasB_0-1663265938108.pngLukasB_1-1663266012645.png

 




3 REPLIES 3

L2 Linker

Ok, so the user was not behind NAT, but school Campus with /20 subnet.
Can anyone explain me, why cortex says the SRC_HOSTNAME = MSTSC.EXE? Does it makes sence?

Probably the FW is not switch to the public, so we will have to investigate the GPO.

L2 Linker

We found out that GPO for local firewall was disabled, so once the laptop left domain, it did not switch to the public profile...

Thanks for posting this! This reaffirmed my analysis of a very similar issue! 

Rashele Shoun
  • 4146 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!