It seems one of my domain controllers in Azure is infected. Something keeps trying to guess passwords for random users such as 'Administrator', 'User2', 'Michael', 'Stacy', etc. Using Process Explorer I was able to identify the process generating event 4776 as being lsass.exe based on the PID contained in the event description. I have cut all outbound communication but port 53 (I need it to forward DNS requests to public DNS servers). This was done at network security group level. On the inbound, only RDP is permitted from a specific public IP. This DC doesn't have a public name but only a public IP, and it is the only DC in the Dev environment.

1. On the local firewall I have denied almost any ports but I am not sure which ones should be kept. I had Microsoft MRT and Windows Defender installed and updated since day 1. Why is this happening?!

2. All other security updates are applied. lsass is a critical process having many concurrent instances - how can I tell which one is the bad one? How can I identify/remove the virus/malware behind this brute force attack? I had a similar problem in early 2011 with the Conficker virus and we opened a CritSit to Microsoft. They helped me identify the lsass instance causing the attack and to remove it using registry settings. Many similar threads on 4776 are opened on TechNet but no one has a clear troubleshooting. So, please, help me out since it is not normal to be under attack when having all security in place. In case it's a new exploit, Microsoft should upgrade Defender.
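Event 4776 ("The computer attempted to validate the credentials for an account") is written by LSASS on the domain controller every time it validates an NTLM credential, so the PID in the event description will always resolve to lsass.exe whether the attempts come from malware on the DC or from a remote client sending guesses through the exposed RDP port. The field that points at the client is "Source Workstation", and the "Error Code" field says why each attempt failed. The script below is an added example and is not code from the poster or from Microsoft: it parses the text of 4776 events, tallies failures per source workstation and account, and flags sources above a threshold. The host names and accounts in the sample events are constructed; the field names and NTSTATUS codes are the ones Windows actually uses. `Get-Live4776Failures` is the only part that touches a real log and needs to run elevated on the DC.

```powershell
# Added example, not from the original post: summarise Security event 4776
# (NTLM credential validation, always reported by lsass.exe on the DC) by the
# "Source Workstation" and "Logon Account" fields, so a stream of guesses can be
# traced to the client sending it rather than to LSASS itself.
# Sample events below are constructed; field names and status codes are real.

# Meaning of the "Error Code" field in a 4776 event.
$Status4776 = @{
    '0x0'        = 'Success'
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000234' = 'Account locked out'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Outside permitted logon hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
}

function ConvertFrom-Event4776Message {
    # Extract account, source workstation and status code from the event's Message text.
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated = (Get-Date))
    $account = if ($Message -match '(?m)^Logon Account:[ \t]*(.*?)[ \t\r]*$')      { $Matches[1] } else { '' }
    $source  = if ($Message -match '(?m)^Source Workstation:[ \t]*(.*?)[ \t\r]*$') { $Matches[1] } else { '' }
    $code    = if ($Message -match '(?m)^Error Code:[ \t]*(0x[0-9A-Fa-f]+)')       { $Matches[1] } else { '' }
    if ($code.Length -gt 2) { $code = '0x' + $code.Substring(2).ToUpper() }   # normalise hex case for lookup
    $reason  = if ($Status4776.ContainsKey($code)) { $Status4776[$code] } else { "Unknown status $code" }
    [pscustomobject]@{
        TimeCreated       = $TimeCreated
        Account           = $account
        SourceWorkstation = $source
        ErrorCode         = $code
        Reason            = $reason
    }
}

function Get-Event4776Summary {
    # One row per source workstation: failure count, distinct accounts tried,
    # how many guesses were for accounts that do not exist (typical of a wordlist).
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 10)
    $Events |
        Where-Object { $_.ErrorCode -ne '0x0' } |
        Group-Object SourceWorkstation |
        ForEach-Object {
            $accounts = $_.Group | Select-Object -ExpandProperty Account -Unique
            [pscustomobject]@{
                SourceWorkstation = if ($_.Name) { $_.Name } else { '<blank>' }
                Failures          = $_.Count
                DistinctAccounts  = @($accounts).Count
                UnknownUsers      = @($_.Group | Where-Object ErrorCode -eq '0xC0000064').Count
                Suspicious        = ($_.Count -ge $Threshold)
                Accounts          = (@($accounts) -join ', ')
            }
        } | Sort-Object Failures -Descending
}

function Get-Live4776Failures {
    # Read real 4776 failures from the local Security log (run elevated on the DC).
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Event4776Message -Message $_.Message -TimeCreated $_.TimeCreated } |
        Where-Object { $_.ErrorCode -ne '0x0' }
}

# Constructed sample: the layout of a 4776 message, filled from a small table.
$template = @"
The computer attempted to validate the credentials for an account.

Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:	{0}
Source Workstation:	{1}
Error Code:	{2}
"@
# account, source workstation, status (hosts and accounts are invented)
$constructed = @(
    @('Administrator', 'GUESSER-HOST', '0xC000006A'),
    @('User2',         'GUESSER-HOST', '0xC0000064'),
    @('Michael',       'GUESSER-HOST', '0xC0000064'),
    @('Stacy',         'GUESSER-HOST', '0xC0000064'),
    @('Administrator', 'GUESSER-HOST', '0xC000006A'),
    @('Administrator', '',             '0xC000006A'),
    @('svc-backup',    'DEV-APP01',    '0x0')
)
$events = foreach ($row in $constructed) { ConvertFrom-Event4776Message -Message ($template -f $row) }
Get-Event4776Summary -Events $events -Threshold 3 | Format-Table -AutoSize
# To run against the real log instead:  Get-Event4776Summary -Events (Get-Live4776Failures -Hours 24)
```

On the sample data the summary shows GUESSER-HOST with five failures across four accounts, three of them for user names that do not exist, and flags it as suspicious; the blank-source row is kept separately because some clients send no workstation name and that field alone is never enough to clear a host. With RDP open only from one public IP, a source workstation that is not the machine behind that IP, or a steady rate of 0xC0000064 results, is the signal to look at the network path rather than at LSASS.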