Protected User Group triggers Brute force logon success

Forum|Forum|1 year ago
February 17, 2025
1 reply
573 views

Our admin accounts are part of the protected users group, which prevents them from authenticating via NTLM. When an admin connects to a host via RDP, the system first attempts NTLM authentication before heading to Kerberos. This behavior triggers an alert in our SIEM.

Do you have any suggestions on how to adjust the rule to prevent this alert from occurring?

Best regards,

Klaus

cdurkin_FTNT

Staff

Would probably need a little more info on this... but from the above ..

I believe you are probably seeing a 4625 event with a "Reason for Error" populated with "The user is a member of a protected group and must authenticate with Kerberos" ?

Or simply a 4625 event with "Login failed - Unknown user name or bad password.", with the Authentication Method set to "NTLM"

If you have LDAP discovery enabled, your CMDB will contain the "Protected Users" group and membership... so you could look to clone the rule to exclude in the "logon failure" sub pattern, users that are in the Protected Users group AND authentication method = NTLM.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded