On my Windows Server 2012 R2 machine, Malwarebytes is picking up incoming attempts from malware, riskware, etc. It happens a few times per day and they are always inbound. The IP addresses differ each time, but they are consistently trying port 389 and lsass.exe. They have also tried port 53 and dns.exe. I have both ports blocked in the firewall on the server and have my router firewall enabled.
This started happening after a thwarted ransomware attack with a virus spread from a laptop connecting to the server via VPN. Everything has been thoroughly scrubbed. The drive that had the encrypted files was formatted and the files were restored from a clean cloud backup.
However, I can't for the life of me figure out why I keep seeing these incoming attempts. Is it because this server is now "on the radar" of the attackers, so they just keep trying automatically?