Multiple UserLogonFailures - 4776
Posted 7/8/2016 5:29:58 PM
Forum Newbie
Group: Forum Members
Last Login: 7/22/2014 1:18:09 PM
Posts: 2, Visits: 0
I am getting multiple logon attempts from a device "Windows7", or "FreeRDP" (not a domain PC or device) that is trying various usernames that do not exist. I think this is some sort of malicious software, but I am unable to pinpoint it in the logs. Is there a way to enable debugging on the domain controller(s) where I can get a valid source IP address? Please see the below error logs from event monitor (fed from servers):


Event Name: UserLogonFailure
EventInfo: Account "Ghost4536User" used for logon failed from "Windows7"
InsertionIP: HYPERION.AAG.local
Manager: swi-lem
DetectionIP: HYPERION.AAG.local
InsertionTime: 11:43:36 Fri Jul 08 2016
DetectionTime: 11:43:35 Fri Jul 08 2016
Severity: 4
ToolAlias: Vista Security
InferenceRule:
ProviderSID: Microsoft-Windows-Security-Auditing 4776
ExtraneousInfo: Error Code: 0xc0000064 Error: user name does not exist
SourceAccount:
SourceDomain:
SourceLogonID:
DestinationAccount: Ghost4536User
DestinationDomain:
DestinationLogonID:
DestinationAccountType:
SourceMachine: Windows7
DestinationMachine: HYPERION.AAG.local
PrivilegesExercised:
LogonProcess:
AuthPackage: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
LogonType:
FailureReason: user name does not exist
FailureCount:
IsThreat: false
Post #5231
Posted 7/8/2016 6:50:23 PM
Forum Newbie
Group: Forum Members
Last Login: 7/22/2014 1:18:09 PM
Posts: 2, Visits: 0
Has anyone encountered this issue before?
Post #5232
Posted 7/14/2016 10:38:00 AM
Forum Newbie
Group: Forum Members
Last Login: 7/14/2016 10:32:30 AM
Posts: 1, Visits: 0
Currently encountering this exact issue, and it looks like it started a few days ago. Same random computer and usernames ("Windows7", "АДМІНІСТРАТОР", "SERVER-PC", etc.) that are attempting to authenticate against our DCs.

Just starting to dig into where it's coming from.
Post #5234
Posted 7/24/2016 3:12:40 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
Check to ensure that RDP is not allowed externally. If RDP is open to the Internet you will receive brute force attempts from bots.
Post #6238
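The original post asks how to get a source IP for these 4776 failures, and the moderator points at RDP exposed to the Internet. Event 4776 on the DC only records the workstation name the client claimed ("Windows7", "FreeRDP"), but the 4625 logon-failure events on the server that actually terminated the RDP connection carry the client IpAddress, so the two can be joined on that workstation name. The script below is an added example, not code from anyone in this thread; the DC name comes from the alert above, while MEMBERSERVER01 and the 24-hour window are placeholders.

```powershell
# Added example: join DC 4776 failures (no IP) with 4625 failures on RDP-facing
# hosts (which include IpAddress) using the client-supplied workstation name.
# Assumes the caller can read the remote Security logs over RPC.
$Dc       = 'HYPERION.AAG.local'        # DC from the alert in the thread
$RdpHosts = @('MEMBERSERVER01')         # placeholder: servers that expose RDP
$since    = (Get-Date).AddHours(-24)    # placeholder window

# Pull one named <Data> field out of an event's XML payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. 4776 on the DC: keep only 0xC0000064 (user name does not exist), the
#    status seen in the thread, and summarise by claimed workstation.
$nonexistent = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = Get-EventField $_ 'TargetUserName'
            Workstation = Get-EventField $_ 'Workstation'
            Status      = Get-EventField $_ 'Status'   # -eq below is case-insensitive
        }
    } | Where-Object { $_.Status -eq '0xC0000064' }

$nonexistent | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'SampleUsers'; e = { ($_.Group.User | Select-Object -Unique -First 5) -join ', ' } } |
    Format-Table -AutoSize

# 2. 4625 on each RDP-facing host: WorkstationName matches what 4776 saw, and
#    IpAddress is the real client address to block or report.
$names = $nonexistent.Workstation | Select-Object -Unique
foreach ($h in $RdpHosts) {
    Get-WinEvent -ComputerName $h -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
        ForEach-Object {
            [pscustomobject]@{
                Host        = $h
                Workstation = Get-EventField $_ 'WorkstationName'
                IpAddress   = Get-EventField $_ 'IpAddress'
                LogonType   = Get-EventField $_ 'LogonType'   # 3 for RDP with NLA, 10 for classic RDP
            }
        } | Where-Object { $_.Workstation -in $names } |
        Group-Object IpAddress | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'IpAddress'; e = 'Name' },
            @{ n = 'Workstations'; e = { ($_.Group.Workstation | Select-Object -Unique) -join ', ' } } |
        Format-Table -AutoSize
}
```

If the failing logons arrive through an RD Gateway or a non-Windows front end, the 4625 IpAddress will be that intermediary's address and the real client has to be read from its own logs instead.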