Event ID 4625 observed on Domain Controller...
Posted 2/16/2019 3:57:27 AM
Forum Newbie
Group: Forum Members
Last Login: 1/31/2019 6:33:15 AM
Posts: 4, Visits: 0
Hi Team,

As per the book on this web site, we shouldn't be getting Event ID 4625 from a Domain Controller unless somebody is accessing the domain controller itself or is logging into an application that is integrated with AD. But in my organization, I am observing logs of Event ID 4625 with the source being a desktop and the domain being local (the desktop itself), yet this log is observed on the Domain Controller. Kindly help me understand this log.

<13>Jan 31 14:40:49 DCDIR005 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.5.27 Source=Microsoft-Windows-Security-Auditing Computer=DCDIR005.domain.net OriginatingComputer=DCDIR005 User= Domain= EventID=4625 EventIDCode=4625 EventType=16 EventCategory=12544 RecordNumber=2086833885 TimeGenerated=1548925849 TimeWritten=1548925849 Level=0 Keywords=0 Task=0 Opcode=0 Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Source Network Address: Source Port: 56479 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Ser


Regards,
Anu
Post #8542
Posted 2/24/2019 1:46:35 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
This is a type 3 network logon attempt that is attempting to log onto the DC with a local Administrator account. This is failing because there is no local admin account on the DC. This could happen for any number of reasons. It is very common for accounts to access the DC using a network logon, including for GPO updates. The best thing you can do is examine the logs on the source host around the time of the activity.
Post #8545
Posted 2/25/2019 3:26:17 AM
Forum Newbie
Group: Forum Members
Last Login: 1/31/2019 6:33:15 AM
Posts: 4, Visits: 0
But the account domain is shown as the workstation name, which means it is trying a local account locally; then ideally the authentication shouldn't go to the Domain Controller, should it?
Post #8547
Posted 2/25/2019 3:29:29 AM
Forum Newbie
Group: Forum Members
Last Login: 1/31/2019 6:33:15 AM
Posts: 4, Visits: 0

<13>Jan 31 14:40:49 DCDIR005 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.5.27 Source=Microsoft-Windows-Security-Auditing Computer=DCDIR005.domain.net OriginatingComputer=DCDIR005 User= Domain= EventID=4625 EventIDCode=4625 EventType=16 EventCategory=12544 RecordNumber=2086833885 TimeGenerated=1548925849 TimeWritten=1548925849 Level=0 Keywords=0 Task=0 Opcode=0 Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Source Network Address: Source Port: 56479 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Ser
Post #8548
Posted 2/25/2019 3:31:43 AM
Forum Newbie
Group: Forum Members
Last Login: 1/31/2019 6:33:15 AM
Posts: 4, Visits: 0
Sorry, any words between greater-than or less-than symbols are omitted on this site. Please find the log below.


<13>Jan 31 14:40:49 DCDIR005 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.5.27 Source=Microsoft-Windows-Security-Auditing Computer=DCDIR005.domain.net OriginatingComputer=DCDIR005 User= Domain= EventID=4625 EventIDCode=4625 EventType=16 EventCategory=12544 RecordNumber=2086833885 TimeGenerated=1548925849 TimeWritten=1548925849 Level=0 Keywords=0 Task=0 Opcode=0 Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: Desktop Name Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Desktop Name Source Network Address: Desktop IP Source Port: 56479 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Ser
Post #8549
Posted 6/24/2019 2:06:21 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
4625 is a login event and not an authentication event. This means that it appears that login attempts with local creds are being attempted against the DC and failing because they are local.
Post #8570
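The reading given in this thread can be turned into a check over the agent's flattened syslog line: parse the 4625 Message into its sections, then flag the case where the target Account Domain equals the Workstation Name (a local account of the source host tried over the network against the DC) and decode the Sub Status. This is an added example, not code from the forum or from the SIEM agent; the sample line is constructed from the poster's event with the hostname WKS017 and address 10.1.2.3 standing in for "Desktop Name" and "Desktop IP", and the DC's NetBIOS domain is assumed to be DOMAIN.

```python
import re

# Constructed sample modelled on the thread's event (hostname/IP are placeholders).
SAMPLE = ("<13>Jan 31 14:40:49 DCDIR005 AgentDevice=WindowsLog AgentLogFile=Security "
          "Computer=DCDIR005.domain.net EventID=4625 Message=An account failed to log on. "
          "Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 "
          "Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID "
          "Account Name: Administrator Account Domain: WKS017 Failure Information: "
          "Failure Reason: Unknown user name or bad password. Status: 0xc000006d "
          "Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 "
          "Caller Process Name: - Network Information: Workstation Name: WKS017 "
          "Source Network Address: 10.1.2.3 Source Port: 56479 "
          "Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM")

# Section and field labels as Windows renders them in the 4625 Message text.
SECTIONS = ["Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"]
LABELS = ["Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type",
          "Failure Reason", "Status", "Sub Status", "Caller Process ID", "Caller Process Name",
          "Workstation Name", "Source Network Address", "Source Port", "Logon Process",
          "Authentication Package"]
SUBSTATUS = {"0xc0000064": "user name does not exist",        # documented 4625 sub-status codes
             "0xc000006a": "correct user name, bad password",
             "0xc0000234": "account locked out",
             "0xc0000072": "account disabled"}

def parse_4625(line):
    """Return {section: {label: value}} from the agent's single-line Message text."""
    msg = line.split("Message=", 1)[1]
    sec_re = re.compile(r"(" + "|".join(map(re.escape, SECTIONS)) + r"):")
    lab_re = re.compile(r"(" + "|".join(map(re.escape, LABELS)) + r"):\s*")
    parts = sec_re.split(msg)            # [preamble, name, body, name, body, ...]
    fields = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        toks = lab_re.split(body)        # ["", label, value, label, value, ...]
        fields[name] = {k: v.strip() for k, v in zip(toks[1::2], toks[2::2])}
    return fields

def assess(fields, dc_netbios_domain):
    """Apply the thread's interpretation: a type-3 NTLM logon whose target Account Domain
    is the source Workstation Name is that host's *local* account tried against the DC."""
    target, net = fields["Account For Which Logon Failed"], fields["Network Information"]
    domain = target.get("Account Domain", "")   # empty in the poster's first (redacted) copy
    return {
        "account": f"{domain}\\{target['Account Name']}" if domain else target["Account Name"],
        "network_ntlm": fields["Subject"]["Logon Type"] == "3"
            and fields["Detailed Authentication Information"]["Authentication Package"] == "NTLM",
        "local_account_vs_dc": bool(domain) and domain.upper() == net["Workstation Name"].upper()
            and domain.upper() != dc_netbios_domain.upper(),
        "reason": SUBSTATUS.get(fields["Failure Information"]["Sub Status"].lower(), "other failure"),
        "source": f"{net['Source Network Address']}:{net['Source Port']}",
    }

if __name__ == "__main__":
    print(assess(parse_4625(SAMPLE), "DOMAIN"))
```

When `local_account_vs_dc` is true, the follow-up is the one the moderator gives: pull the logs from the host named in `source` around the event time to see which process tried to use that local account.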