Terminal server tries to log in to itself


Security event log, event ID 4625, logon type: 3

I repeatedly get new alerts from this one terminal server that continually tries to log on to itself, and I can't figure out why. I detected this with the help of a SIEM system, and there could be 10-20 new alarms per day with each alarm having at least 20+ login attempts.

I've removed old Task Scheduler jobs which could've tried to authenticate with old user credentials that have since been removed from the domain.

Any help is much appreciated.

AV - Alert - "1586870579" --> RID: "18130"; RL: "5"; RG: "windows,win_authentication_failed,"; RC: "Logon Failure - Unknown user or bad
password."; USER: "(no user)"; SRCIP: "::1"; HOSTNAME: "(SERVERNAME1) 172.16.10.11->WinEvtLog"; LOCATION: "(SERVERNAME1) 172.16.10.11->WinEvtLog";
EVENT: "[INIT]2020 Apr 14 15:22:58 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain:
SERVERNAME1.ad.company.com: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0 
**Logon Type:   3**  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  SERVERNAME1  Account Domain:  AD  Failure Information: 
Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064  Process Information:  Caller Process ID: 0x0  Caller Process Name: - 
Network Information:  Workstation Name: SERVERNAME1  Source Network Address: ::1  Source Port:  54306  Detailed Authentication Information:  Logon
Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated
when a logon request fails. It is generated on the computer where access was attempted.[END]"; 
windows-event-log
terminal-server
ntlm
asked on Server Fault Apr 15, 2020 by chameleon • edited Apr 16, 2020 by chameleon
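
A triage sketch for the alert in the question, added here as an example and not part of the original post: it pulls the event 4625 fields out of the SIEM alert string and decodes the sub status. `SAMPLE_ALERT` is a constructed, shortened copy of the posted alert, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: a shortened, single-line copy of the alert in the question.
SAMPLE_ALERT = (
    'EVENT: "[INIT]2020 Apr 14 15:22:58 WinEvtLog: Security: AUDIT_FAILURE(4625): '
    'An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  '
    'Logon ID:  0x0  **Logon Type:   3**  Account For Which Logon Failed:  '
    'Security ID:  S-1-0-0  Account Name:  SERVERNAME1  Account Domain:  AD  '
    'Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064  '
    'Workstation Name: SERVERNAME1  Source Network Address: ::1  Source Port:  54306[END]"'
)

# NTSTATUS meanings as documented by Microsoft for event 4625.
NTSTATUS = {
    "0xc000006d": "bad user name or authentication information",
    "0xc0000064": "user name does not exist",
    "0xc000006a": "user name is correct but the password is wrong",
}

def field(text, label):
    # First whitespace-delimited value after "label:"; "Status" must not match "Sub Status".
    m = re.search(r"(?<!Sub )" + re.escape(label) + r":\s*(\S+)", text)
    return m.group(1) if m else None

def parse_4625(alert):
    text = alert.replace("*", "")  # the post wraps "Logon Type" in markdown bold
    # Fields of the failed account follow this marker; the Subject block precedes it.
    _, _, target = text.partition("Account For Which Logon Failed:")
    labels = {"account": "Account Name", "status": "Status", "sub_status": "Sub Status",
              "workstation": "Workstation Name", "source": "Source Network Address"}
    event = {key: field(target, label) for key, label in labels.items()}
    event["logon_type"] = field(text, "Logon Type")
    return event

def triage(event):
    notes = []
    try:
        if ipaddress.ip_address(event["source"] or "").is_loopback:
            notes.append("source is loopback: the request starts on the server itself")
    except ValueError:
        pass  # "-" or a missing address
    if event["account"] and event["account"].lower() == (event["workstation"] or "").lower():
        notes.append("account is the bare host name, not the machine account (ends in '$')")
    sub = (event["sub_status"] or "").lower()
    if sub in NTSTATUS:
        notes.append(f"sub status {sub}: {NTSTATUS[sub]}")
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_4625(SAMPLE_ALERT))))
```

For the posted alert, all three observations apply: the NTLM request came from `::1`, named `SERVERNAME1` as the account, and was rejected because no user with that name exists.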

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0