Security event log, event ID 4625, logon type: 3
I repeatedly get new alerts from this one terminal server that continually tries to log on to itself, and I can't figure out why. I detected this with the help of a SIEM system, and there could be 10-20 new alarms per day, with each alarm having at least 20+ login attempts.
I've removed old Task Scheduler jobs which could've tried to authenticate with old user credentials that have since been removed from the domain.
Any help is much appreciated.
AV - Alert - "1586870579" --> RID: "18130"; RL: "5"; RG: "windows,win_authentication_failed,"; RC: "Logon Failure - Unknown user or bad
password."; USER: "(no user)"; SRCIP: "::1"; HOSTNAME: "(SERVERNAME1) 172.16.10.11->WinEvtLog"; LOCATION: "(SERVERNAME1) 172.16.10.11->WinEvtLog";
EVENT: "[INIT]2020 Apr 14 15:22:58 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain:
SERVERNAME1.ad.company.com: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
**Logon Type: 3** Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: SERVERNAME1 Account Domain: AD Failure Information:
Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: -
Network Information: Workstation Name: SERVERNAME1 Source Network Address: ::1 Source Port: 54306 Detailed Authentication Information: Logon
Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated
when a logon request fails. It is generated on the computer where access was attempted.[END]";
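An added example (not part of the original post): a parser that pulls the 4625 fields out of the flattened SIEM text above and names the documented logon type and NTSTATUS codes, so repeated alerts can be triaged by field instead of by eye. `parse_4625`, `SAMPLE_EVENT` and the result keys are hypothetical names; the sample is the post's EVENT text re-joined onto one line.

```python
import ipaddress
import re

# Constructed sample (EVENT text of the alert above, re-joined); all names here are illustrative.
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): "
    "no domain: SERVERNAME1.ad.company.com: An account failed to log on. Subject: Security ID: "
    "S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 **Logon Type: 3** Account For Which "
    "Logon Failed: Security ID: S-1-0-0 Account Name: SERVERNAME1 Account Domain: AD Failure "
    "Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process "
    "Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation "
    "Name: SERVERNAME1 Source Network Address: ::1 Source Port: 54306 Detailed Authentication "
    "Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: -"
)

# Documented values for event 4625 (subset).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

def _field(label, text):
    """Return the single-token value after 'label:'; 'Status' must not match 'Sub Status'."""
    m = re.search(r"(?<!Sub )" + re.escape(label) + r":\s*(\S+)", text)
    return m.group(1) if m else None

def _status(value):
    """Name a hex NTSTATUS value; codes outside the table are returned unchanged."""
    return NTSTATUS.get(int(value, 16), value) if value else None

def parse_4625(message):
    text = " ".join(message.replace("*", "").split())  # drop bold markup, normalise spaces
    # Fields after this marker describe the account that failed, not the Subject block.
    _, _, target = text.partition("Account For Which Logon Failed:")
    account, source = _field("Account Name", target), _field("Source Network Address", target)
    try:
        loopback = ipaddress.ip_address(source or "").is_loopback
    except ValueError:  # "-" or a missing address
        loopback = False
    return {
        "logon_type": LOGON_TYPES.get(int(_field("Logon Type", text) or 0), "Other"),
        "account": f'{_field("Account Domain", target)}\\{account}',
        "status": _status(_field("Status", target)),
        "sub_status": _status(_field("Sub Status", target)),
        "auth_package": _field("Authentication Package", target),
        "source_is_loopback": loopback,
        # Computer accounts end in "$"; this flags the bare host name submitted as the user.
        "account_is_hostname": bool(account) and account == _field("Workstation Name", target),
    }
```

For the event in the post this reports a network (type 3) NTLM logon from the loopback address whose Sub Status is STATUS_NO_SUCH_USER, with the host's own name submitted as the account name.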