Excessive failed logon attempts, cannot trace because of missing info

1

I have a Windows 2008 R2 server that is reporting a constant stream of failed logon attempts. Someone is brute-forcing this server and I cannot tell from where. The Event ID triggered is 4625. Below is an example of the audit entry:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       SEMINAR
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

The NTLM Operational Logs:

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 756
Calling process name: C:\Windows\System32\svchost.exe
Calling process LUID: 0x3e4
Calling process user identity: EW2$
Calling process domain identity: ABC
Mechanism OID: (NULL)

The user is not a real user. Network information is completely missing. I have logged all NTLM messages in the event log and didn't get any additional information. I am not savvy enough with network monitors to find this NTLM attempt.

I tried closing the public and private firewall profiles, but the attempts still happen.

What else can I do to trace the origin of these sign-in attempts?

windows-server-2008
asked on Server Fault May 14, 2018 by nathank1989
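A PowerShell pass over the Security log's 4625 events that separates attempts carrying a recorded source address from those that, like the entry above, do not; this is an added example, not code from the question or its author. It assumes it is run elevated on the affected server, uses the standard 4625 event XML field names, and the -MaxEvents limit is a constructed value.

```powershell
# Summarise Event ID 4625 (An account failed to log on) from the Security log.
# Added example; field names follow the 4625 event XML schema (TargetUserName,
# LogonType, Status, SubStatus, AuthenticationPackageName, WorkstationName,
# IpAddress, IpPort). Run elevated. The event count limit is a constructed value.
$filter = @{ LogName = 'Security'; Id = 4625 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Each event's EventData is a list of <Data Name="...">value</Data> nodes.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        LogonType   = $d['LogonType']
        Status      = $d['Status']
        SubStatus   = $d['SubStatus']
        AuthPackage = $d['AuthenticationPackageName']
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        SourcePort  = $d['IpPort']
    }
}

# Attempts that DO carry a source address: group by it so the noisiest
# origins surface first. '-' is how the event renders an empty field.
Write-Host '--- Failed logons with a recorded source address ---'
$rows | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Attempts with NO source address (the case in the question): count them by
# account, logon type and authentication package. These cannot be traced from
# the event alone and need correlation with another source (perimeter firewall
# logs, or a packet capture filtered on NTLM/SMB traffic to this host).
Write-Host '--- Failed logons with no recorded source address ---'
$rows | Where-Object { -not $_.SourceIP -or $_.SourceIP -eq '-' } |
    Group-Object Account, LogonType, AuthPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The second table tells you how much of the volume is untraceable from 4625 alone, which is the gap the question runs into; the first table gives you the sources that can be blocked or investigated right away.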

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0