I have a Windows 2008R2 server that is reporting a constant stream of failed logon attempts. Someone is brute-forcing this server and I cannot tell from where. The EvenIDs triggered are 4625 Below is an example of the Audit Entry
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SEMINAR
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
The NTLM Operational Logs:
NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Calling process PID: 756
Calling process name: C:\Windows\System32\svchost.exe
Calling process LUID: 0x3e4
Calling process user identity: EW2$
Calling process domain identity: ABC
Mechanism OID: (NULL)
The user is not a real user Network information is completely missing. I have logged all NTLM messages in event log and didn't get any additional information. I am not savvy enough with network monitors to find this NTLM attempt.
I tried closing the public and private firewall profiles, the attempts still happen.
What else can I do to trace the origin of these sign in attempts?
User contributions licensed under CC BY-SA 3.0