Event ID 4625 with No Computer info

Anonymous
2024-01-30T14:48:18+00:00

We are seeing continuous entries in the Security Event Log on our Domain Controller with Event ID 4625 where there is no Workstation or IP info and appears to be cycling through random names for the Account name. We've done many wireshark captures and we aren't seeing anything to link to the times that the events are happening. Here is an example:

An account failed to log on.

Subject:

Security ID: SYSTEM

Account Name: DOMAIN-CONTROLLER1$

Account Domain: OURDOMAIN

Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: sai

Account Domain: OURDOMAIN

Failure Information:

Failure Reason: Unknown user name or bad password.

Status: 0xC000006D

Sub Status: 0xC0000064

Process Information:

Caller Process ID: 0x2328

Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:

Workstation Name: -

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: IAS

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

The number of 4625 Event ID entries varies from one or two every few minutes to over 1,000 in a two-minute span. The info in each entry is the same with the exception of the account name. Here are a few examples of Account Names used:

sai

berlin

berliner

berlioz

berkley

sandra.silva

eduestag

berkut

berkeyr

patricia.rodrigues

beright

bergy

We've reached out to our Endpoint Protection provider and they report that it doesn't appear that we have any issues with Malware or Viruses, but this to me looks like some sort of Dictionary Attack.

What could be causing this and what could we do to find the source?
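As an added example (not from the thread and not Microsoft's code), here is a Python script that parses exported 4625 Event XML records, groups the failures by Logon Process and source fields, and flags any group that fails logons for many distinct account names inside one short window, which is the pattern in the events above (Sub Status 0xC0000064, a different name each time, no workstation or address). It also uses the Logon Process field as the next lead: a value of IAS means the request reached the domain controller through Network Policy Server (RADIUS), so the originating RADIUS client address is recorded in the NPS accounting log rather than in the 4625 itself. The sample events are constructed from the account names in the question; the window, the threshold and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sub-status values of 4625 that indicate credential guessing.
USER_NOT_FOUND = "0xC0000064"   # account name does not exist (user enumeration)
BAD_PASSWORD = "0xC000006A"     # account exists, wrong password (password spraying)


def parse_events(xml_text):
    """Parse concatenated exported 4625 Event XML records into a list of dicts."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.find("e:System/e:EventID", NS).text != "4625":
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rec = {"time": datetime.fromisoformat(when.replace("Z", "+00:00"))}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        records.append(rec)
    return records


def detect_spray(records, window=timedelta(minutes=2), min_users=5):
    """Flag groups whose failures cover many distinct accounts inside one window.

    A user mistyping a password hits one account; a dictionary or spray run
    walks through many names from the same place with the same logon process.
    """
    groups = defaultdict(list)
    for r in records:
        if r.get("SubStatus") in (USER_NOT_FOUND, BAD_PASSWORD):
            key = (r.get("LogonProcessName", "-"), r.get("IpAddress", "-"),
                   r.get("WorkstationName", "-"))
            groups[key].append(r)
    alerts = []
    for (logon_process, ip, ws), recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        start, best = 0, set()
        for end in range(len(recs)):                    # sliding time window
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            users = {r["TargetUserName"].lower() for r in recs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            alerts.append({"logon_process": logon_process, "ip": ip, "workstation": ws,
                           "distinct_users": sorted(best), "attempts": len(recs)})
    return alerts


def next_step(alert):
    """Say where the real origin can be found when the 4625 has no network fields."""
    if alert["ip"] != "-":
        return f"investigate or block source {alert['ip']}"
    if alert["logon_process"] == "IAS":
        return ("request arrived via NPS (RADIUS); the RADIUS client address is in the "
                "NPS accounting log, not in the 4625")
    return "no network fields in 4625; correlate timestamps with VPN/portal and firewall logs"


def _event(ts, user, sub_status, logon_process="IAS", ip="-", ws="-"):
    # Constructed record in the shape of an exported Security event (fields trimmed).
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{ts.isoformat()}"/></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">OURDOMAIN</Data>
    <Data Name="Status">0xC000006D</Data><Data Name="SubStatus">{sub_status}</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">{logon_process}</Data>
    <Data Name="WorkstationName">{ws}</Data><Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: six names from the question, ten seconds apart, through IAS with
# no workstation or address, plus one ordinary wrong password from a named workstation.
_T0 = datetime(2024, 1, 30, 14, 48, 18, tzinfo=timezone.utc)
_NAMES = ["sai", "berlin", "berliner", "berlioz", "berkley", "sandra.silva"]
SAMPLE_XML = "\n".join(_event(_T0 + timedelta(seconds=10 * i), n, USER_NOT_FOUND)
                       for i, n in enumerate(_NAMES))
SAMPLE_XML += "\n" + _event(_T0 + timedelta(minutes=17), "jsmith", BAD_PASSWORD,
                            logon_process="NtLmSsp", ip="192.0.2.10", ws="WS01")

if __name__ == "__main__":
    for a in detect_spray(parse_events(SAMPLE_XML)):
        print(f"{a['attempts']} failures for {len(a['distinct_users'])} accounts "
              f"via {a['logon_process']} from {a['ip']}/{a['workstation']}: {next_step(a)}")
```

On a real domain controller the same records can be exported with wevtutil or Get-WinEvent in XML form and fed to `parse_events`; the single workstation failure in the sample is deliberately left unflagged so the threshold separates a typo from a run through a name list.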




6 answers

  1. Anonymous
    2024-01-31T08:01:46+00:00

    Hello Stan23Cooper,

    Thank you for posting on the Microsoft Community Forum.

    It is normal for most login types to not have workstation or IP information, such as the type 3 you mentioned in the post, which belongs to the network and does not have a login security ID.

    The error status 0XC00006D reported in the post may be due to incorrect username or authentication information. Sub state 0xC0000064: User logged in with spelling error or incorrect user account.

    The information I have found specifically indicates that error C064 in the error sub state. If multiple such events occur consecutively, this may be a sign of user enumeration attacks.

    It is possible that the company has been maliciously attacked by enumerating all account login passwords through network login.

    If the current operation of your company is not affected, this error does not need to be handled. However, for security reasons, users should strengthen their domain password policy and use more complex passwords.

    Alternatively, set a limit on the number of login attempts on the domain controller to avoid attacks such as brute force password cracking. (However, this approach may result in restricted normal login for users)

    If your company's network traffic is very high, it may be due to customers filling in the wrong password during login.

    Are all the accounts you mentioned in your domain? If so, what is the Lockout threshold in your domain, if the Lockout threshold is more than the value you configured, then there will be domain accounts locked out.

    Here is the article about error 4625, I hope it can help you:

    4625(F) An account failed to log on. - Windows Security | Microsoft Learn

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,

    Daisy Zhou

    6 people found this answer helpful.
  2. Anonymous
    2024-05-21T00:41:59+00:00

    Is your DC running as a VM under Hyper-V by any chance? I have a similar situation here where I have multiple servers (some DCs, some not) that are all running as VMs under Hyper-V and none of them contain source computer information in their Security event 4625s. However, the hypervisors that host them do contain the source computer information when they generate 4625 events. This makes identifying any 'bad actors' that are targeting any of my VM servers next to impossible.

    2 people found this answer helpful.
  3. Anonymous
    2024-06-04T13:15:02+00:00

    This is the exact situation I am in, did you find a way around this?

  4. Anonymous
    2024-06-04T13:30:09+00:00

    What we found was that our firewall allows connection via an external web portal and there must be an exploit allowing anyone to blast a brute force attack against that. We found the source IP addresses in the firewall logs and have been playing whack-a-mole blocking those addresses as they pop up. The first dozen or so we blocked reduced the number significantly to the point where we get about 10 tries throughout the day and then block those source addresses too.

    1 person found this answer helpful.
  5. Anonymous
    2024-06-06T07:46:06+00:00

    Hello Stan23Cooper,

    Greetings!

    Thank you for your update and sharing.

    Thanks for your time again.

    Best Regards,
    Daisy Zhou
