Audit Failures

Jefferson Co 181 Reputation points
2020-10-26T19:01:22.12+00:00

Hi,

I have 2 Remote Desktop Gateway servers, both running version 2019. I just noticed that I'm getting a lot of Audit Failures with Event ID 4625, "An account failed to log on". Below is a sample copy of the log:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/26/2020 7:36:19 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: <servername.domain.com>
Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ADMINISTRATOR
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 45.155.205.121
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2020-10-26T17:36:19.099407900Z" />
<EventRecordID>31142998</EventRecordID>
<Correlation ActivityID="{bb2dc3f5-aa7f-0000-08c5-2dbb7faad601}" />
<Execution ProcessID="684" ThreadID="800" />
<Channel>Security</Channel>
<Computer><servername.domain.com></Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">ADMINISTRATOR</Data>
<Data Name="TargetDomainName">
</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">45.155.205.121</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>

Am I being brute-forced? Both gateways do have a public DNS name.

Thanks
Jeff

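The event in the question has the classic shape of password guessing against a public-facing host: logon type 3 (network), NtLmSsp/NTLM, no workstation name, a routable source address, and the built-in ADMINISTRATOR account with sub-status 0xC000006A (wrong password). The script below is an added example, not code from the original thread: it parses 4625 records in the Event XML form shown above, groups them by source address and target account, and flags groups that show all of those indicators together. The sample records are constructed for the example; the external address is the one quoted in the question, while the internal address (10.20.30.40), the workstation name (WS01) and the account (jsmith) are invented. The threshold of five failures is an arbitrary starting point, not a Windows default.

```python
"""Triage Windows Security Event 4625 records for password-guessing patterns.

Added example, not code from the original post. It parses the Event XML
shape shown in the question (Microsoft-Windows-Security-Auditing, EventID
4625) and groups failures by source address and target account. The sample
events are constructed here for illustration: the external address is the
one quoted in the question; 10.20.30.40, WS01 and jsmith are invented.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS sub-status codes as they appear in 4625 EventData (lower-cased hex).
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}


def parse_4625(xml_text):
    """Return the EventData fields relevant to logon-failure triage."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    # Values such as "NtLmSsp " carry trailing whitespace in the log; strip it.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        "logon_type": data.get("LogonType", ""),
        "logon_process": data.get("LogonProcessName", ""),
        "auth_pkg": data.get("AuthenticationPackageName", ""),
        "sub_status": data.get("SubStatus", "").lower(),
        "workstation": data.get("WorkstationName", ""),
        "ip": data.get("IpAddress", ""),
    }


def is_external(ip):
    """True for a globally routable address; False for private ranges or '-'."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def summarize(events, threshold=5):
    """Group failures by (source IP, account) and flag groups that look like
    guessing: repeated failures, network logon (type 3) over NTLM, from an
    external address that never supplies a workstation name."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ip"], ev["user"].upper())].append(ev)
    findings = []
    for (ip, user), evs in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        reasons = Counter(SUBSTATUS.get(e["sub_status"], e["sub_status"]) for e in evs)
        indicators = {
            "external_source": is_external(ip),
            "network_ntlm": all(e["logon_type"] == "3" and e["auth_pkg"] == "NTLM"
                                for e in evs),
            "no_workstation": all(e["workstation"] in ("", "-") for e in evs),
            "over_threshold": len(evs) >= threshold,
        }
        findings.append({"ip": ip, "user": user, "count": len(evs),
                         "reasons": dict(reasons), "indicators": indicators,
                         "brute_force": all(indicators.values())})
    return findings


# Constructed sample events: a minimal form of the XML in the question.
_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><TimeCreated SystemTime="{time}"/></System>
<EventData><Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">{domain}</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">{sub}</Data>
<Data Name="LogonType">3</Data><Data Name="LogonProcessName">{lproc}</Data>
<Data Name="AuthenticationPackageName">{pkg}</Data><Data Name="WorkstationName">{ws}</Data>
<Data Name="IpAddress">{ip}</Data><Data Name="IpPort">0</Data></EventData></Event>"""


def sample_events():
    """Six NTLM failures for ADMINISTRATOR from the address in the question,
    plus two Kerberos failures from an invented internal workstation."""
    recs = [dict(time="2020-10-26T17:36:%02d.000Z" % i, user="ADMINISTRATOR", domain="",
                 sub="0xc000006a", lproc="NtLmSsp ", pkg="NTLM", ws="-",
                 ip="45.155.205.121") for i in range(6)]
    recs += [dict(time="2020-10-26T08:0%d:00.000Z" % i, user="jsmith", domain="CORP",
                  sub="0xc000006a", lproc="Kerberos", pkg="Kerberos", ws="WS01",
                  ip="10.20.30.40") for i in range(2)]
    return [parse_4625(_TEMPLATE.format(**r)) for r in recs]


if __name__ == "__main__":
    for f in summarize(sample_events()):
        flag = "BRUTE-FORCE?" if f["brute_force"] else "ok"
        print(f"{f['ip']:>16} {f['user']:<14} {f['count']:>3} {f['reasons']} {flag}")
```

On a live gateway the same functions can be fed the XML that `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` returns via `.ToXml()`, or an `.evtx` export converted to XML; the grouping is what tells a guessing campaign (one address, one or a few accounts, hundreds of wrong-password results) apart from a user mistyping a password from a known workstation. Sub-status 0xC0000064 (user name does not exist) alongside 0xC000006A is a sign of username enumeration rather than a single bad password.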

3 answers

Sort by: Most helpful
  1. Jenny Yan-MSFT 9,356 Reputation points
    2020-10-27T08:24:57.317+00:00

    Hi,

    1. Please confirm the client OS on which the problematic account started the remote session.
    2. Verify whether the affected user is part of the "Protected Users" group: open a command prompt as the affected user and type the command:
      Whoami /all

    After that, use "Active Directory Users and Computers" to remove the affected user from the Protected Users group.

    Reference link:
    Protected Users Security Group
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518%28v=ws.11%29

    3. Kindly check whether any errors have been captured in the IIS logs:
    In IIS Manager, select the computer in the left pane, and in the middle pane go to "Logging" in the IIS area.


    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny


  2. Jefferson Co 181 Reputation points
    2020-10-28T17:32:53.267+00:00

    Problem is, even during non-office hours we're still getting audit failures. I'm suspecting some kind of brute force.


  3. DJ4MS 1 Reputation point
    2020-12-12T15:28:45.68+00:00

    Hi JeffersonCo-5101,

    How frequently are you getting Event ID 4625?

    Is it always reported for the Administrator account, and do you see logon type 3 (network) for all of these events?

    You can take a Wireshark capture and then filter for the IP reported in Event 4625. You can get the physical address of the source machine that attempted this. By checking 2-3 instances you can clearly find out whether it's the same source every time.

    Once you know the physical address of this attacker's machine, you can set a firewall rule to block all incoming connections from this MAC address.

