I am receiving constant 4625 event log failures on my machine every 10 minutes. The machine lies behind the firewall with RDP enabled on it. When I check the account name and domain, it shows what I have included in the example below. If the audit failure were from my domain user account, it should show the username and domain information, but in my case it is completely different: a different username with numerous characters in it. Kindly suggest a probable reason for this issue. I suspect it may be a brute-force attack from outside.
Event 4625 occurred at 14-12-2020 13:26:01.
Date Time:14-12-2020 13:26:01
Event Source: Microsoft-Windows-Security-Auditing
Event Category: 12544
Event Type: Information
Event ID: 4625
Event Log Name: HardwareEvents
User: N/A
Computer: *******Hidden for security reasons*******
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: *******Hidden for security reasons*******
Account Domain: *******Hidden for security reasons*******
Logon ID: 0x3e7
Logon Type: Advapi
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAYDAxAQNAgDAxAgQAcDA1AQLAYDAGBQMAIEAtAANAcDAEBwQA0CACBwNAgDADBQLAUEAyAQOAEDABBAOAcDA2AwNAMEA4AQMA0HA
Account Domain: 0xc000006d
Failure Information:
Failure Reason: 0xc0000064
Status: %%2313
Sub Status: 4
Process Information:
Caller Process ID: C:\Windows\System32\svchost.exe
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: NT AUTHORITY\SYSTEM
Detailed Authentication Information:
Logon Process: Negotiate
Authentication Package: DOWNLOADER
Transited Services: -
Package Name (NTLM only): 0
Key Length: 0x894
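A sanity check a responder could run on an exported 4625 description like the one above before interpreting it, added here as an example and not part of the original post: it flags values whose shape does not fit the label they are printed under and names the NTSTATUS codes that appear. The expected field shapes follow the standard 4625 layout as an assumption, and the function names are illustrative.

```python
import re
# Documented NTSTATUS codes commonly seen in event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
}

# Assumed shape of each labelled value in a standard 4625 description.
EXPECTED = {
    "Logon Type": r"\d+",
    "Account Domain": r"(?!0x[0-9a-f]{8}$).+",  # a name, not a status code
    "Status": r"0x[0-9a-f]{8}",
    "Sub Status": r"0x[0-9a-f]{8}",
    "Caller Process ID": r"0x[0-9a-f]+|\d+",
    "Source Port": r"-|\d+",
    "Key Length": r"\d+",
}

# Lines copied from the export in the post (subset; redacted value shortened).
SAMPLE = r"""
Subject:
Account Domain: (hidden)
Logon ID: 0x3e7
Logon Type: Advapi
Account Domain: 0xc000006d
Failure Reason: 0xc0000064
Status: %%2313
Sub Status: 4
Caller Process ID: C:\Windows\System32\svchost.exe
Source Port: NT AUTHORITY\SYSTEM
Key Length: 0x894
"""

def parse_fields(text):
    """Return (label, value) pairs, skipping section headers with no value."""
    pairs = (line.partition(":") for line in text.splitlines())
    return [(k.strip(), v.strip()) for k, _, v in pairs if v.strip()]

def misplaced(fields):
    """Labels whose value does not have the shape that field normally has."""
    return [k for k, v in fields
            if k in EXPECTED and not re.fullmatch(EXPECTED[k], v, re.I)]

def status_names(fields):
    """Names of known NTSTATUS codes found under any label."""
    hexvals = (v for _, v in fields if re.fullmatch(r"0x[0-9a-f]{8}", v, re.I))
    return [NTSTATUS[int(v, 16)] for v in hexvals if int(v, 16) in NTSTATUS]
```

When many labels are flagged, the export has shifted values against labels, so the event is better re-read from the Security log itself before drawing conclusions about the source of the failures.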