Event log failure 4625 (brute force attack)

Spellbound vfx 6 Reputation points
2020-12-15T06:10:46.05+00:00

I am receiving constant 4625 event log failures on my machine every 10 minutes. The machine sits behind the firewall with RDP enabled on it. When I try to check the account name and domain, it shows what I mentioned in the example, i.e. if the audit failure were from my domain user account, it should show the username and domain information. But in my case it is completely different, with a different username with numerous characters in it. Kindly suggest a probable reason for this issue. I suspect it may be a brute force attack from outside.

Event 4625 occurred at 14-12-2020 13:26:01.

Date Time:14-12-2020 13:26:01
Event Source: Microsoft-Windows-Security-Auditing
Event Category: 12544
Event Type: Information
Event ID: 4625
Event Log Name: HardwareEvents
User: N/A
Computer: *******Hidden for security reasons*******
Description:
An account failed to log on.

Subject:
Security ID: S-1-5-18
Account Name: *******Hidden for security reasons*******
Account Domain: *******Hidden for security reasons*******
Logon ID: 0x3e7

Logon Type: Advapi

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAYDAxAQNAgDAxAgQAcDA1AQLAYDAGBQMAIEAtAANAcDAEBwQA0CACBwNAgDADBQLAUEAyAQOAEDABBAOAcDA2AwNAMEA4AQMA0HA
Account Domain: 0xc000006d

Failure Information:
Failure Reason: 0xc0000064
Status: %%2313
Sub Status: 4

Process Information:
Caller Process ID: C:\Windows\System32\svchost.exe
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: NT AUTHORITY\SYSTEM

Detailed Authentication Information:
Logon Process: Negotiate
Authentication Package: DOWNLOADER
Transited Services: -
Package Name (NTLM only): 0
Key Length: 0x894


1 answer

  1. Sunny Qi 11,051 Reputation points Microsoft Vendor
    2020-12-15T08:30:59.367+00:00

    Hi @Spellbound vfx ,

    Thanks for posting in Q&A platform.

    Based on the provided info, as a workaround I would suggest performing NTLM policy control to completely prevent LM responses. Please refer to the detailed steps below to see if the issue can be resolved:

    Firstly, please go to Local Security Policy-->Local Policy-->Security Options-->Network security: LAN Manager authentication level-->set to Send NTLMv2 response only


    And then please go to Local Security Policy-->Local Policy-->Security Options-->Network security: Restrict NTLM: Incoming NTLM traffic-->set to Deny all accounts


    Best Regards,
    Sunny

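A triage script for the situation described in the question, added here as an example and not part of the thread or Microsoft's guidance: it summarises recent 4625 events by source address and target account, breaks them down by status code, and reads the registry values behind the two policies the answer sets. The $Threshold value and the script's parameter names are assumptions; the registry paths and 4625 XML field names are the standard ones.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# on the machine that logs the 4625 events.
param(
    [int]$Hours = 24,
    [int]$Threshold = 10   # assumed value: failures from one source before it is flagged
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML so the columns cannot shift
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d['TargetUserName']
        Source    = $(if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { 'local/-' })
        LogonType = $d['LogonType']
        Status    = $d['Status']
        SubStatus = $d['SubStatus']
        LogonProc = $d['LogonProcessName']
        AuthPkg   = $d['AuthenticationPackageName']
    }
}

"4625 events in the last $Hours h: $(@($rows).Count)"

# Many failures from one source against many distinct accounts is the usual brute-force signature
$rows | Group-Object Source | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count,
        @{n='DistinctAccounts';e={ @($_.Group.Account | Sort-Object -Unique).Count }} |
    Format-Table -AutoSize

# Status 0xC000006D = bad user name or password; SubStatus 0xC0000064 = user name does not exist
$rows | Group-Object Status, SubStatus | Select-Object Name, Count | Format-Table -AutoSize

# Registry values behind the two policies suggested in the answer
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
"LmCompatibilityLevel         = $($lsa.LmCompatibilityLevel)  (3 = send NTLMv2 response only; 5 also refuses LM and NTLM)"
"RestrictReceivingNTLMTraffic = $($msv.RestrictReceivingNTLMTraffic)  (2 = deny all accounts)"
```

If the Source column is empty or "local/-" for a burst, the failures are not coming over the network, so the source process (Caller Process Name in the event) matters more than the firewall.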

