Windows suspicious login

santos 21 Reputation points
2020-12-17T04:12:59.55+00:00

Can anybody please interpret what this log is about?

Is this log generated by a service starting, or is some attacker trying to access the server using a disabled account?

Please suggest.

2020-12-10T09:46:03Z DB01.test.com.np 192.168.1.1 AccelOps-WUA-WinLog-Security [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="xxxxxxxx" [timeZone]="+0545" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4625" [eventType]="Information" [domain]="" [computer]="DB01.test.com.np" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Dec 10 2020 09:46:02" [deviceTime]="Dec 10 2020 09:46:02" [msg]="An account failed to log on." [[Subject]][Security ID]="S-1-5-18" [Account Name]="DB01$" [Account Domain]="test" [Logon ID]="0x3E7" [Logon Type]="5" [[Account For Which Logon Failed]][Security ID]="S-1-0-0" [Account Name]="sp_farm_svc" [Account Domain]="test" [[Failure Information]][Failure Reason]="Account currently disabled." [Status]="0xC000006E" [Sub Status]="0xC0000072" [[Process Information]][Caller Process ID]="0x228" [Caller Process Name]="C:\Windows\System32\services.exe" [[Network Information]][Workstation Name]="DB01" [Source Network Address]="" [Source Port]="" [[Detailed Authentication Information]][Logon Process]="Advapi" [Authentication Package]="Negotiate" [Transited Services]="" [Package Name (NTLM only)]="" [Key Length]="0"

Thanks.

Windows Server 2012

Accepted answer
  1. Dave Patrick 426K Reputation points MVP
    2020-12-17T04:21:08.117+00:00

    Something here may help.
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

    --please don't forget to Accept as answer if the reply is helpful--
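
One way to triage the event posted in the question, as an added example that is not part of the original thread or of the linked reference: it parses the `[key]="value"` and `[[Section]]` layout of that line and reports the target account, logon type, failure reason and origin. The sample line is constructed from the question's event (trimmed), the function names are hypothetical, and the lookup tables cover only a few common Windows logon types and NTSTATUS sub-status codes.

```python
import re

# Constructed sample: the 4625 event from the question, trimmed to the fields used below.
SAMPLE = (
    r'2020-12-10T09:46:03Z DB01.test.com.np 192.168.1.1 AccelOps-WUA-WinLog-Security '
    r'[eventId]="4625" [computer]="DB01.test.com.np" [[Subject]][Security ID]="S-1-5-18" '
    r'[Account Name]="DB01$" [Logon Type]="5" [[Account For Which Logon Failed]]'
    r'[Account Name]="sp_farm_svc" [Account Domain]="test" [[Failure Information]]'
    r'[Status]="0xC000006E" [Sub Status]="0xC0000072" [[Process Information]]'
    r'[Caller Process Name]="C:\Windows\System32\services.exe" [[Network Information]]'
    r'[Workstation Name]="DB01" [Source Network Address]="" [Source Port]=""'
)

TOKEN = re.compile(r'\[\[(?P<section>[^\]]+)\]\]|\[(?P<key>[^\]]+)\]="(?P<val>[^"]*)"')
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}
SUB_STATUS = {"0xC0000064": "unknown user name", "0xC000006A": "bad password",
              "0xC0000072": "account disabled", "0xC0000234": "account locked out"}

def parse_event(line):
    """Return {section: {key: value}}; fields before the first [[...]] go under ''."""
    fields, section = {"": {}}, ""
    for m in TOKEN.finditer(line):
        if m.group("section"):
            section = m.group("section")
            fields.setdefault(section, {})
        else:
            fields[section][m.group("key")] = m.group("val")
    return fields

def triage(line):
    """Summarise where a failed logon (4625) came from and why it failed."""
    ev = parse_event(line)
    if ev[""].get("eventId") != "4625":
        return None
    # In this flattened format "Logon Type" lands under [[Subject]].
    ltype = int(ev.get("Subject", {}).get("Logon Type", "0"))
    caller = ev.get("Process Information", {}).get("Caller Process Name", "")
    source = ev.get("Network Information", {}).get("Source Network Address", "")
    sub = ev.get("Failure Information", {}).get("Sub Status", "")
    target = ev.get("Account For Which Logon Failed", {})
    # Type 5 raised by services.exe with no source address: the Service Control
    # Manager on this host tried to start a service under the target account.
    local_service = (ltype == 5 and not source and caller.lower().endswith(r"\services.exe"))
    return {
        "target": target.get("Account Domain", "") + "\\" + target.get("Account Name", ""),
        "logon_type": LOGON_TYPES.get(ltype, "other"),
        "reason": SUB_STATUS.get(sub.upper().replace("0X", "0x"), sub),
        "origin": "local service start" if local_service else (source or "unknown"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An origin of "local service start" points at a service on the host that is still configured to log on as the disabled account; a populated Source Network Address is reported as the origin instead.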

