An account to be disabled appears in the logs?

Duchemin, Dominique 2,006 Reputation points
2022-08-31T20:31:26.433+00:00

Hello,

I saw in the Event Logs on servers:

Security-Auditing

A logon was attempted using explicit credentials.

Subject:
Security ID: AD\svcMonLogic1
Account Name: svcMonLogic1
Account Domain: AD
Logon ID: 0x1BE5D
Logon GUID: {7becb5a6-2f6b-a138-ed75-f1edb586af5c}

Account Whose Credentials Were Used:
Account Name: svcconfigmgrsrv
Account Domain: AD.xxxx
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: VRPSCCMAC01.ad.xxxx
Additional Information: host/VRPSCCMAC01.ad.xxxx

Process Information:
Process ID: 0x6cc
Process Name: C:\Program Files\LogicMonitor\Agent\lib\sbwinproxy.exe

Network Information:
Network Address: 10.6.195.69
Port: 49155

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

The account svcConfigMgrSrv has been replaced and I would like to disable it.
What is initiating this connection from LogicMonitor to Configuration Manager (Repository)?

Thanks,
Dom


2 answers

  1. Limitless Technology 39,351 Reputation points
    2022-09-02T07:39:38.117+00:00

    Hello there,

    Have you disabled this account?

    This event is also a routine event which periodically occurs during normal operating system activity.

    This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.

    This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.

    You can read more about this event from here https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648

    -------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Duchemin, Dominique 2,006 Reputation points
    2022-09-03T21:08:29.687+00:00

    Hello,

    1. No, I could not disable the account as it is still showing in the Splunk logs.
    2. How do I identify the process? It seems the Splunk logs are insufficient...

    Thanks,
    Dom

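The 4648 event quoted in the question already carries the Process Name, Subject account and Network Address of whatever is still using the old credentials. The following script is an added example, not code from the thread or from Microsoft: it pulls every 4648 event for one account (the name from the question is assumed as the default) from the local Security log and groups them by process, target server and source address, so every remaining consumer of the account is known before it is disabled.

```powershell
# Added example: list every process and source host that still performs an
# explicit-credential logon (Event ID 4648) with a given account.
# Run elevated on the server where the events were seen (the same EventData
# fields are what a SIEM such as Splunk receives from forwarded events).
param(
    [string]$TargetAccount = 'svcconfigmgrsrv',   # account from the question; assumed default
    [int]$Days = 30
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Every field of the event lives in EventData/Data with a Name attribute;
    # TargetUserName is the "Account Whose Credentials Were Used" shown in the question.
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # -ne is case-insensitive in PowerShell, so svcconfigmgrsrv and svcConfigMgrSrv match.
    if ($d['TargetUserName'] -ne $TargetAccount) { continue }

    [pscustomobject]@{
        Time          = $ev.TimeCreated
        Computer      = $ev.MachineName
        RunningAs     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Process       = $d['ProcessName']
        TargetServer  = $d['TargetServerName']
        SourceAddress = $d['IpAddress']
    }
}

# One line per (process, target server, source address): what would break if the
# account were disabled, with how often and when it was last used.
$rows | Group-Object Process, TargetServer, SourceAddress | ForEach-Object {
    [pscustomobject]@{
        Process       = $_.Group[0].Process
        TargetServer  = $_.Group[0].TargetServer
        SourceAddress = $_.Group[0].SourceAddress
        RunningAs     = $_.Group[0].RunningAs
        Count         = $_.Count
        LastSeen      = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

When the list is empty for the whole retention window on every server that previously logged the event, the account can be disabled with far less risk of breaking a monitoring or Configuration Manager job.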