Event 4625 without Source Network Address or Port

Anonymous
2024-04-27T18:14:36+00:00

I found in the Windows domain controller log that someone is brute-force cracking a domain account. I found that the workstation name in the 4625 log looks like a MAC address, but there is no IP address information. I want to know how to locate the IP of the workstation.

***moved from Windows / Other/Unknown / Security, privacy and accounts / Security and privacy***

Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing

Locked question. This question was migrated from the Microsoft Support Community. You can vote on whether it is helpful, but you cannot add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

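Before chasing the source address elsewhere, it helps to see exactly what the 4625 events on the domain controller do record. The following PowerShell is an added example, not part of the original question or of any answer on this page: it reads Event 4625 from the Security log, pulls the EventData fields (TargetUserName, WorkstationName, IpAddress, IpPort, LogonType, AuthenticationPackageName, SubStatus, which are the standard field names for this event), flags workstation names that have the shape of a MAC address, and groups the events that carry no source address by workstation name so the pattern the question describes stands out. Run it on the domain controller in an elevated session; the `Get-FailedLogonSummary` function name is this example's own.

```powershell
# Added example: triage Event 4625 entries that lack a Source Network Address.
# Assumes the standard Event 4625 EventData field names; run as an administrator on the DC.

function Get-FailedLogonSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )

    $filter = @{ LogName = 'Security'; Id = 4625 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Read the EventData name/value pairs from the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time         = $e.TimeCreated
            TargetUser   = $data['TargetUserName']
            Workstation  = $data['WorkstationName']
            IpAddress    = $data['IpAddress']
            IpPort       = $data['IpPort']
            LogonType    = $data['LogonType']
            AuthPackage  = $data['AuthenticationPackageName']
            SubStatus    = $data['SubStatus']
            # Twelve hex digits, with or without ':' or '-' separators, looks like a MAC address
            LooksLikeMac = [bool]($data['WorkstationName'] -match '^([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$')
        }
    }
}

$summary = Get-FailedLogonSummary

# Events with no recorded source address ('-' or empty), grouped by the workstation name
# the event does carry, with the authentication packages and a sample of targeted accounts
$summary |
    Where-Object { [string]::IsNullOrEmpty($_.IpAddress) -or $_.IpAddress -eq '-' } |
    Group-Object Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LooksLikeMac'; e = { $_.Group[0].LooksLikeMac } },
        @{ n = 'AuthPackages'; e = { ($_.Group.AuthPackage | Sort-Object -Unique) -join ',' } },
        @{ n = 'SubStatus';    e = { ($_.Group.SubStatus   | Sort-Object -Unique) -join ',' } },
        @{ n = 'Users';        e = { ($_.Group.TargetUser  | Sort-Object -Unique | Select-Object -First 5) -join ',' } } |
    Format-Table -AutoSize
```

The AuthPackages column is the useful discriminator: if the address-less events are all NTLM with network logon type (3), the authentication was forwarded to the DC by another server, and the workstation name is the only client identifier the DC was given. The SubStatus column separates wrong-password attempts from attempts against accounts that do not exist, which is a quick way to tell password spraying from user enumeration.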

1 answer

  1. Anonymous
    2024-04-30T13:56:57+00:00

    Hello,

    Windows Server 2012 and below do not record IP and Port details for NTLM logins in Event 4625. This issue has been fixed in Windows Server 2016.

    However, you might be able to get more detailed logs by enabling certain debug flags. For example, you can use the nltest command to enable more detailed logging for the NetLogon service. Here’s how you can do it:

    Open the Run dialog (Win + R), type in: `nltest /dbflag:2080ffff`, and press OK.

    Restart the NetLogon service. The related activity may be logged to `%windir%\debug\netlogon.log`.

    Once you’re done with the debugging, don’t forget to disable it by opening the Run dialog again, typing in: `nltest /dbflag:0`, and pressing OK.

    Please note that these steps should be performed by an IT professional or under their guidance, as they involve changes that could affect your system’s operation.

    Best regards

    Zunhui

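The three steps in the answer (enable the debug flag, restart Netlogon, disable it afterwards) can be scripted, and the resulting `netlogon.log` can be parsed to turn the MAC-looking workstation name into something actionable. The PowerShell below is an added example, not code from the answer's author or from Microsoft. It wraps the answer's `nltest /dbflag` commands in enable/disable functions and adds a parser for the `SamLogon ... from <workstation> (via <server>) Returns <status>` lines that netlogon.log typically writes for pass-through logons; that line format, the regex, the sample log lines embedded for an offline run, and the function names are this example's assumptions. The "via" server is the member server that forwarded the NTLM authentication to the DC, which is where a 4624/4625 with the client's real source address is normally found.

```powershell
# Added example: script the answer's nltest steps and parse netlogon.log for failed logons.
# Assumed log line format (typical netlogon.log, adjust the regex if yours differs):
#   MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: Network logon of DOMAIN\user from WKS (via SERVER) Returns 0xC000006A

function Enable-NetlogonDebug {
    # Same flag as the answer; requires an elevated session on the DC
    nltest /dbflag:2080ffff | Out-Null
    Restart-Service Netlogon
}

function Disable-NetlogonDebug {
    nltest /dbflag:0 | Out-Null
    Restart-Service Netlogon
}

# Well-known NTSTATUS values seen on failed logons
$StatusNames = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'No such user'
    '0xC0000234' = 'Account locked out'
    '0xC0000072' = 'Account disabled'
}

function Get-NetlogonFailedLogons {
    param([string[]]$Lines)

    $pattern = 'SamLogon: (?<type>.+?) logon of (?<user>\S+) from (?<wks>\S+) \(via (?<via>\S+)\) Returns (?<status>0x[0-9A-Fa-f]{8})'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $status = $Matches.status.ToUpper() -replace '^0X', '0x'
            # Status 0x0 is success; keep only failures
            if ($status -eq '0x00000000') { continue }
            [pscustomobject]@{
                Timestamp   = ($line -split ' \[')[0]
                LogonType   = $Matches.type
                User        = $Matches.user
                Workstation = $Matches.wks
                ViaServer   = $Matches.via
                Status      = $status
                Reason      = if ($StatusNames.ContainsKey($status)) { $StatusNames[$status] } else { 'Other' }
            }
        }
    }
}

# Constructed sample lines so the parser can be exercised offline (not real log data)
$sampleLog = @(
    '04/27 18:14:36 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from 00155D01AB23 (via FS01) Entered',
    '04/27 18:14:36 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from 00155D01AB23 (via FS01) Returns 0xC000006A',
    '04/27 18:14:37 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from 00155D01AB23 (via FS01) Returns 0xC0000064',
    '04/27 18:14:39 [LOGON] [1310] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from 00155D01AB23 (via WEB02) Returns 0xC000006A',
    '04/27 18:14:40 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\bjones from PC-BJONES (via FS01) Returns 0x0'
)

# For a real capture use: $lines = Get-Content "$env:windir\debug\netlogon.log"
$failed = Get-NetlogonFailedLogons -Lines $sampleLog

# Per workstation, which server forwarded the requests: that server's own Security log
# (Event 4624/4625 with IpAddress) is where the client's source address is recorded.
$failed |
    Group-Object Workstation, ViaServer |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Reasons'; e = { ($_.Group.Reason | Sort-Object -Unique) -join ',' } },
        @{ n = 'Users';   e = { ($_.Group.User   | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run `Enable-NetlogonDebug`, wait for a capture window while the attempts are ongoing, run `Disable-NetlogonDebug`, then feed the log to `Get-NetlogonFailedLogons`. On the constructed sample this reports three failures from `00155D01AB23`, two forwarded by `FS01` and one by `WEB02`, and drops the successful logon from `PC-BJONES`; on a real capture the `via` column tells you which member server to check next for the source address.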