Brute force attack with no IP to trace

This information will be obfuscated so long as you have RDP set to negotiate security with TLS/SSL & NLA. If you reduce your security level down to just RDP encryption, you will fetch more info in those log entries. Obviously not an ideal approach, as that weakens your security posture.

Try looking in this log: Application and Service Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTS > Operational

See if there are any 140 events (generated when a fake name is used), or 131 events (failed but legit name). These should have a source IP in the description.

PureRDS had a good write-up about this earlier in the year: http://purerds.org/remote-desktop-security/auditing-remote-desktop-services-logon-failures-1/
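As an added example (not code from the thread or from PureRDS), the PowerShell below pulls the 131 and 140 events the answer points at and tallies them per source address, so a defender can see which sources are hammering the host. The channel name is the one the answer gives; pulling the address out of the event message with an IPv4 regex is an assumption, since the thread does not quote those messages.

```powershell
# Added example, not from the original thread. Summarise RdpCoreTS events
# 131 and 140 by source address over a look-back window.
# Assumption: the source address appears as an IPv4 literal in the message text.
param(
    [int]$Hours = 24,       # look-back window
    [int]$Threshold = 20    # flag sources at or above this many events
)

$log   = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
$since = (Get-Date).AddHours(-$Hours)

# Only the two event IDs named in the answer, inside the window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 131, 140
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 131/140 events in $log in the last $Hours hour(s)."
    return
}

# IPv4 only; extend the pattern if the host is reachable over IPv6.
$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$rows = foreach ($e in $events) {
    $m = [regex]::Match([string]$e.Message, $ipPattern)
    if ($m.Success) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            SourceIp = $m.Value
        }
    }
}

# Count attempts per source and per event ID, most active first.
$summary = $rows |
    Group-Object SourceIp, EventId |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp = $_.Group[0].SourceIp
            EventId  = $_.Group[0].EventId
            Count    = $_.Count
        }
    } | Sort-Object Count -Descending

$summary | Format-Table -AutoSize

# Sources over the threshold are candidates for a firewall block rule.
$summary | Where-Object Count -ge $Threshold |
    ForEach-Object { Write-Warning "$($_.SourceIp): $($_.Count) x event $($_.EventId)" }
```

Run it in an elevated PowerShell session on the affected host; reading this channel requires administrative rights.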


Author: tkam

Updated on September 18, 2022

Comments

  • tkam
    tkam over 1 year

    I am getting constant event 4625 messages saying that accounts are failing to log in with non-existent usernames. Names such as: SALES, USER, TEST, HELPDESK, SUPPORT, PROGRAMMER are not users of ours, but we are getting 20 or so messages every minute saying accounts such as these are trying to log in. I can only conclude that this must be a brute force attack. I have already made sure that RDP is NOT publicly accessible. I can tell that these are coming from outside of the domain because NTLM is stopping it, however I cannot blacklist IPs because Network information is blank in the event messages. What should I do in this situation?

    An account failed to log on.

    Subject:
        Security ID:            NULL SID
        Account Name:           -
        Account Domain:         -
        Logon ID:               0x0

    Logon Type:                 3

    Account For Which Logon Failed:
        Security ID:            NULL SID
        Account Name:           POSTERMINAL1
        Account Domain:

    Failure Information:
        Failure Reason:         Unknown user name or bad password.
        Status:                 0xC000006D
        Sub Status:             0xC0000064

    Process Information:
        Caller Process ID:      0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:
        Source Network Address: -
        Source Port:            -

    • Admin
      Admin almost 7 years
      I have also seen 4625s with no associated network address. Not sure why this would be missing, but you can try enabling NTLM audit logging to collect additional details on the activity: support.symantec.com/en_US/article.HOWTO79508.html
  • tkam
    tkam almost 7 years
    Thank you, I found this information to be very useful! I didn't know you could find the IP in events 140 and 131.