
I have a server that keeps getting failed login events (4625). They occur roughly every 20-30 minutes daily. Also appears to be on a schedule.

I've tried deleting stored credentials. Disabling RDS. I've tried locating a pattern with Procmon and Wireshark, and at one point thought it might be the services for Labtech (ConnectWise Automate) but disabling this temporarily didn't make a difference.

An account failed to log on.

Subject:

Security ID:        SYSTEM

Account Name:       SERVER$

Account Domain:     DOMAIN

Logon ID:       0x3E7

Logon Type: 3

Account For Which Logon Failed:

Security ID:        NULL SID

Account Name:       

Account Domain:     

Failure Information:

Failure Reason:     Unknown user name or bad password.

Status:         0xC000006D

Sub Status:     0xC0000064

Process Information:

Caller Process ID:  0x2f4

Caller Process Name:    C:\Windows\System32\lsass.exe

Network Information:

Workstation Name:   SERVER

Source Network Address: -

Source Port:        -

Detailed Authentication Information:

Logon Process:      Schannel

Authentication Package: Kerberos

Transited Services: -

Package Name (NTLM only):   -

Key Length:     0
ToatesMagoats
    Looks like something is trying to elevate and it isn't working. If this is a dev box, I'd say someone f'd up their code. – Colyn1337 Jul 25 '18 at 21:47

1 Answer

As you mentioned, very little useful information is provided in this event. What we can see is:

  • Error code: 0xC0000064 > STATUS_NO_SUCH_USER / account not existing
  • Logon type: 3 > network or RDP with NLA
  • Authentication package: Kerberos
  • Source hostname: the server itself

In a nutshell, "something" is running locally with a wrong username and is trying to authenticate over the network using the Kerberos protocol.

Therefore the only "clues" that I can suggest to you are:

  • Look for potential events ID 4776 (Credential validation)
  • Look on DC logs for strange failed Kerberos events IDs: 4771, 4768
  • In the Resource monitor, look over the different tabs and look for a process that may open several queries locally
  • In the PerfMon > Trace session, look if any existing session trace from the software can help you
  • What about application logs from ConnectWise?
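An added example of the hunt outlined in this answer, written here and not taken from the question or the answer: it pulls the 4625 events that match the signature above (Sub Status 0xC0000064, Logon Process Schannel, Logon Type 3) from the server's own Security log, prints the gap between consecutive hits to confirm the 20-30 minute cadence, and then queries the DC for 4768/4771 in a window around the latest hit. `$DcName` is an assumed placeholder; run it from an elevated PowerShell on the affected server.

```powershell
# Added example: correlate the scheduled 4625 events with DC-side Kerberos events.
param(
    [string]$DcName = 'DC01',   # placeholder: replace with your domain controller
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Turn the EventData block of an event record into a Name -> Value hashtable.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Local 4625 events restricted to the signature discussed in the answer.
$hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.SubStatus -eq '0xc0000064' -and $d.LogonProcessName -eq 'Schannel' -and $d.LogonType -eq '3') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ProcessId  = $d.ProcessId      # 0x2f4 in the question, i.e. lsass.exe
                TargetUser = $d.TargetUserName # empty in the question's event
            }
        }
    } | Sort-Object Time)

# Interval between consecutive hits; a stable gap points at a timer or scheduled job.
for ($i = 1; $i -lt $hits.Count; $i++) {
    $gap = [int]($hits[$i].Time - $hits[$i - 1].Time).TotalMinutes
    '{0:s}  gap={1,3} min  pid={2}  user=''{3}''' -f $hits[$i].Time, $gap, $hits[$i].ProcessId, $hits[$i].TargetUser
}

# Around the most recent hit, ask the DC for the Kerberos events named in the answer.
if ($hits.Count -gt 0) {
    $t = $hits[-1].Time
    Get-WinEvent -ComputerName $DcName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $t.AddMinutes(-2); EndTime = $t.AddMinutes(2) } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName; Client = $d.IpAddress }
        }
}
```

Reading the DC log remotely needs the Remote Event Log Management firewall rule open on the DC and an account allowed to read its Security log; if that is not available, run the second query directly on the DC with the timestamp printed by the first part.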