Tracking down source of Event ID:  4625 on Windows 2008R2 server

Posted on 2014-07-11
Last Modified: 2014-07-21
Hello experts,
I have several entries in my Security logs of a hacking attempt. Initially I thought it may be an OWA brute force attack. There is nothing in the IIS logs that correlates to this timestamp, and the Logon Process is NtLmSsp rather than Advapi. Any advice on how to track the source of this hack attempt would be greatly appreciated. Attached is the logged event.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/10/2014 3:00:35 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
An account failed to log on.

    Security ID:                NULL SID
    Account Name:               -
    Account Domain:             -
    Logon ID:                   0x0

Logon Type:                     3

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               !
    Account Domain:             #$%^

Failure Information:
    Failure Reason:             Unknown user name or bad password.
    Status:                     0xc000006d
    Sub Status:                 0xc0000064

Process Information:
    Caller Process ID:          0x0
    Caller Process Name:        -

Network Information:
    Workstation Name:           ASMIRCRACKER1
    Source Network Address:     -
    Source Port:                -

Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2014-07-10T22:00:35.823496200Z" />
    <Correlation />
    <Execution ProcessID="552" ThreadID="620" />
    <Security />
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">!</Data>
    <Data Name="TargetDomainName">#$%^</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">ASMIRCRACKER1</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
Question by: sreynolds27

    Expert Comment

    Looks like that's a known MS issue with a hotfix:

    Author Comment

    Doubtful as we're not using smart cards, different login process too among other things. Thanks for your suggestion though.

    Expert Comment

    by: Leon Fester
    Here are the important parts of that message:
    Account For Which Logon Failed:
        Security ID:                NULL SID
        Account Name:               !
        Account Domain:             #$%^

    Failure Information:
        Failure Reason:             Unknown user name or bad password.
        Status:                     0xc000006d
        Sub Status:                 0xc0000064

    Process Information:
        Caller Process ID:          0x0
        Caller Process Name:        -

    Network Information:
        Workstation Name:           ASMIRCRACKER1
        Source Network Address:     -
        Source Port:

    Is this valid information or did you change it for posting purposes:
        Account Name:               !
        Account Domain:             #$%^

    If it is a valid domain and user account that you know must be on your network, then most likely there is a password saved on the PC named ASMIRCRACKER1.

    Log on to the computer and check the event logs and any saved passwords.

    Author Comment

    Only the domain suffix has been changed in the post. The workstation name does not exist on our network, well at least it shouldn't! Which is exactly why I'm trying to track down the source address.

    Accepted Solution

    The workstation name does not exist on our network, well at least it shouldn't!
    Can you discount the fact that somebody may have brought a 'rogue' device onto your network? i.e. a personal laptop or other device that was connected to your network? What about virtual machines? Somebody could have created a local VM that is failing.

    Your question heading is then a little misleading. The way it reads, you're looking for the application that is trying to authenticate on the Exchange Server.

    While what you're looking for is the actual computer?

    If it's a local network 'attack' then I would suggest running Wireshark or Netmon on your LAN so that you can capture more data about this workstation. A full network scan might also work, but then you'd need that workstation to be on.

    If you think it's a direct OWA connection then you should see something on your firewall logs. Did you check those logs?

    The bottom line is that this event is only telling you that an authentication request failed due to a bad username/password. It is not an indication that your system is under attack.

    If you cannot find that workstation then there is nothing else from a LAN management perspective that you can do to stop this message from being logged, except to disable auditing... which I would never recommend on a production system.
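    Leon's point stands: the event alone cannot name the machine, and with the Source Network Address blank there is no address to chase, so the Security log itself is the first place to build a picture. As an added example (not code from this thread or from any of its participants), the PowerShell below pulls every 4625 raised through NtLmSsp over the last few days and tallies them by the claimed workstation name and source address, so a recurrence, or a second host showing the same pattern, stands out. It assumes PowerShell 3.0 or later (installable on 2008 R2) and read access to the Security log; the field names are the EventData names shown in the posted Event Xml.

```powershell
# Added example, not from the thread: summarise failed NTLM network logons (Event ID 4625,
# Logon Process NtLmSsp, Logon Type 3). Assumes PowerShell 3.0+ and read access to the Security log.
$ComputerName = $env:COMPUTERNAME   # server to query (the local machine by default)
$Days = 7                           # how far back to look

# Well-known 4625 Sub Status codes (documented by Microsoft); anything else is shown raw.
$subStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
    '0xc0000071' = 'password expired'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The rendered message is localised; the EventData XML carries the raw field values.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Keep only NTLM network logons; LogonProcessName carries a trailing space (see the posted XML).
    if ($d.LogonProcessName.Trim() -ne 'NtLmSsp' -or $d.LogonType -ne '3') { continue }
    $code = $d.SubStatus.ToLower()
    $reason = if ($subStatusText.ContainsKey($code)) { $subStatusText[$code] } else { $code }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Workstation = $d.WorkstationName
        SourceIp    = $d.IpAddress      # '-' when the client supplied none, as in the post
        Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        Reason      = $reason
    }
}

# One line per (workstation, source address): count, time window, accounts tried, reasons.
$rows | Group-Object Workstation, SourceIp | ForEach-Object {
    $g = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Workstation = $g[0].Workstation
        SourceIp    = $g[0].SourceIp
        Failures    = $g.Count
        First       = $g[0].Time
        Last        = $g[-1].Time
        Accounts    = ($g | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', '
        Reasons     = ($g | ForEach-Object { $_.Reason } | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```

    A workstation name that appears with a blank SourceIp, a short burst of 'user name does not exist' failures and no matching firewall or IIS entries is the signature of a device authenticating from inside the LAN, which is where a packet capture or a switch MAC table lookup picks up the trail.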

    Author Comment

    Hi Leon
    I'm leaning towards the rogue device on the network, as I haven't found anything in the firewall logs with a time stamp that correlates to the security logs. Whatever the device was, there have been no more occurrences since my initial post.
