Seeing sporadic attempts at different intervals on users' passwords, but in Event 4740 the Caller Computer Name is blank or labeled MSTSC. I need to find out which PC is being targeted or where it's coming from.
What I know is:
MSTSC is not a PC name in our network; it is, however, the command for Remote Desktop, not a PC name.
There are three types of usernames the attack is targeting. Some of the attempts are on default AD users: administrator and backupuser.
Other attempts are on non-default AD users like ITtech, itsupport, etc.
Only one non-IT, non-default AD username is appearing in the lockouts, which I'm tracking down to see where this person was and what device they were using.
My environment: I have a few PCs exposed to the internet for RDP sessions. I've changed all the default RDP ports to custom ports along with port forwarding to match the connection, i.e. 126.96.36.199:5001 for pc1, :5002 for pc2, etc. I know it's a very bad setup, but we are moving away from it very soon. I believe these attacks are coming through these edge devices, but I can't find a way to correlate the info I have to the device being used for the attacks. If I can find the device I can try to apply some other security around it to buy some time, and frankly I would like to know why the Caller Computer Name is blank or says MSTSC, for my own information. At a minimum I just need to find which entry point the attack is coming from.
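As an added example (not part of the original post): a PowerShell script that correlates the domain controller's 4740 lockouts with the 4625 failed-logon events recorded on the internet-exposed RDP hosts. The Caller Computer Name in 4740 is taken from the workstation name the client presented during authentication; a remote RDP client controls that value and can leave it blank or send a string such as MSTSC, so 4740 by itself does not identify the entry point. The 4625 events on each exposed PC, by contrast, are written on the host the attacker actually connected to and carry the IpAddress and WorkstationName fields as the client presented them, so grouping them by host shows which forwarded port is being hammered. Host names DC01, PC1 and PC2 are placeholders for the poster's environment; the script only reads event logs and needs rights to the remote Security logs.

```powershell
# Added example, not from the original post. Correlates 4740 lockouts on the DC with
# 4625 failed logons on the internet-exposed RDP hosts to find the entry point.
# Placeholders: DC01 is a domain controller; PC1 and PC2 are the exposed RDP hosts.

$DomainController = 'DC01'
$ExposedHosts     = @('PC1', 'PC2')
$Since            = (Get-Date).AddDays(-7)

function Get-EventDataField {
    # Pull a named <Data Name="..."> value out of an event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Lockouts on the DC. In 4740 the "Caller Computer Name" field is stored as TargetDomainName.
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} | ForEach-Object {
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = Get-EventDataField $_ 'TargetUserName'
        CallerName = Get-EventDataField $_ 'TargetDomainName'
    }
}

# 2. Failed logons on each exposed host. 4625 carries IpAddress and WorkstationName as the
#    connecting client presented them. LogonType 10 = RemoteInteractive (classic RDP logon),
#    LogonType 3 = Network (what NLA/CredSSP pre-authentication produces; IpAddress is often '-').
$failures = foreach ($h in $ExposedHosts) {
    Get-WinEvent -ComputerName $h -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Host        = $h
            Time        = $_.TimeCreated
            User        = Get-EventDataField $_ 'TargetUserName'
            Workstation = Get-EventDataField $_ 'WorkstationName'
            SourceIP    = Get-EventDataField $_ 'IpAddress'
            LogonType   = Get-EventDataField $_ 'LogonType'
        }
    }
}

# 3. Which exposed host sees the most failures, and from which source addresses?
#    The Host column here is the entry point (and therefore the forwarded port) being attacked.
$failures |
    Group-Object Host, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize | Out-Host

# 4. For each lockout, show the failures on the exposed hosts for the same account in the
#    two minutes before the lockout, next to the (client-supplied) caller name from 4740.
foreach ($lo in $lockouts) {
    $window = $failures | Where-Object {
        $_.User -eq $lo.User -and
        $_.Time -ge $lo.Time.AddMinutes(-2) -and $_.Time -le $lo.Time
    }
    "{0:u}  locked out {1}  (4740 caller name: '{2}')" -f $lo.Time, $lo.User, $lo.CallerName | Out-Host
    $window | Sort-Object Time |
        Format-Table Host, Time, SourceIP, Workstation, LogonType -AutoSize | Out-Host
}
```

Step 3 answers the immediate question on its own: whichever host dominates the failure counts is the forwarded port the attempts are arriving on. Step 4 ties each lockout back to those attempts so that a blank or MSTSC caller name in 4740 can be matched to a concrete host, source IP and time window, which is what a firewall rule or geo-block at the edge would need.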