Sporadic attempts at different intervals on users passwords but Event 4740 - Caller Computer Name is blank or labeled with MSTSC

Seeing sporadic attempts at different intervals on users' passwords, but in Event 4740 the Caller Computer Name is blank or labeled MSTSC. I need to find out which PC is being targeted or where it's coming from.

What I know is:
MSTSC is not a PC name in our network; it is, however, the command for Remote Desktop, not a PC name.
There are three types of usernames the attack is targeting. Some of the attempts are on defaulted AD users: administrator and backupuser.
Other attempts are on non-defaulted AD users like ITtech, itsupport, etc.
Only one non-IT or non-defaulted AD user name is appearing in the lockouts, which I'm tracking down to see where this person was and what device they are using.

My environment is that I have a few PCs exposed to the internet for RDP sessions. I've changed all the default RDP ports to a custom port, along with port forwarding to match the connection, i.e. 1.1.1.1:5001 for pc1, :5002 for pc2, etc. I know it's a very bad setup, but we are moving away from it very soon. I believe these attacks are coming from these edge devices, but I can't find a way to correlate the info I have to the device being used for the attacks. If I can find the device I can try to apply another layer of security around it to buy some time, and frankly I would like to know why the caller computer name is blank or says mstsc, for my own information. At a minimum I just need to find which entry point the attack is coming from.

Any suggestions?
Joe GIT personal Asked:

kenfcampCommented:
mstsc creates RDP sessions to the host
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc

Is there any chance this could be user error (forgotten password, wrong login, etc.)?
0
Joe GIT personalAuthor Commented:
Not possible. The user is part time and I'm seeing hits around 1am, 4am, etc. Also there are other names being used besides this one user's, like the defaulted AD accounts I mentioned. This is definitely an attack.
0
kenfcampCommented:
Try searching your logs for event ID 1149 (Terminal Services connection manager).
0
Joe GIT personalAuthor Commented:
Should I search for this on the PDC, or on all the possible RDP endpoints they could be targeting?
0
kenfcampCommented:
World-facing RDP ports are not a good idea in the least.

If you need it, I wouldn't consider it outside of perhaps a secure VPN connection.
0
kenfcampCommented:
I'd check them all, or one at first to see if you find anything useful.

If found, the event "should" provide the user ID (used) and connection information.
0
Joe GIT personalAuthor Commented:
I absolutely agree that PCs should not be at the edge for RDP. I inherited this from someone else (#jobsecurity lol); I just need to buy a few more weeks to close them all out.

Thanks. I'll get back to you after I scan for that event.
0
kenfcampCommented:
The accepted solution to this post - https://www.experts-exchange.com/questions/28967041/How-to-see-Event-ID-1149-using-powershell-or-cmd-the-names-and-IPs-successfully-logged-in-my-remote.html - has a PowerShell script to export the information you're looking for.

It might help make things easier.
0
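An added PowerShell example of the kind of collection the 1149 suggestion points at; it is my own code, not the script from the linked answer or anything from the thread. It runs against the edge RDP hosts (not the DC, since 4740 on the DC only carries whatever workstation name the client chose to report), pulling 1149 from the RemoteConnectionManager log and, alongside it, 4625 failed logons from each host's Security log, then grouping by host and source address so the entry point and the originating IP fall out directly. The host names pc1/pc2, the default 24-hour window, and the assumption that the caller has rights to read remote event logs are all placeholders/assumptions for illustration.

```powershell
# Added example: enumerate RDP connection events on the edge hosts and
# group them by host + source address. Not the linked answer's script.
# Assumes: $RdpHosts are your edge PC names (pc1/pc2 are placeholders),
# remote event log reading is permitted, and Security log auditing for
# logon failures is on (the default on domain-joined Windows).
param(
    [string[]]$RdpHosts = @('pc1', 'pc2'),   # placeholder host names
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

$results = foreach ($h in $RdpHosts) {
    # Event 1149: RemoteConnectionManager accepted a connection.
    # Properties are User, Domain, Source Network Address (in that order).
    try {
        Get-WinEvent -ComputerName $h -FilterHashtable @{
            LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
            Id        = 1149
            StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Host      = $h
                Time      = $_.TimeCreated
                EventId   = 1149
                User      = "$($_.Properties[1].Value)\$($_.Properties[0].Value)"
                SourceIp  = $_.Properties[2].Value
                LogonType = $null
            }
        }
    } catch { Write-Warning "$h (1149): $($_.Exception.Message)" }

    # Event 4625: failed logon in the Security log. For RDP the EventData
    # carries the client's IpAddress, which 4740 on the DC does not.
    try {
        Get-WinEvent -ComputerName $h -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4625
            StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            # Parse the event XML so fields are read by name, not by position.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Host      = $h
                Time      = $_.TimeCreated
                EventId   = 4625
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIp  = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        }
    } catch { Write-Warning "$h (4625): $($_.Exception.Message)" }
}

# Summary: which edge PC, and which source address, is generating the attempts.
$results |
    Group-Object Host, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail, newest first, for tracing individual lockouts back to a host.
$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

Two things worth knowing when reading the output: with Network Level Authentication enabled, 1149 is only written after the credential exchange succeeds, so a password-guessing run that never gets in will show up only as 4625 entries (logon type 3 under NLA, type 10 for a classic RDP logon); and the workstation name that ends up in 4740's Caller Computer Name is simply whatever the connecting client reports, which can be empty or an arbitrary string, so the IpAddress from 4625 on the host is the field to trust for locating the entry point.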
Joe GIT personalAuthor Commented:
Thanks. This was helpful.
0
kenfcampCommented:
You're more than welcome. I hope you get things worked out.
0
Joe GIT personalAuthor Commented:
The information I'm seeing will allow me to move things along faster and remove the RDP endpoints from the edge sooner.
1
kenfcampCommented:
Good to hear.
0