Sporadic attempts at different intervals on users' passwords, but Event 4740 - Caller Computer Name is blank or labeled with MSTSC

Joe G
Seeing sporadic attempts at different intervals on users' passwords, but in Event 4740 the Caller Computer Name is blank or labeled with MSTSC. Need to find out which PC is being targeted or where it's coming from.

What I know is:
MSTSC is not a PC name in our network; it is, however, the command for Remote Desktop, but not a PC name.
There are three types of usernames the attack is targeting. Some of the attempts are on default AD users: administrator and backupuser.
Other attempts are on non-default AD users like ITtech, itsupport, etc.
Only one non-IT, non-default AD user name is appearing in the lockouts, which I'm tracking down to see where this person was and what device they are using.

My environment: I have a few PCs exposed to the internet for RDP sessions. I've changed all the default RDP ports to custom ports, along with port forwarding to match the connection, i.e. 1.1.1.1:5001 for pc1, :5002 for pc2, etc. I know it's a very bad setup, but we are moving away from it very soon. I believe these attacks are coming from these edge devices, but I can't find a way to correlate the info I have to the device being used for the attacks. If I can find the device I can try to apply another layer of security around it to buy some time, and frankly I would like to know why the caller computer name is blank or says mstsc, for my own information. At a minimum I just need to find which entry point the attack is coming from.

Any suggestions?
mstsc creates RDP sessions to the host.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc

Is there any chance this could be user error (forgotten password, wrong login, etc.)?
Joe G (Author) commented:
Not possible. The user is part-time and I'm seeing hits around 1am, 4am, etc. Also there are other names being used besides this one user, like the default AD accounts I mentioned. This is definitely an attack.
Try searching your logs for event ID 1149 (Terminal Services remote connection manager).

Joe G (Author) commented:
Should I search for this on the PDC, or on all the possible RDP endpoints they could be targeting?
World-facing RDP ports are not a good idea in the least.

If you need it, I wouldn't consider it outside of perhaps a secure VPN connection.
I'd check them all, or one at first, to see if you find anything useful.

If found, the event "should" provide the user ID (used) and connection information.
Joe G (Author) commented:
I absolutely agree that PCs should not be at the edge for RDP. I inherited this from someone else (#jobsecurity lol); I just need to buy a few more weeks to close them all out.

Thanks. I'll get back to you after I scan for that event.
The accepted solution to this post - https://www.experts-exchange.com/questions/28967041/How-to-see-Event-ID-1149-using-powershell-or-cmd-the-names-and-IPs-successfully-logged-in-my-remote.html - has a PowerShell script to export the information you're looking for.

It might help make things easier.
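An added example of the same correlation, written for this page and not the script in the linked answer: from one admin workstation it pulls 4740 from the PDC emulator, 1149 and 4625 from each exposed PC, ranks the exposed hosts by source address, and ties each lockout back to the entry point. The host names in $RdpHosts and $Dc, the 7-day range and the 30-minute window are assumptions to edit. Two caveats before reading the output: the Caller Computer Name in 4740 is the workstation name the connecting client reported, so a scanning tool can leave it blank or set it to "MSTSC"; and with Network Level Authentication enabled a wrong password never produces 1149 at all, which is why the script also reads 4625 (failed logon, which carries Source Network Address and Workstation Name) on the RDP hosts.

```powershell
# Added example, not the script from the linked answer. Assumptions (edit them):
#   $RdpHosts : the internet-exposed PCs from the question (pc1, pc2 ...)
#   $Dc       : the DC holding the PDC emulator role, where every 4740 lands
#   Remote event-log read access to all of them (admin rights, RPC reachable).
$RdpHosts = @('pc1', 'pc2')
$Dc       = 'dc1'
$Since    = (Get-Date).AddDays(-7)

# Read events remotely; a host with no matching events or an unreachable
# host only produces a warning so the other hosts are still processed.
function Get-Events($Computer, $Filter) {
    $Filter.StartTime = $Since
    Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter `
        -ErrorAction SilentlyContinue -ErrorVariable err
    foreach ($e in $err) { Write-Warning "${Computer}: $($e.Exception.Message)" }
}

# Map an event's EventData <Data Name="..."> fields by name, so nothing
# depends on Properties[] index positions.
function Get-EventData($evt) {
    $m = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $m[$d.Name] = $d.'#text' }
    $m
}

# 1) Lockouts from the PDC emulator. In 4740 the "Caller Computer Name" is the
#    TargetDomainName field, and it is whatever the client reported: blank or
#    "MSTSC" does not identify a machine on your network.
$lockouts = Get-Events $Dc @{ LogName = 'Security'; Id = 4740 } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; Caller = $d.TargetDomainName }
}

# 2) Per exposed host: 1149 (every connection the RDP listener accepted; its
#    UserData carries Param1 = user, Param2 = domain, Param3 = source address)
#    and 4625 (failed logons, with IpAddress and WorkstationName). With NLA on,
#    a bad password never reaches 1149, so 4625 is what catches brute force.
$attempts = foreach ($h in $RdpHosts) {
    Get-Events $h @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149 } |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{ RdpHost = $h; Time = $_.TimeCreated; Event = 1149
                           User = $u.Param1; SourceIP = $u.Param3; Workstation = '' }
    }
    Get-Events $h @{ LogName = 'Security'; Id = 4625 } |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ RdpHost = $h; Time = $_.TimeCreated; Event = 4625
                           User = $d.TargetUserName; SourceIP = $d.IpAddress; Workstation = $d.WorkstationName }
    }
}

# 3) Which entry point: attempts per exposed host and source address, busiest first.
$attempts | Group-Object RdpHost, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Host, SourceIP'; e = { $_.Name } },
        @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 4) For each lockout, the attempts on that account in the preceding window
#    (a lockout threshold's worth of failures normally arrives within minutes).
$window = New-TimeSpan -Minutes 30
foreach ($l in $lockouts) {
    $hits = $attempts | Where-Object {
        $_.User -eq $l.Account -and $_.Time -le $l.Time -and $_.Time -ge ($l.Time - $window)
    }
    [pscustomobject]@{
        LockedAt   = $l.Time
        Account    = $l.Account
        Caller4740 = $l.Caller
        EntryHosts = ($hits.RdpHost  | Sort-Object -Unique) -join ', '
        SourceIPs  = ($hits.SourceIP | Sort-Object -Unique) -join ', '
    }
}
```

Run it from a machine that can reach the DC and the exposed PCs over RPC. The table from step 3 answers the question of which forwarded port is being hammered (the RdpHost column is the entry point, the SourceIP column is what to block at the firewall); step 4 shows, per lockout, which of those hosts saw that account in the half hour before the PDC logged it. If a lockout shows no hits at all, the failures did not arrive over RDP on those hosts and the 4776 events on the DC are the next place to look.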
Joe G (Author) commented:
Thanks. This was helpful.
You're more than welcome. I hope you get things worked out.
Joe G (Author) commented:
The information I'm seeing will allow me to move things along faster and remove the RDP endpoints from the edge sooner.
Good to hear.
