asked on
Workgroup Share Audit Failure : Unknown user name of bad password
I have a large windows 10 workgroup with one of the machines sharing files. The user accounts on the local workstations are replicated on the "server", but with different passwords. There are shares set up on the Win 10 "server" and Everyone is given Full Control. The user accounts local to the server are given permissions to the shared folders' acl using NTFS. Shares on the "server" are mapped to the local machines using different credentials.
All has been well for a very long time.
Recently, an individual has started getting logon failures that seemed to have begun when her password was changed both on her workstation, and on the server, (this has been successfully done to a couple of others so far) then the mapped drives were disconnected and re-created using the new different credentials.
The first time the errors started occurring, I verified settings on the server, went to the workstation, and repeated the process carefully, drives mapped correctly, restarted the machine, logged on to see drive mappings still there, opened a few folders on each drive, and then checked the security logs on the "server" again, SUCCESS all around. TGIF!
Then comes Monday, and the Security log is inundated again.
I've gone through this scenario twice. The user involved is able to access files on the share, but at very slow speeds.
The Event ID is 4625 and the logon is incrementing the source port by one in each successive attempt.
I have Webroot monitoring the machines, so I don't believe it's malicious. What's the best course of action for tracking this down?
This is the Event xml code from a single Audit Failure:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Se
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2019-12-23T14:
<EventRecordID>100297783</
<Correlation ActivityID="{9dd5667a-b6c5
<Execution ProcessID="716" ThreadID="764" />
<Channel>Security</Channel
<Computer>”Server”</Comput
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-
<Data Name="SubjectUserName">-</
<Data Name="SubjectDomainName">-
<Data Name="SubjectLogonId">0x0<
<Data Name="TargetUserSid">S-1-0
<Data Name="TargetUserName">User
<Data Name="TargetDomainName">US
<Data Name="Status">0xc000006d</
<Data Name="FailureReason">%%231
<Data Name="SubStatus">0xc000006
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Nt
<Data Name="AuthenticationPackag
<Data Name="WorkstationName">USE
<Data Name="TransmittedServices"
<Data Name="LmPackageName">-</Da
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data
<Data Name="ProcessName">-</Data
<Data Name="IpAddress">192.168.2
<Data Name="IpPort">61707</Data>
</EventData>
</Event>
All has been well for a very long time.
Recently, an individual has started getting logon failures that seemed to have begun when her password was changed both on her workstation, and on the server, (this has been successfully done to a couple of others so far) then the mapped drives were disconnected and re-created using the new different credentials.
The first time the errors started occurring, I verified settings on the server, went to the workstation, and repeated the process carefully, drives mapped correctly, restarted the machine, logged on to see drive mappings still there, opened a few folders on each drive, and then checked the security logs on the "server" again, SUCCESS all around. TGIF!
Then comes Monday, and the Security log is inundated again.
I've gone through this scenario twice. The user involved is able to access files on the share, but at very slow speeds.
The Event ID is 4625 and the logon is incrementing the source port by one in each successive attempt.
I have Webroot monitoring the machines, so I don't believe it's malicious. What's the best course of action for tracking this down?
This is the Event xml code from a single Audit Failure:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Se
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2019-12-23T14:
<EventRecordID>100297783</
<Correlation ActivityID="{9dd5667a-b6c5
<Execution ProcessID="716" ThreadID="764" />
<Channel>Security</Channel
<Computer>”Server”</Comput
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-
<Data Name="SubjectUserName">-</
<Data Name="SubjectDomainName">-
<Data Name="SubjectLogonId">0x0<
<Data Name="TargetUserSid">S-1-0
<Data Name="TargetUserName">User
<Data Name="TargetDomainName">US
<Data Name="Status">0xc000006d</
<Data Name="FailureReason">%%231
<Data Name="SubStatus">0xc000006
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Nt
<Data Name="AuthenticationPackag
<Data Name="WorkstationName">USE
<Data Name="TransmittedServices"
<Data Name="LmPackageName">-</Da
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data
<Data Name="ProcessName">-</Data
<Data Name="IpAddress">192.168.2
<Data Name="IpPort">61707</Data>
</EventData>
</Event>
Windows 10WebrootWindows OSSecurityRansomware
Last Comment
vernaldrich