Juneaucounty

Multiple Events in Event Viewer

In Event Viewer we are seeing a ton of events like the example below.  There are 20 or more a second.  We are trying to find out where they are coming from and how to stop them.  Any ideas and what else we can do?  Is there software out there that would help us in looking for info on these?  One of the things that is throwing us off is the username changes on every one of the events.

- System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4776
 
   Version 0
 
   Level 0
 
   Task 14336
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2020-04-29T12:35:59.662914700Z
 
   EventRecordID 168057449
 
   Correlation
 
  - Execution

   [ ProcessID]  704
   [ ThreadID]  9872
 
   Channel Security
 
   Computer
 
   Security
 

- EventData

  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName tomcat
  Workstation  
  Status 0xc0000064
Powershell, Software, Microsoft 365, Windows Server 2012, Active Directory

Last Comment
Giovanni

8/22/2022 - Mon
Udara Peiris

Check this. You will be able to locate the reason behind that.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 
Hello There

It's possible that somebody is trying to log on to the server with random usernames = you are being attacked.

4776 = The domain controller attempted to validate the credentials for an account
0xC0000064 = The username you typed does not exist. Bad username.
Juneaucounty

ASKER
This is what we are thinking.  Our problem is we are not seeing anything for a source as to where it is coming from.
Hello There

Is the server open to the outside? Can you block ports like 80, 443, and see if it stops?

How to troubleshoot it:
https://community.spiceworks.com/how_to/154561-tracking-failed-logon-attempts-and-lockouts-on-your-network
Juneaucounty

ASKER
Here are two more examples if that helps.  

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2020-04-29T12:50:05.474984200Z" />
    <EventRecordID>168058019</EventRecordID>
    <Correlation />
    <Execution ProcessID="704" ThreadID="6988" />
    <Channel>Security</Channel>
    <Computer>Moe2.JuneauCounty.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">ELVIS</Data>
    <Data Name="Workstation" />
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>
Juneaucounty

ASKER
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2020-04-29T12:50:11.002204500Z" />
    <EventRecordID>168058022</EventRecordID>
    <Correlation />
    <Execution ProcessID="704" ThreadID="7092" />
    <Channel>Security</Channel>
    <Computer>Moe2.JuneauCounty.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">DILLON</Data>
    <Data Name="Workstation" />
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>
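
As an added example (not part of the thread and not any poster's code), the following PowerShell groups 4776 events by Status and Workstation and counts distinct user names, which shows whether the failures are guesses at nonexistent accounts and whether the events record a source at all. The function name `Get-Ntlm4776Summary`, the `MinUsers` threshold, the host `HOST-A` and the account `jsmith` are assumptions made for the example.

```powershell
# 0xC0000064 is explained in the thread; the other entries are standard NTSTATUS values.
$StatusText = @{
    '0x0'        = 'success'
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
}
# Hypothetical helper: takes event XML strings from the pipeline; MinUsers is an assumed threshold.
function Get-Ntlm4776Summary {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml, [int]$MinUsers = 3)
    begin { $rows = @() }
    process {
        # Flatten <Data Name="..."> elements into a lookup table; empty elements become ''.
        $data = @{}
        foreach ($n in ([xml]$EventXml).Event.EventData.Data) { $data[$n.GetAttribute('Name')] = $n.InnerText }
        $rows += [pscustomobject]@{
            User        = $data['TargetUserName']
            Workstation = if ($data['Workstation']) { $data['Workstation'] } else { '(empty)' }
            Status      = ([string]$data['Status']).ToLower()
        }
    }
    end {
        $rows | Group-Object Status, Workstation | ForEach-Object {
            $first = $_.Group[0]
            $users = @($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique)
            [pscustomobject]@{
                Status        = $first.Status
                Meaning       = $StatusText[$first.Status]
                Workstation   = $first.Workstation
                Events        = $_.Count
                DistinctUsers = $users.Count
                # Many different nonexistent names from one source is the guessing pattern.
                UserGuessing  = ($first.Status -eq '0xc0000064' -and $users.Count -ge $MinUsers)
            }
        } | Sort-Object Events -Descending
    }
}
# Constructed sample: three events shaped like those posted above, plus one made-up event from HOST-A.
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='TargetUserName'>{0}</Data><Data Name='Workstation'>{1}</Data>" +
    "<Data Name='Status'>{2}</Data></EventData></Event>"
$sample = @(
    ($template -f 'tomcat', '', '0xc0000064'), ($template -f 'ELVIS', '', '0xc0000064'),
    ($template -f 'DILLON', '', '0xc0000064'), ($template -f 'jsmith', 'HOST-A', '0xc000006a')
)
$sample | Get-Ntlm4776Summary | Format-Table -AutoSize
# Live use on the domain controller, from an elevated prompt:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776} -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | Get-Ntlm4776Summary -MinUsers 20
```

A row whose Workstation is `(empty)` confirms that the 4776 events themselves carry no source name, so the origin has to be found in another log.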
Juneaucounty

ASKER
We blocked those ports and it did not help.  I do have our firewall setup to block all traffic in and out to other countries.  I also tried the link you provided from Spiceworks and the reports didn't show anything.
Hello There

Moe2.JuneauCounty.local
Is it a source or target server?
Juneaucounty

ASKER
Target server.
ASKER CERTIFIED SOLUTION
Giovanni

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.