asked on Mulitple Events in Event Viewer
In Even Viewer we are seeing a ton of events like the example below. There are 20 or more a second. We are trying to find out where they are coming from and how to stop them. Any ideas and what else we can do? Is there software out there that would help us in looking for info on these? One of the things that is throwing us off is the username changes on every one of the events.
- System
- Provider
[ Name] Microsoft-Windows-Security
[ Guid] {54849625-5478-4994-A5BA-3
EventID 4776
Version 0
Level 0
Task 14336
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2020-04-29T12:35:59.662914
EventRecordID 168057449
Correlation
- Execution
[ ProcessID] 704
[ ThreadID] 9872
Channel Security
Computer
Security
- EventData
PackageName MICROSOFT_AUTHENTICATION_P
TargetUserName tomcat
Workstation
Status 0xc0000064
- System
- Provider
[ Name] Microsoft-Windows-Security
[ Guid] {54849625-5478-4994-A5BA-3
EventID 4776
Version 0
Level 0
Task 14336
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2020-04-29T12:35:59.662914
EventRecordID 168057449
Correlation
- Execution
[ ProcessID] 704
[ ThreadID] 9872
Channel Security
Computer
Security
- EventData
PackageName MICROSOFT_AUTHENTICATION_P
TargetUserName tomcat
Workstation
Status 0xc0000064
PowershellSoftwareMicrosoft 365Windows Server 2012Active Directory
Last Comment
Giovanni
It's possible that somebody is trying to log on to the server with random usernames = you are attacked.
4776 = The domain controller attempted to validate the credentials for an account
0xC0000064 = The username you typed does not exist. Bad username.
4776 = The domain controller attempted to validate the credentials for an account
0xC0000064 = The username you typed does not exist. Bad username.
ASKER
This is what we are thinking. Our problem is we are not seeing anything for a source as to where it is coming from.
Is the server opened to outside? Can you block ports like 80, 443, and see if it stops?
How to troubleshoot it:
https://community.spiceworks.com/how_to/154561-tracking-failed-logon-attempts-and-lockouts-on-your-network
How to troubleshoot it:
https://community.spiceworks.com/how_to/154561-tracking-failed-logon-attempts-and-lockouts-on-your-network
ASKER
Here are two more examples if that helps.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Se
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2020-04-29T12:
<EventRecordID>168058019</
<Correlation />
<Execution ProcessID="704" ThreadID="6988" />
<Channel>Security</Channel
<Computer>Moe2.JuneauCount
<Security />
</System>
- <EventData>
<Data Name="PackageName">MICROSO
<Data Name="TargetUserName">ELVI
<Data Name="Workstation" />
<Data Name="Status">0xc0000064</
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Se
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2020-04-29T12:
<EventRecordID>168058019</
<Correlation />
<Execution ProcessID="704" ThreadID="6988" />
<Channel>Security</Channel
<Computer>Moe2.JuneauCount
<Security />
</System>
- <EventData>
<Data Name="PackageName">MICROSO
<Data Name="TargetUserName">ELVI
<Data Name="Workstation" />
<Data Name="Status">0xc0000064</
</EventData>
</Event>
ASKER
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Se
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2020-04-29T12:
<EventRecordID>168058022</
<Correlation />
<Execution ProcessID="704" ThreadID="7092" />
<Channel>Security</Channel
<Computer>Moe2.JuneauCount
<Security />
</System>
- <EventData>
<Data Name="PackageName">MICROSO
<Data Name="TargetUserName">DILL
<Data Name="Workstation" />
<Data Name="Status">0xc0000064</
</EventData>
</Event>
- <System>
<Provider Name="Microsoft-Windows-Se
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000
<TimeCreated SystemTime="2020-04-29T12:
<EventRecordID>168058022</
<Correlation />
<Execution ProcessID="704" ThreadID="7092" />
<Channel>Security</Channel
<Computer>Moe2.JuneauCount
<Security />
</System>
- <EventData>
<Data Name="PackageName">MICROSO
<Data Name="TargetUserName">DILL
<Data Name="Workstation" />
<Data Name="Status">0xc0000064</
</EventData>
</Event>
ASKER
We blocked those ports and it did not help. I do have our firewall setup to block all traffic in and out to other countries. I also tried the link you provided from Spiceworks and the reports didn't show anything.
Moe2.JuneauCounty.localIs it a source or target server?
ASKER
Target server.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776