Juneaucounty
asked on
Multiple Events in Event Viewer
In Event Viewer we are seeing a ton of events like the example below. There are 20 or more a second. We are trying to find out where they are coming from and how to stop them. Any ideas on what else we can do? Is there software out there that would help us look for info on these? One of the things that is throwing us off is that the username changes on every one of the events.
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4776
Version 0
Level 0
Task 14336
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2020-04-29T12:35:59.662914700Z
EventRecordID 168057449
Correlation
- Execution
[ ProcessID] 704
[ ThreadID] 9872
Channel Security
Computer
Security
- EventData
PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
TargetUserName tomcat
Workstation
Status 0xc0000064
It's possible that somebody is trying to log on to the server with random usernames = you are being attacked.
4776 = The domain controller attempted to validate the credentials for an account
0xC0000064 = The username you typed does not exist. Bad username.
ASKER
This is what we are thinking. Our problem is we are not seeing anything for a source as to where it is coming from.
Is the server open to the outside? Can you block ports like 80 and 443 and see if it stops?
How to troubleshoot it:
https://community.spiceworks.com/how_to/154561-tracking-failed-logon-attempts-and-lockouts-on-your-network
ASKER
Here are two more examples if that helps.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2020-04-29T12:50:05.474984200Z" />
    <EventRecordID>168058019</EventRecordID>
    <Correlation />
    <Execution ProcessID="704" ThreadID="6988" />
    <Channel>Security</Channel>
    <Computer>Moe2.JuneauCounty.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">ELVIS</Data>
    <Data Name="Workstation" />
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>
ASKER
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2020-04-29T12:50:11.002204500Z" />
    <EventRecordID>168058022</EventRecordID>
    <Correlation />
    <Execution ProcessID="704" ThreadID="7092" />
    <Channel>Security</Channel>
    <Computer>Moe2.JuneauCounty.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">DILLON</Data>
    <Data Name="Workstation" />
    <Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>
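As an added example that is not part of this thread, the script below parses records in exactly the XML shape the asker posted (the Event namespace, EventID, TimeCreated, TargetUserName, Workstation and Status) and flags the pattern the thread describes: a burst of 0xC0000064 failures across many different usernames inside one minute, which is what name guessing looks like in the log, as opposed to one person mistyping a name. It also counts how many of those records have an empty Workstation field, since that field is the only source hint a 4776 record carries; 4776 has no source IP address field. The hostnames, usernames, record numbers and timestamps in the sample are constructed and chosen only to resemble the posted events; the threshold of ten distinct names per minute is an assumption to tune for your environment.

```python
"""Added example (not from the thread): parse 4776 records in the XML shape
posted above and flag one-minute windows full of failures for usernames that
do not exist. All events built here are constructed; hosts and names are invented."""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
STATUS_NO_SUCH_USER = 0xC0000064   # the Status value in the posted events
EPOCH = datetime(1970, 1, 1)       # reference point for fixed-size time windows


def parse_event(xml_text):
    """Pull the fields that matter out of one 4776 record; None for other event IDs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if int(system.findtext("e:EventID", namespaces=NS)) != 4776:
        return None
    ts = system.find("e:TimeCreated", NS).get("SystemTime").rstrip("Z")
    if "." in ts:                      # Windows writes 7 fractional digits; keep 6
        head, frac = ts.split(".")
        ts = f"{head}.{frac[:6]}"
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "time": datetime.fromisoformat(ts),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "user": data.get("TargetUserName", ""),
        "workstation": data.get("Workstation", ""),   # 4776's only source hint
        "status": int(data.get("Status", "0x0"), 16),
    }


def find_bursts(events, window=timedelta(seconds=60), min_distinct_users=10):
    """Group STATUS_NO_SUCH_USER failures into fixed windows and report windows
    holding many distinct non-existent names (assumed threshold: 10 per minute)."""
    users_per_slot = defaultdict(set)
    blank_ws_per_slot = defaultdict(int)
    for ev in events:
        if ev is None or ev["status"] != STATUS_NO_SUCH_USER:
            continue
        slot = (ev["time"] - EPOCH) // window          # integer window index
        users_per_slot[slot].add(ev["user"])
        if not ev["workstation"]:
            blank_ws_per_slot[slot] += 1
    return [
        {
            "window_start": EPOCH + slot * window,
            "distinct_users": len(users_per_slot[slot]),
            "blank_workstation": blank_ws_per_slot[slot],
        }
        for slot in sorted(users_per_slot)
        if len(users_per_slot[slot]) >= min_distinct_users
    ]


def analyze(xml_records):
    """Convenience wrapper: raw XML strings in, list of alert dicts out."""
    return find_bursts(parse_event(x) for x in xml_records)


# Constructed record in the same shape as the posted events (hostname invented).
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{{54849625-5478-4994-A5BA-3E3B0328C30D}}"/>
<EventID>{event_id}</EventID><Version>0</Version><Level>0</Level><Task>14336</Task><Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="{ts}"/>
<EventRecordID>{rid}</EventRecordID><Correlation/><Execution ProcessID="704" ThreadID="6988"/>
<Channel>Security</Channel><Computer>dc01.example.local</Computer><Security/></System>
<EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">{user}</Data><Data Name="Workstation">{ws}</Data>
<Data Name="Status">{status}</Data></EventData></Event>"""


def make_event(ts, user, rid, ws="", status="0xc0000064", event_id=4776):
    return EVENT_TEMPLATE.format(ts=ts, user=user, rid=rid, ws=ws, status=status, event_id=event_id)


def build_sample():
    """Constructed sample: 23 different non-existent names in one minute, one
    successful validation, one lone typo three minutes later, one unrelated event."""
    names = ["tomcat", "ELVIS", "DILLON"] + [f"guess{i:02d}" for i in range(20)]
    records = [make_event(f"2020-04-29T12:50:{i:02d}.0000000Z", n, 168058000 + i)
               for i, n in enumerate(names)]
    records.append(make_event("2020-04-29T12:50:30.1234567Z", "jsmith", 168058100,
                              ws="FINANCE-PC", status="0x0"))
    records.append(make_event("2020-04-29T12:53:10.0000000Z", "jsmtih", 168058101))
    records.append(make_event("2020-04-29T12:53:11.0000000Z", "jsmith", 168058102,
                              event_id=4768, ws="FINANCE-PC", status="0x0"))
    return records


if __name__ == "__main__":
    for alert in analyze(build_sample()):
        print(f"{alert['window_start']:%Y-%m-%d %H:%M}: {alert['distinct_users']} distinct "
              f"non-existent usernames, {alert['blank_workstation']} with blank Workstation")
```

To run this against real data, save the Security log from Event Viewer as XML, or emit records from PowerShell with Get-WinEvent and each record's ToXml() method, and pass the strings to analyze(). Because 4776 is written by the validating domain controller without an address, the next step in locating the origin is to look at the 4625 (failed logon) events on the machine where the logon was attempted; their Network Information section carries the source address that 4776 lacks.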
ASKER
We blocked those ports and it did not help. I do have our firewall setup to block all traffic in and out to other countries. I also tried the link you provided from Spiceworks and the reports didn't show anything.
Moe2.JuneauCounty.local: is it a source or target server?
ASKER
Target server.
ASKER CERTIFIED SOLUTION
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776