Score:0

Access to Administrator account from unknown computer names

cn flag

For a few weeks all our DCs have received thousands of failed logins for "Administrator". Event Viewer logs the messages below. NOTE: we have no computers or servers on the network with these names; they seem very generic. We have tried to trace the connections, but ProcessMonitor, antimalware, internal ports etc. show nothing. Anyone with ideas on how to trace this further?

```
EventID: 4776 Type: NETWORK

Logon Account:  Administrator
Source Workstation: Windows2016
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Administrator
Source Workstation: FreeRDP
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Administrator
Source Workstation: Windows2012
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Administrator
Source Workstation: Windows10
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
```
Semicolon
jo flag
What AD-integrated service do you have open to the internet? OWA? Remote Desktop?
cn flag
None as far as I know, that's why we need to investigate where it is coming from
Alex
us flag
I second Mr. Semicolon: it looks like some Internet-exposed service that is being brute-forced, maybe RDP-related. If you have Windows logs from your servers, try looking for failed logon attempts (4625); ideally there should be such an event on the server itself that is being brute-forced.
Score:1
ru flag

You can run Wireshark on the server, and then look for Kerberos traffic. This will be a time consuming approach if you have lots of servers in the Domain.

cn flag
I have a few hundred servers and a few thousand users, so the Wireshark log "explodes" if I can't be more specific.
Abu Zaid
ru flag
In the filter, exclude your trusted networks: say you have all production servers in the 10.0.0.0/16 network, remove them from the capture. Or do it the other way: start with smaller subnets and rule them out one by one. It is not going to be simple; it will take time and effort to track it down via Wireshark. You will need to take the timestamp from the Event Log and then look at the relevant time frame in Wireshark. If you have budget, you can also try 3rd-party tools; for example ManageEngine has ADAudit Plus, which I haven't tried myself for this Event ID.
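One way to do the Event Log side of the correlation Abu Zaid describes, and the 4625 check Alex suggests, as an added example that is not from this thread: it summarises failed 4776 validations on the DC per claimed Source Workstation with first/last times (the window to capture in Wireshark), then pulls 4625 events from suspected member servers, since 4776 on the DC never records the client IP but 4625 on the server that took the logon does. The server names in $MemberServers are placeholders.

```powershell
# Added example, not from this thread. Run on a DC with rights to read the
# Security log locally and on the listed member servers.
# ASSUMPTION: $MemberServers holds placeholder names; replace with your own.
$Since = (Get-Date).AddHours(-24)
$MemberServers = @('RDP-GW-01', 'MAIL-01')

# Read EventData fields from the event XML rather than parsing the
# free-text message, so field names are stable across OS versions.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{ Time = $Record.TimeCreated }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

# 4776 on the DC: NTLM credential validation. Status 0x0 is success;
# 0xc000006a (as in the question) is a wrong password.
$failed4776 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ } |
    Where-Object { $_.Status -ne '0x0' }

"Failed 4776 by claimed workstation / account on $env:COMPUTERNAME since $Since"
$failed4776 | Group-Object Workstation, TargetUserName | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group.Time | Sort-Object)[0] } },
        @{ n = 'Last';  e = { ($_.Group.Time | Sort-Object)[-1] } } |
    Format-Table -AutoSize

# 4625 on the server that actually received the logon attempt carries
# IpAddress, IpPort and LogonType (3 = network, 10 = RemoteInteractive/RDP).
# Use the First/Last window above to narrow the packet capture.
foreach ($srv in $MemberServers) {
    "Top source IPs for failed logons on $srv since $Since"
    Get-WinEvent -ComputerName $srv -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Group-Object IpAddress, LogonType, TargetUserName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}
```

A claimed workstation name such as "FreeRDP" or "Windows10" is supplied by the client and proves nothing; the IpAddress from 4625 (or the source address in the capture) is what identifies where the attempts enter the network.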