I have a server with a local administrator (it is not part of the domain). Every second, our Active Directory registers 8-10 failed login attempts with that user. Obviously the event generated is correct, since that local username does not exist in AD.
So, I tried to identify which process/service tries to connect to AD like 2000-3000 times a day, but the event log detail does not have any reference.
BTW, we have contracted a Managed Security Service to correlate events through a SIEM solution. These people say these failed attempts are security events, but they don't have any idea what could be causing them (I'm sure that this isn't an intrusion or hacking attempt). Since I'm not an expert and the MSS didn't have an answer, I would appreciate any actions that you could recommend.
The log is always the same; I am pasting the XML below.
- System
  - Provider
    [ Name ] Microsoft-Windows-Security-Auditing
    [ Guid ] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4625
  Version 0
  Level 0
  Task 12544
  Opcode 0
  Keywords 0x8010000000000000
  - TimeCreated
    [ SystemTime ] 2013-12-02T20:33:36.370882500Z
  EventRecordID 520119383
  Correlation
  - Execution
    [ ProcessID ] 532
    [ ThreadID ] 584
  Channel Security
  Computer ADexample.com
  Security
- EventData
  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName localserverusername
  TargetDomainName serverexample
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp
  AuthenticationPackageName NTLM
  WorkstationName serverexample
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress -
  IpPort -
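The event above does not carry a source process (ProcessName and IpAddress are both "-"), but it does carry WorkstationName, LogonType and SubStatus, which is enough to confirm where the failures come from and how fast they arrive. The following PowerShell script is an added example written for this thread, not code from the original poster or from the MSS; it pulls the 4625 events from the domain controller's Security log for one target account and groups them by the fields that identify the source. It assumes it is run in an elevated PowerShell on the DC (or against it with -ComputerName on Get-WinEvent), and the account name 'localserverusername' is the placeholder from the question.

```powershell
# Added example: summarise 4625 (logon failure) events on a domain controller
# for one target account and group them by the source-identifying fields.
# Assumption: run elevated on the DC; $TargetUser is the name from the question.
param(
    [string]$TargetUser = 'localserverusername',   # placeholder from the question
    [int]$Hours = 1                                # window to look back over
)

$since = (Get-Date).AddHours(-$Hours)

# FilterHashtable filters on the indexed properties (log, event ID, time),
# so this stays cheap even on a DC that logs hundreds of thousands of events.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

# Read the named EventData fields from each event's XML rather than parsing
# the rendered message text, which is localised and changes between versions.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -ne $TargetUser) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        TargetUser  = $d['TargetUserName']
        TargetDom   = $d['TargetDomainName']
        Workstation = $d['WorkstationName']   # the machine that sent the request
        IpAddress   = $d['IpAddress']         # "-" for NTLM pass-through, as in the question
        LogonType   = $d['LogonType']         # 3 = network logon
        AuthPackage = $d['AuthenticationPackageName']
        SubStatus   = $d['SubStatus']         # 0xC0000064 = user name does not exist
    }
}

# Rate check: the question reports 8-10 failures per second.
"{0} failures for '{1}' in the last {2} hour(s) ({3:N2}/s)" -f `
    $rows.Count, $TargetUser, $Hours, ($rows.Count / ($Hours * 3600))

# Every distinct source combination is one machine/path to look at next.
$rows |
    Group-Object Workstation, IpAddress, LogonType, AuthPackage, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The grouping is the useful part: in the event shown, WorkstationName is the server itself (serverexample), LogonProcessName is NtLmSsp and LogonType is 3, so the credentials are being presented over the network by that server, not by a remote host, and the DC rejects them with SubStatus 0xC0000064 because the local account has no matching AD user. The next place to look is therefore on serverexample, for anything (a service, a scheduled task, a mapped drive or a script) that runs as that local account and touches a domain resource, since the DC-side event will never name the process.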