
I have a domain controller installed in my home office: 1 domain controller, 1 PC, 1 user. I'm running Microsoft Server 2019. When I look in the Security event log, I see thousands of Logon (Event ID 4624), Logoff (Event ID 4634) and Special Logon (Event ID 4672) events - hundreds per hour being generated.

A sample logon event (Event ID 4624):

    Subject:
        Security ID:            NULL SID
        Account Name:           -
        Account Domain:         -
        Logon ID:               0x0

    Logon Information:
        Logon Type:             3
        Restricted Admin Mode:  -
        Virtual Account:        No
        Elevated Token:         Yes

    Impersonation Level:        Delegation

    New Logon:
        Security ID:            SYSTEM
        Account Name:           DC$
        Account Domain:         ACME.LTD
        Logon ID:               0x234F28
        Linked Logon ID:        0x0
        Network Account Name:   -
        Network Account Domain: -

I've researched these online and found conflicting advice, including suggestions that the server is compromised, that the network is compromised, that this is from workstations accessing the server, and that these are the server authenticating against itself.

The latter is why, on a hunch, I cleared the logs and disconnected the server from the network - these events carried on being generated.

Frustratingly, with all this noise I have no way of spotting actual suspicious errors.

Any help would be appreciated!!

Mr Fett
  • My question got down-voted twice immediately but with no comments. Any advice on what I'm doing wrong would be appreciated!! – Mr Fett May 12 '22 at 20:37
  • I didn't downvote, but on SF labbing questions are off-topic; we get a lot of such. Your question is good/can be valid in a business, but the fact that you state lab/home in your first sentence makes you a target for such. – yagmoth555 May 13 '22 at 13:03
  • Such security events can be logged if a service or something installed locally tries to run but with a bad credential, or if you did a domain, but a replication partner can't sync. – yagmoth555 May 13 '22 at 13:09
  • Thank you @yagmoth555, I should probably have been clearer - this actually is a business (I run a consultancy) but it's just one user (me) as a start-up! This is a challenging problem because I am trying to 'train' a SIEM solution for a customer but these sorts of events give false positives (every few seconds!!). – Mr Fett May 13 '22 at 13:29
  • Even more confusing, from research it appears that Logon Type: 3 is a network login but these occurred when the network was disconnected. – Mr Fett May 13 '22 at 13:32
  • It means a service polls localhost or 127.0.0.1; I would disable anything not MS for all services to pinpoint what service causes you that – yagmoth555 May 13 '22 at 17:16
  • I am unsure but maybe [my powershell script](https://github.com/djdomi/Powershell-Scripts/blob/1f5cee3df801889558bc3dd0d06d0caec6eb40ff/powershell_announce_failed_logins.ps1) could help as it shows the port and IP – djdomi May 13 '22 at 17:37
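The question is really about separating the DC's machine-account logons from the 4624 records worth looking at, and yagmoth555's comment about pinpointing the source needs the same data. The PowerShell below is an added example, not code from the question, from any comment, or from djdomi's linked script. It assumes it runs in an elevated session on the DC, a one-hour window, and that the noise has the shape of the sample event in the question (target account name ending in `$`, logon type 3, no subject account); the logon-type names are the standard Windows values for the LogonType field.

```powershell
# Added example (not from the question or comments): summarise Security log 4624 events
# on a domain controller so machine-account self-logons can be set aside and the rest
# inspected. Assumes an elevated session on the DC; $Hours is an assumed window.

$LogonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-Logon4624 {
    param([int]$Hours = 1)

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The event XML carries the named EventData fields; read them into a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            LogonId       = $data['TargetLogonId']      # matches the Logon ID in 4672/4634
            LogonType     = [int]$data['LogonType']
            LogonTypeName = $LogonTypeNames[[int]$data['LogonType']]
            TargetUser    = $data['TargetUserName']
            TargetDomain  = $data['TargetDomainName']
            SubjectUser   = $data['SubjectUserName']
            LogonProcess  = $data['LogonProcessName']
            AuthPackage   = $data['AuthenticationPackageName']
            SourceAddress = $data['IpAddress']
            SourcePort    = $data['IpPort']
            Workstation   = $data['WorkstationName']
        }
    }
}

function Test-MachineSelfLogon {
    param($Row)
    # The shape of the noise in the question: network logon, machine account, no subject.
    $Row.LogonType -eq 3 -and $Row.TargetUser -like '*$' -and $Row.SubjectUser -eq '-'
}

$rows = @(Get-Logon4624 -Hours 1)

# 1. What generates the volume: group on the fields that identify a logon path.
$rows | Group-Object LogonTypeName, TargetUser, SourceAddress, LogonProcess, AuthPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. What is left once the machine-account self-logons are set aside.
$remaining = $rows | Where-Object { -not (Test-MachineSelfLogon $_) }
$remaining | Sort-Object Time |
    Select-Object Time, LogonTypeName, TargetDomain, TargetUser, SourceAddress, SourcePort, Workstation |
    Format-Table -AutoSize

# 3. The 4672 (Special Logon) records pair with a 4624 through the same Logon ID,
#    so the Logon IDs of the noise tell you how many 4672s are the same noise.
$noiseIds = $rows | Where-Object { Test-MachineSelfLogon $_ } |
    Select-Object -ExpandProperty LogonId -Unique
$special = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue)
$linked = @($special | Where-Object {
    $x = [xml]$_.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectLogonId').'#text' -in $noiseIds
})
"{0} of {1} 4672 events belong to machine-account self-logons" -f $linked.Count, $special.Count
```

The first table is the one to read: if the top group is the machine account over logon type 3 with a blank or loopback source address and a Microsoft logon process, that is the DC servicing itself, and it will stay there with the cable unplugged, which is consistent with what the question observed. The second table is the list a SIEM rule should be built on: non-machine accounts, logon types 2 and 10, and type 3 from a real source address. Once the Logon IDs of the noise are known, the matching 4672 and 4634 records can be excluded by the same IDs rather than by event ID alone, so a genuine special-privilege logon by a user is still visible.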

0 Answers