NT AUTHORITY\SYSTEM is pinging a certain site every time

  • Question

  • Hi everyone,

I was just going through the security logs for one of my DCs and another production server.

    I noticed that the two are pinging

    ping  -n 1 qHLbK646467636130646333.windows64x.com
    ping  -n 1 a7MNc6464676361fhjdfsjjd3.windows64x.com
    ping  -n 1 ZMlsC646467636130646333.windows64x.com

    and so on.

    According to the log:

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>Information</Level><Task>Process Creation</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2019-05-14T07:41:00.636245700Z'/><EventRecordID>465204617</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='8928'/><Channel>Security</Channel><Computer>@Domain</Computer><Security/></System><EventData>A new process has been created.

    Creator Subject:
    Account Name: DC3$
    Account Domain: @Domain
    Logon ID: 0x3E7

    Target Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Process Information:
    New Process ID: 0x114c
    New Process Name: C:\Windows\System32\PING.EXE
    Token Elevation Type: %%1936
    Mandatory Label: Mandatory Label\System Mandatory Level
    Creator Process ID: 0x13a4
    Creator Process Name: C:\Windows\System32\cmd.exe
    Process Command Line: ping  -n 1 qHLbK646467636130646333.windows64x.com

    Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

    Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

    Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

    Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.</EventData></Event>

    Tuesday, May 14, 2019 9:22 AM
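A small detection helper for the pattern described in the question, added here as an example (not code from the thread or from Microsoft). It parses a 4688 record in the same shape as the one quoted above and flags PING.EXE launches whose target has a long, mixed letter/digit leftmost label, run under the SYSTEM logon ID (0x3E7) from cmd.exe. The sample event and the thresholds in `looks_generated` are constructed assumptions, not values from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELDS = ("Logon ID", "New Process Name", "Creator Process Name", "Process Command Line")

# Constructed sample, shaped like the 4688 event quoted in the question.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><EventID>4688</EventID><Computer>dc3.example.test</Computer></System>
<EventData>A new process has been created.
Creator Subject:
Account Name: DC3$
Logon ID: 0x3E7
Target Subject:
Logon ID: 0x0
Process Information:
New Process Name: C:\\Windows\\System32\\PING.EXE
Creator Process Name: C:\\Windows\\System32\\cmd.exe
Process Command Line: ping  -n 1 qHLbK646467636130646333.windows64x.com
</EventData></Event>"""

def parse_4688(xml_text):
    """Return the fields of interest from a 4688 event, or None if it is another event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    fields = {}
    for line in (root.findtext("e:EventData", namespaces=NS) or "").splitlines():
        key, sep, val = line.partition(":")
        key = key.strip()
        if sep and key in FIELDS and key not in fields:  # first Logon ID is the creator's
            fields[key] = val.strip()
    return fields

def ping_target(cmdline):
    """Last token of a ping command line is the host being pinged; None if not ping."""
    tokens = cmdline.split()
    return tokens[-1] if len(tokens) > 1 and tokens[0].lower() in ("ping", "ping.exe") else None

def looks_generated(host):
    """Heuristic (assumed thresholds): long leftmost label mixing letters and many digits."""
    label = host.split(".")[0]
    digits = sum(c.isdigit() for c in label)
    return len(label) >= 12 and digits / len(label) >= 0.3 and any(c.isalpha() for c in label)

def assess(event):
    """List the reasons a parsed 4688 event matches the thread's pattern; [] if none."""
    reasons = []
    if not event or not event.get("New Process Name", "").lower().endswith("ping.exe"):
        return reasons
    host = ping_target(event.get("Process Command Line", ""))
    if host and looks_generated(host):
        reasons.append("ping to DGA-like host " + host)
    if event.get("Logon ID", "").lower() == "0x3e7":
        reasons.append("launched under the SYSTEM logon (0x3E7)")
    if event.get("Creator Process Name", "").lower().endswith("cmd.exe"):
        reasons.append("spawned from cmd.exe")
    return reasons
```

Feed it the XML of each 4688 record exported from the Security log; an event that returns all three reasons is the one worth chasing back to its creator process (0x13a4 in the quoted event).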

All replies

  • A whois on that domain name yields the following:
    Name: Domain Admin
    Organization: Privacy Protect, LLC (PrivacyProtect.org)

    So, it's privately registered.

DNS yields nothing at this point, so the ping attempt would probably fail... for now... until someone decides to bring something online. Without being able to resolve to an IP address you couldn't block the traffic through a network firewall.

    It may be Microsoft building something into the operating system for future use; I know they have been discussing making windows an online only OS to further the goal of turning windows into a service.

To play the devil's advocate, alternatively it could be something malicious having been embedded into the OS as part of an APT. I would be curious if you or others could corroborate the same log entries from known clean installations and/or other environments.

If you are truly paranoid about it and you run your own DNS, you could create a set of static DNS records (A, MX, etc.) for that domain name with a loopback address in both IPv4 and IPv6 space, which should prevent future resolution success if the original registrants ever bring anything online using that domain name.

    The solution is always the last thing you look at... -M

    Tuesday, May 14, 2019 1:57 PM
  • Thanks for the reply.

I forgot to mention that I did a whois search and got the same result as you did.

    And regarding that it could be Microsoft, it could. However, since only two machines are behaving this way it looks a bit suspicious.

    I contacted Privacy Protect, will wait and see.

    Thanks a lot.

    Wednesday, May 15, 2019 7:36 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    Thank you for your update. If we have any updates, please update here. Thank you for your time and sharing in advance!

    Have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 15, 2019 9:01 AM
  • 2 machines out of how many?

Are those 2 machines the same level of OS and, if so, are they unique compared to the other Windows instances in your environment? (i.e. are those the only 2 Server 2019 instances in an environment primarily 2016 and earlier...?)

    Are there any feature sets installed on those 2 machines that are common between them but unique to the remainder of the environment?

The reason I ask is that this may be the byproduct of a Windows feature that may not be included in a vanilla installation or earlier versions. I know that Windows 2019 includes feature functionality that is heavily geared towards cloud connect, which could explain what looks like heartbeat communications.

I also did a quick general Google search for Windows64x.com (thinking someone else may have had the same question you did, which I did NOT find) and found Windows64.com (minus the x), also registered to the same private registration company (brand protection?), and after looking around through that site I would be willing to bet lunch and a case of beer that it is not owned/operated by Microsoft at all.
    First of all, Microsoft has no problems publishing the fact that they own a domain. Typically a Microsoft domain will be registered by Microsoft publicly without any obfuscation at ICANN.
    Secondly, the Windows64.com domain behaves more like a click-bait destination with advertising, what equates to 'Windows for Dummies' type articles and no meaningful links aside from that.

(Again, block that S*1t with a fake DNS entry and shut down any traffic from leaving your environment. That's what I'm going to do after this conversation. At least until I see a need to do otherwise.)

    I would be interested to see if any Microsoft Employee perusing these posts might have knowledge of this behavior and can better explain it...

P.S. I've double-checked one of my DCs and I do not find any instance of Event ID 4688 in the Event Viewer security logs...

    The solution is always the last thing you look at... -M

    Wednesday, May 15, 2019 6:57 PM
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


    Friday, May 17, 2019 9:06 AM
  • Hi,
Would you please tell me how things are going on your side. If you have any questions or concerns, please don't hesitate to let us know.
    Again, thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Monday, May 20, 2019 2:16 AM