An attack I have never seen and need help with


  • Hi Fellow Microsoft Admins,

    We have apparently been invaded by a strange piece of malware that cut through Symantec Enterprise (SEP) like it was not even there - SEP has been effective historically. It looks like a DDoS attack which also tries to accomplish a log in using an old NTLM Null SID!! Null SID attacks have not been effective for years!

    It runs for about a second with about 15 login attempts, then the attack switches to another source machine. All of these machines try to attack (log in to) our main file. It knows user names and machine names from AD and uses one, then the other, to attempt to log in. Scans from multiple anti-virus products (Malwarebytes and SEP) find nothing. See sample event 4625 below:

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Can't  publish
    Account Domain:        Can't  publish

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: LT9503
    Source Network Address:
    Source Port: 65072

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    Any ideas or help will be much appreciated!


    Thursday, December 6, 2018 7:50 PM
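The pattern the post describes (short NTLM failure bursts of roughly 15 attempts, each burst coming from a different Workstation Name, with a different account name on every attempt) is something a defender can pull out of the 4625 stream mechanically. The script below is an added example written for this thread; it is not code from the original poster or from Microsoft. It parses 4625 messages in the "Field: value" layout quoted above, clusters failures per source workstation into short windows, and then looks for several such bursts rotating across hosts within a minute. Two facts worth keeping in mind when reading the output: on a 4625 the Security ID reads NULL SID whenever the failed logon could not be mapped to an account, so the signal is the volume, the rotation, and the Sub Status, not the NULL SID by itself; and Sub Status 0xc0000064 means the user name does not exist, while 0xc000006a means the account exists and the password was wrong, which separates a spray of guessed names from a targeted guess against real accounts. The sample events, host names, account names and the thresholds (10 attempts in 2 seconds, 3 hosts in 60 seconds) are constructed assumptions for the example; tune them to your own baseline. Events are grouped by Workstation Name because, as in the quoted event, Source Network Address is often empty for NtLmSsp failures.

```python
"""Detect rotating NTLM logon-failure bursts in Windows event 4625 data.

Added example for the thread above: constructed sample events, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes carried in the Status / Sub Status fields of event 4625
STATUS_LOGON_FAILURE = "0xc000006d"
SUBSTATUS_NO_SUCH_USER = "0xc0000064"    # user name does not exist
SUBSTATUS_WRONG_PASSWORD = "0xc000006a"  # account exists, password wrong

# Assumed thresholds: a "burst" is 10+ failures from one workstation inside 2 s,
# and a "rotating source" campaign is 3+ bursting workstations inside 60 s.
BURST_MIN_ATTEMPTS = 10
BURST_WINDOW = timedelta(seconds=2)
ROTATION_WINDOW = timedelta(seconds=60)
ROTATION_MIN_HOSTS = 3


def parse_4625(message):
    """Turn the 'Field: value' message body of a 4625 into a dict (section headers become empty values)."""
    fields = {}
    for raw in message.splitlines():
        key, sep, value = raw.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def make_event(ts, workstation, account, sub_status=SUBSTATUS_NO_SUCH_USER, source_ip=""):
    """Build a constructed (timestamp, message) pair in the layout the post quotes."""
    message = (
        "Logon Type: 3\nAccount For Which Logon Failed:\nSecurity ID: NULL SID\n"
        f"Account Name: {account}\nAccount Domain: CORP\nFailure Information:\n"
        "Failure Reason: Unknown user name or bad password.\n"
        f"Status: {STATUS_LOGON_FAILURE}\nSub Status: {sub_status}\n"
        "Process Information:\nCaller Process ID: 0x0\nCaller Process Name: -\n"
        f"Network Information:\nWorkstation Name: {workstation}\n"
        f"Source Network Address: {source_ip}\nSource Port: 65072\n"
        "Detailed Authentication Information:\nLogon Process: NtLmSsp\n"
        "Authentication Package: NTLM\nTransited Services: -\nKey Length: 0"
    )
    return ts, message


def summarize(host, cluster):
    """Describe one burst: how many attempts, how many distinct names, how many names did not exist."""
    accounts = {f.get("Account Name", "") for _, f in cluster}
    no_such_user = sum(1 for _, f in cluster if f.get("Sub Status", "").lower() == SUBSTATUS_NO_SUCH_USER)
    return {"workstation": host, "start": cluster[0][0], "end": cluster[-1][0],
            "attempts": len(cluster), "distinct_accounts": len(accounts), "no_such_user": no_such_user}


def find_bursts(events):
    """Cluster network-logon (type 3) NTLM failures per workstation; report clusters over the threshold."""
    by_host = defaultdict(list)
    for ts, message in events:
        f = parse_4625(message)
        if f.get("Logon Type") != "3" or f.get("Authentication Package") != "NTLM":
            continue
        if f.get("Status", "").lower() != STATUS_LOGON_FAILURE:
            continue
        by_host[f.get("Workstation Name", "?")].append((ts, f))
    bursts = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0])
        cluster = []
        for ts, f in items + [(None, None)]:  # sentinel flushes the final cluster
            if cluster and (ts is None or ts - cluster[0][0] > BURST_WINDOW):
                if len(cluster) >= BURST_MIN_ATTEMPTS:
                    bursts.append(summarize(host, cluster))
                cluster = []
            if ts is not None:
                cluster.append((ts, f))
    return bursts


def find_rotating_sources(bursts):
    """Group bursts whose start times fall within ROTATION_WINDOW; flag groups spanning several hosts."""
    ordered = sorted(bursts, key=lambda b: b["start"])
    campaigns, group = [], []
    for b in ordered + [None]:
        if group and (b is None or b["start"] - group[0]["start"] > ROTATION_WINDOW):
            hosts = {g["workstation"] for g in group}
            if len(hosts) >= ROTATION_MIN_HOSTS:
                campaigns.append({"hosts": sorted(hosts), "attempts": sum(g["attempts"] for g in group),
                                  "no_such_user": sum(g["no_such_user"] for g in group)})
            group = []
        if b is not None:
            group.append(b)
    return campaigns


def analyze(events):
    bursts = find_bursts(events)
    return bursts, find_rotating_sources(bursts)


def constructed_sample():
    """Three hosts, each firing 15 guesses at non-existent names in ~1 s, then a lone real-user typo."""
    base = datetime(2018, 12, 6, 19, 0, 0)
    events = []
    for i, host in enumerate(["LT9503", "LT9510", "WS0042"]):
        t0 = base + timedelta(seconds=5 * i)
        for k in range(15):
            events.append(make_event(t0 + timedelta(milliseconds=70 * k), host, f"user{i * 15 + k:02d}"))
    events.append(make_event(base + timedelta(minutes=10), "WS0100", "jsmith", SUBSTATUS_WRONG_PASSWORD))
    return events


if __name__ == "__main__":
    bursts, campaigns = analyze(constructed_sample())
    for b in bursts:
        print(f"burst  {b['workstation']}: {b['attempts']} attempts, {b['distinct_accounts']} names, "
              f"{b['no_such_user']} unknown users, {b['start'].time()} - {b['end'].time()}")
    for c in campaigns:
        print(f"ROTATING SOURCES {c['hosts']}: {c['attempts']} attempts, {c['no_such_user']} unknown users")
```

To run this against a real domain controller or file server export, feed `analyze()` a list of `(TimeCreated, Message)` pairs pulled from the Security log and keep the same field parsing; the single wrong-password event from WS0100 in the sample is deliberately left unreported, since one failure from a real account is ordinary user behaviour and the thing worth escalating is the burst-and-rotate shape.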

All replies