Non-existing account attempted logon from Unresolved computer account

  • Question

  • Hi 

    I have activities where user logons that are non-existent in our domain try to log on from a computer account that is unresolved.

    I have checked the AD and the computer account "MSTSC" doesn't exist. They try to log in with NTLM authentication, so we think it's a non-domain-joined computer that is doing this. The hard part is that ATA doesn't show the source IP / MAC address for the computer account, so we are unable to go further with ATA.

    Is there a way to check in the MongoDB if there is more information there? 

    It's not a day-to-day activity, and it can be a week or more between the login attempts.

    Best regards 

    Peter

    Wednesday, October 24, 2018 11:03 AM

All replies

  • This is a known issue where, when we are looking at NTLM events, ATA is recording the name of the computer incorrectly.

    MSTSC is not the name of the computer; it was just the name of the software mstsc.exe. We considered it as a computer because of the details we have in the 4776 event.

    Since it's not coming from network traffic, we don't have the source IP.

    You can look at the event 4776 on the DC itself, but I am not sure if you will be able to see more data there;

    I think we extract whatever we can from it already.

    Wednesday, October 24, 2018 3:22 PM
  • Thanks for the response Eli.

    I will look at the logs from the DC and see if I can see more. Not much hope though.

    Thursday, October 25, 2018 6:01 AM
  • Would leveraging NTLM audit logs such as event ID 8004 help at all? And if so, could Microsoft include this in the ATA event collection?
    Wednesday, February 13, 2019 7:41 PM
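The DC-side check discussed in this thread, as an added example that is not part of the original posts or of ATA: it filters Event 4776 messages for the "no such user" NTSTATUS, groups the attempted account names by Source Workstation, flags workstations absent from the AD computer list, and then uses Event 8004 audits (Microsoft-Windows-NTLM/Operational) to recover the member server that forwarded the NTLM request, which is the hop 4776 alone does not reveal. The sample events, the 8004 field layout and the known-computer set are constructed assumptions.

```python
import re
from collections import defaultdict

# NTSTATUS code reported in Event 4776 when the logon account does not exist in the domain.
STATUS_NO_SUCH_USER = "0xC0000064"

# Constructed sample messages (not real log data): Event 4776 from the DC Security log and
# Event 8004 from Microsoft-Windows-NTLM/Operational; the 8004 field layout is an assumption.
SAMPLE_4776 = [
    "Authentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tjdoe\n"
    "Source Workstation:\tMSTSC\nError Code:\t0xC0000064",
    "Authentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tadmin\n"
    "Source Workstation:\tMSTSC\nError Code:\t0xC0000064",
    "Authentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\talice\n"
    "Source Workstation:\tWS01\nError Code:\t0xC000006A",  # wrong password: not flagged
    "Authentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tbob\n"
    "Source Workstation:\tWS01\nError Code:\t0xC0000064",
]
SAMPLE_8004 = [
    "Secure Channel name: SRV01\nUser name: jdoe\nDomain name: CONTOSO\nWorkstation name: MSTSC",
    "Secure Channel name: SRV02\nUser name: bob\nDomain name: CONTOSO\nWorkstation name: WS01",
]
# Computer accounts that exist in AD (constructed; in practice export them from AD).
KNOWN_COMPUTERS = {"WS01", "SRV01", "SRV02", "DC01"}


def parse_fields(message):
    """Turn the 'Key:<tab/space>Value' lines of one event message into a dict."""
    return {k.strip(): v.strip()
            for k, v in re.findall(r"^([^:\n]+):\s*(.*)$", message, re.M)}


def unknown_account_logons(events_4776, known_computers):
    """Group 'account does not exist' validations by Source Workstation and flag
    workstation names that have no matching computer account in AD."""
    hits = defaultdict(set)
    for msg in events_4776:
        f = parse_fields(msg)
        if f.get("Error Code", "").upper() == STATUS_NO_SUCH_USER.upper():
            hits[f.get("Source Workstation", "")].add(f.get("Logon Account", ""))
    return {ws: {"accounts": sorted(accts), "resolved": ws.upper() in known_computers}
            for ws, accts in hits.items()}


def ntlm_servers_for(workstation, events_8004):
    """List the member servers (Secure Channel name) that passed NTLM authentication
    from this workstation name through to the DC, so the hunt can continue there."""
    return sorted({parse_fields(m)["Secure Channel name"] for m in events_8004
                   if parse_fields(m).get("Workstation name", "").upper() == workstation.upper()})
```

The workstation names in 4776 and 8004 are client-supplied strings, so treat them as a pivot for the next query on the named server, not as proof of origin.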