For a few weeks now, all of our DCs have been receiving thousands of failed "Administrator" logons. Event Viewer records the messages below; note that there are no computers or servers on the network with these names, which look generic. We have tried to trace the connections, but ProcessMonitor, anti-malware, the internal ports, etc. show nothing. Does anyone know how to track this further?
Event ID: 4776 Type: Network

```
Logon Account: Administrator
Source Workstation: Windows2016
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: FreeRDP
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: Windows2012
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: Windows10
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
```
Answer 1
You can run Wireshark on the server and look for Kerberos traffic. If there are many servers in the domain, this approach is very time-consuming.
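As an added example (not code from the question or the answer above), a PowerShell triage script for the 4776 burst: it pulls the failed credential validations from a DC's Security log, flags Source Workstation names that match no computer object in the domain, and then looks for matching 4625 events on member servers, which, unlike 4776, record the client's IP address. It assumes event log read rights on the DC and the RSAT ActiveDirectory module; the $MemberServers parameter is a hypothetical list of hosts to check.

```powershell
# Added example, not from the original post. Assumes: run on a DC with rights to
# read the Security log, RSAT ActiveDirectory module present, and (hypothetical)
# $MemberServers = servers whose 4625 events should be correlated.
param(
    [int]$Hours = 24,
    [string[]]$MemberServers = @()
)

# Turn an event's EventData into a hashtable keyed by the <Data Name="..."> attribute.
function Get-EventData($Event) {
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$since = (Get-Date).AddHours(-$Hours)

# 1. Failed NTLM credential validations on this DC (status 0xc000006a = bad password).
$failed = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4776; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.Status -eq '0xc000006a') {
            [pscustomobject]@{ Time=$_.TimeCreated; Account=$d.TargetUserName; Workstation=$d.Workstation }
        }
    }

# 2. The Workstation field is whatever name the NTLM client put in its AUTHENTICATE
#    message, so a name like "FreeRDP" or "Windows2016" need not exist in the domain.
$known = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
$failed | Group-Object Workstation | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{ Workstation=$_.Name; Failures=$_.Count; InAD=($known -contains $_.Name) }
} | Format-Table -AutoSize

# 3. 4776 carries no source IP. The member server that received the logon attempt
#    and passed validation to the DC logs 4625 with IpAddress; correlate by workstation name.
$suspect = $failed.Workstation | Select-Object -Unique
foreach ($srv in $MemberServers) {
    Get-WinEvent -ComputerName $srv -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            [pscustomobject]@{ Server=$srv; Time=$_.TimeCreated; Account=$d.TargetUserName;
                               Workstation=$d.WorkstationName; SourceIP=$d.IpAddress }
        } | Where-Object { $_.Workstation -in $suspect } | Format-Table -AutoSize
}
```

If the attempts arrive at an RDP or web front end rather than directly at the DC, that front end is where the 4625 events with the real source address will be, so put those hosts in $MemberServers first.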