Administrator account accessed from unknown computer names


For several weeks, all of our DCs have been receiving thousands of failed "Administrator" logons. Event Viewer records the following messages; note that there are no computers or servers on the network with these names, and the names look quite generic. We tried to trace the connections, but ProcessMonitor, anti-malware, internal ports, etc. show nothing. Does anyone know how to track this down further?

Event ID: 4776 Type: Network

```
Logon Account:  Administrator
Source Workstation: Windows2016
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Administrator
Source Workstation: FreeRDP
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Administrator
Source Workstation: Windows2012
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  Administrator
Source Workstation: Windows10
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
```

Answer 1

You can run Wireshark on the servers and look for Kerberos traffic. If there are many servers in the domain, this approach will be very time-consuming.
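As an added example (not part of the question or the answer above), the script below does the two things a defender usually wants with the events shown in the question. Event 4776 is the DC validating NTLM credentials (the `MICROSOFT_AUTHENTICATION_PACKAGE_V1_0` package), status `0xc000006a` is STATUS_WRONG_PASSWORD, and the "Source Workstation" value is a string the client sends and the DC does not verify, so names like `Windows2016` or `FreeRDP` say nothing about where the traffic really comes from, and the event carries no IP address. The script first aggregates the 4776 failures on the DC by that workstation string, then reads the Netlogon debug log to find which member server relayed each attempt, which is the machine whose own logon-failure events (4625) do contain the client IP. It assumes it runs as an administrator on a DC and that Netlogon debug logging was enabled beforehand with `nltest /dbflag:0x2080ffff`; the `SamLogon ... (via ...)` line format is taken from the usual shape of that log, and the sample line in the comment is constructed.

```powershell
# Added example, not code from the original page.
# Assumes: run as administrator on a DC; Netlogon debug logging already enabled with
#   nltest /dbflag:0x2080ffff   (writes %windir%\debug\netlogon.log)
param(
    [int]$Hours = 24,
    [string]$NetlogonLog = "$env:windir\debug\netlogon.log"
)

# 1. Collect Event ID 4776 from the DC's Security log. The fields we need
#    (package, account, workstation, status) are in the event's EventData XML.
$filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Package     = $data['PackageName']
        Account     = $data['TargetUserName']
        Workstation = $data['Workstation']   # client-supplied, not verified by the DC
        Status      = $data['Status']        # 0xc000006a = STATUS_WRONG_PASSWORD
    }
}

# Failures only, grouped by the unverified workstation string, with first/last seen.
$failed = $rows | Where-Object { $_.Status -ne '0x0' }
Write-Host "Failed 4776 validations in the last $Hours h, by Source Workstation:"
$failed | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstSeen'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'LastSeen';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# 2. 4776 has no IP. With Netlogon debug logging on, the DC records which member
#    server forwarded each NTLM validation. Constructed sample line:
#    "SamLogon: Transitive Network logon of CORP\Administrator from Windows2016 (via FILESRV01) Entered"
#    The "(via X)" host is where the client actually connected; its 4625 events hold the IP.
if (Test-Path $NetlogonLog) {
    $pattern = 'SamLogon: (?:Transitive )?Network logon of (?<acct>\S+) from (?<ws>\S+) \(via (?<via>\S+)\)'
    $relays = Select-String -Path $NetlogonLog -Pattern $pattern | ForEach-Object {
        $m = $_.Matches[0]
        [pscustomobject]@{
            Account     = $m.Groups['acct'].Value
            Workstation = $m.Groups['ws'].Value
            Via         = $m.Groups['via'].Value
        }
    }
    Write-Host "Member servers relaying these logons (from netlogon.log):"
    $relays | Where-Object { $_.Account -like '*\Administrator' } |
        Group-Object Via, Workstation | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}
else {
    Write-Host "No Netlogon debug log at $NetlogonLog; enable it with: nltest /dbflag:0x2080ffff"
}
```

Once the relaying server is known, its Security log (Event 4625, which includes the source network address) or its own NTLM operational auditing narrows the search to an actual address, which is considerably faster than capturing traffic on every server; the Netlogon debug log can be turned off again with `nltest /dbflag:0x0` once the source has been found.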
