Successful 4624 Anonymous Logons to Windows Server from External IPs?

If you see successful 4624 events in your Event Viewer showing an ANONYMOUS LOGON from an external IP (usually Russia, Asia, the USA or Ukraine) with an authentication package of NTLM (logon process NtLmSsp), don't be alarmed: this is not an indication of a successful logon and access to your system, even though it is logged as a 4624.


If your server has RDP or SMB exposed to the internet you may see a run of these events in your server's Event Viewer. Although they show up as Event ID 4624 (which generally indicates a successful logon), they are NOT successful access to the system unless a correlating 4624 also appears with an Account Name of domain\username and a logon type of 10 for RDP or 3 for SMB. You can double-check by looking for 4625 (failure) events from the same source within a similar time range to the logon event.

The reason is that when a client initiates an RDP or SMB connection, the network session itself is logged as a successful connection BEFORE the user is prompted for a password. This produces a type 3 4624 for ANONYMOUS LOGON (the anonymous session setup). When the user then submits credentials, the attempt either fails (a 4625 if they are incorrect) or succeeds, showing up as another 4624 with the appropriate logon type and a real username.
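The correlation described above (an anonymous type-3 4624 followed, from the same source IP, by either a 4625 or a 4624 with a named account and the real logon type), as an added Python example that is not part of the original post. It runs over constructed sample records whose keys mirror the EventData field names Windows writes; the one-minute window and the RFC 1918 "internal" test are assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# RFC 1918 ranges; anything outside them is treated as "external" here (an
# assumption, adjust for your own address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample Security-log records (not real captures). 203.0.113.0/24 is a
# documentation range standing in for an internet source.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2020-01-10T03:14:02", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "AuthenticationPackageName": "NTLM",
     "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2020-01-10T03:14:03", "LogonType": 3,
     "TargetUserName": "administrator", "AuthenticationPackageName": "NTLM",
     "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TimeCreated": "2020-01-10T08:00:00", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "AuthenticationPackageName": "NTLM",
     "IpAddress": "192.168.1.20"},
    {"EventID": 4624, "TimeCreated": "2020-01-10T08:00:01", "LogonType": 10,
     "TargetUserName": "jsmith", "AuthenticationPackageName": "Negotiate",
     "IpAddress": "192.168.1.20"},
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events, window=timedelta(seconds=60)):
    """For every anonymous type-3 4624, look for the follow-up event from the same
    source IP inside `window` and classify it the way the post describes.
    Returns (ip, external, verdict) tuples."""
    results = []
    for e in events:
        if (e["EventID"], e["LogonType"], e["TargetUserName"]) != (4624, 3, "ANONYMOUS LOGON"):
            continue
        t0 = datetime.fromisoformat(e["TimeCreated"])
        verdict = "handshake only: no credentials presented"
        for f in events:
            if f is e or f["IpAddress"] != e["IpAddress"]:
                continue
            delta = datetime.fromisoformat(f["TimeCreated"]) - t0
            if not timedelta(0) <= delta <= window:
                continue
            if f["EventID"] == 4624 and f["TargetUserName"] != "ANONYMOUS LOGON":
                verdict = f"ACCESS: {f['TargetUserName']} logon type {f['LogonType']}"
                break  # a named 4624 is the real logon; stop looking
            if f["EventID"] == 4625:
                verdict = f"failed attempt for {f['TargetUserName']}"
        results.append((e["IpAddress"], is_external(e["IpAddress"]), verdict))
    return results
```

Only the second pair represents real access; the first is an internet source that never got past the password prompt.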


EXAMPLE: 4624 Type 3 - ANONYMOUS LOGON - SMB
To simulate this, I set up two virtual machines: one Windows 10 and one Windows Server 2016.

I attempted to connect to the server's SMB share using the net use command:

The connection was denied. Logging in to the Server 2016 machine to check the event logs, I can see it appears as a 4624 SUCCESSFUL logon, type 3.



EXAMPLE: 4624 Type 3 - ANONYMOUS LOGON - RDP
To simulate this, I set up two virtual machines: one Windows 10 and one Windows Server 2016.

I attempted to connect to the server over RDP via the desktop client. This failed, but a 4624 event was still logged as type 3 ANONYMOUS LOGON. This is because even though the connection is over RDP, the initial logon comes in over 'the internet', i.e. the network, so it is recorded as a network (type 3) logon rather than a type 10 RDP logon.


Comments

  3. Hello, thanks for the great article.
     I have a question; I am not sure if it is related to the article.
     I can see NTLM v1 used in this scenario. Do you think disabling NTLM v1 will somehow avoid such attacks?