This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 9%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESV%3C/text%3E%3C/svg%3E)
I am receiving constant 4625 event log failures in my machine every 10 minutes. The machine lies under the firewall with RDP enabled in it. When I try to check the account name and domain, it is showing as I mentioned in the example i.e If the audit failure is from my domain user account, it should show the username and domain information. But in my case, it is completely different with the different username with numerous characters in it. Kindly suggest a probable reason for this issue. I suspect it may be a brute force attack from outside.
Date Time:14-12-2020 13:26:01
Event Source: Microsoft-Windows-Security-Auditing
Event Category: 12544
Event Type: Information
Event ID: 4625
Event Log Name: HardwareEvents
User: N/A
Computer: *******Hidden for security reasons*******
Description:
An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: *******Hidden for security reasons*******
Account Domain: *******Hidden for security reasons*******
Logon ID: 0x3e7
Logon Type: Advapi
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAYDAxAQNAgDAxAgQAcDA1AQLAYDAGBQMAIEAtAANAcDAEBwQA0CACBwNAgDADBQLAUEAyAQOAEDABBAOAcDA2AwNAMEA4AQMA0HA
Account Domain: 0xc000006d
Failure Information:
Failure Reason: 0xc0000064
Status: %%2313
Sub Status: 4
Process Information:
Caller Process ID: C:\Windows\System32\svchost.exe
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: NT AUTHORITY\SYSTEM
Detailed Authentication Information:
Logon Process: Negotiate
Authentication Package: DOWNLOADER
Transited Services: -
Package Name (NTLM only): 0
Key Length: 0x894
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 73%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESQ%3C/text%3E%3C/svg%3E)
Hi,
Just checking in to see if the information provided was helpful.
If yes, you may accept useful reply as answer, if not, welcome to feedback.
Best Regards,
Sunny
Hi,
Just want to confirm the current situations.
Please feel free to let us know if you need further assistance.
Best Regards,
Sunny
Hi @Spellbound vfx ,
Thanks for posting in Q&A platform.
Based on provided info, as a workaround I would suggest to perform NTLM policy control to completely prevent LM response. Please refer to the detailed steps as below to see if the issue can be resolved:
Firstly, please locate to Local Security Policy-->Local Policy-->Security Options-->Network security: LAN Manager authentication level-->set to Send NTLMv2 response only
And then please locate to Local Security Policy-->Local Policy-->Security Options-->Network security: Restrict NTLM: Incoming NTLM traffic-->set to Deny all accounts
Best Regards,
Sunny
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 8%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
Network Sercurity: Restrict NTLM: Incoming NTLM Traffic.. Block RDP connection. and will Error CredSSP encryption oracle remediation..