TLDR: Windows Server logs show a successful login with a disabled Guest account. Can someone explain this activity?
In our SIEM, I saw the following event below from our Windows 2016 Server (not a DC).
{
"TimeCreated":"2023-05-19T16:09:24.690239100Z",
"EventID":"4624",
"Task":12544,
"Correlation":
{
"ActivityID":"{35d37f4c-fa11-4b8b-a9f3-b622a0c3206f}"
},
"Keywords":"Audit Success",
"Channel":"Security",
"Opcode":"Info",
"Security":"",
"Provider":
{
"Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}",
"Name":"Microsoft-Windows-Security-Auditing"
},
"EventRecordID":1047382761,
"Execution":
{
"ThreadID":3388,
"ProcessID":712
},
"Version":2,
"Computer":"Win Server 2016",
"Level":"Information",
"EventData":
{
"WorkstationName":"workstation 1",
"TargetDomainName":"NT AUTHORITY",
"VirtualAccount":"%%1843",
"SubjectUserSid":"S-1-0-0",
"TargetOutboundDomainName":"-",
"LogonProcessName":"NtLmSsp",
"TargetLinkedLogonId":"0x0",
"ImpersonationLevel":"%%1833",
"TargetUserName":"ANONYMOUS LOGON",
"TargetUserSid":"S-1-5-7",
"IpAddress":"10.5.5.5",
"ProcessId":"0x0",
"KeyLength":"128",
"ProcessName":"-",
"SubjectUserName":"-",
"LogonType":"3",
"TargetOutboundUserName":"-",
"TransmittedServices":"-",
"LogonGuid":"{00000000-0000-0000-0000-000000000000}",
"SubjectLogonId":"0x0",
"ElevatedToken":"%%1843",
"RestrictedAdminMode":"-",
"TargetLogonId":"0x230fd0bae",
"IpPort":"57627",
"AuthenticationPackageName":"NTLM",
"LmPackageName":"NTLM V1",
"SubjectDomainName":"-"
},
"Message":"An account was successfully logged on."
}
From the event above, here is what I'm observing:
- Successful login noted via event ID 4624
- Username used to log in was Anonymous Logon, as indicated by SID S-1-5-7
- The redacted IP address in this case is internal (not an external address)
- Logon type is 3, indicating a network type of logon
- The redacted "Computer" in this case is the server that produced this event. This is the server that's being logged into. This isn't an AD server.
- The redacted WorkstationName, from my digging, is a laptop.
From there, I did some additional research as to why I'm seeing "successful" anonymous logins and ran into this article. The article states that an anonymous logon from an external address to a server that has RDP or SMB open publicly could potentially be benign.
Listed below are some differences from the article and some findings I've had post review:
- The server is not open to the public and the source address is internal
- I was not able to find corresponding event ID 4625s
- I was able to find some corresponding 4624s with \domain\username, but the numbers don't match. For example, I have 10 event ID 4624s with anonymous logon but only 5 event ID 4624s with an actual \domain\username that line up with the date/time. This means that there are 5 other event ID 4624s that don't have a \domain\username.
The question is, does anyone have an explanation of this activity?
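As an added example (not part of the original post, and not run against the poster's SIEM data), the script below applies the correlation described in the last bullet to a handful of constructed 4624 events that use the same EventData field names as the posted record: each ANONYMOUS LOGON (S-1-5-7, LogonType 3) is paired with any named 4624 from the same IpAddress within a 5-second window, and the ones left over with no named logon are reported separately. It also flags records where LmPackageName is "NTLM V1", since NTLMv1 is a weak, deprecated package worth noting regardless of the anonymous-logon question. The user names, SIDs, IPs and the window size are assumptions for the example.

```python
"""Correlate anonymous-logon 4624 events with named 4624 events from the same source IP.

Added example for the post above; constructed events, not real SIEM output.
Field names follow the EventData keys shown in the question.
"""
from datetime import datetime, timedelta, timezone

ANONYMOUS_SID = "S-1-5-7"


def parse_time(ts):
    """Parse TimeCreated as emitted by the SIEM (up to 9 fractional digits, trailing Z)."""
    # datetime.fromisoformat cannot take 7+ fractional digits on older Pythons,
    # so truncate to microseconds and attach UTC explicitly.
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc
    )


def make_event(ts, sid, user, domain, ip, workstation, lm_package):
    """Build a minimal 4624 record in the shape of the posted JSON (constructed data)."""
    return {
        "TimeCreated": ts,
        "EventID": "4624",
        "EventData": {
            "TargetUserSid": sid,
            "TargetUserName": user,
            "TargetDomainName": domain,
            "IpAddress": ip,
            "WorkstationName": workstation,
            "LogonType": "3",
            "LogonProcessName": "NtLmSsp",
            "AuthenticationPackageName": "NTLM",
            "LmPackageName": lm_package,
        },
    }


# Constructed sample: assumed users/SIDs/IPs, not from the poster's environment.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE_EVENTS = [
    make_event("2023-05-19T16:09:24.690239100Z", ANONYMOUS_SID, "ANONYMOUS LOGON", "NT AUTHORITY", "10.5.5.5", "workstation 1", "NTLM V1"),
    make_event("2023-05-19T16:09:25.1020000Z", USER_SID + "1105", "jdoe", "CORP", "10.5.5.5", "workstation 1", "NTLM V2"),
    make_event("2023-05-19T16:09:26.0000000Z", ANONYMOUS_SID, "ANONYMOUS LOGON", "NT AUTHORITY", "10.5.5.5", "workstation 1", "NTLM V1"),
    make_event("2023-05-19T16:10:30.000000000Z", ANONYMOUS_SID, "ANONYMOUS LOGON", "NT AUTHORITY", "10.5.5.5", "workstation 1", "NTLM V1"),
    make_event("2023-05-19T16:12:00.0000000Z", ANONYMOUS_SID, "ANONYMOUS LOGON", "NT AUTHORITY", "10.5.5.9", "laptop-07", "NTLM V1"),
    make_event("2023-05-19T16:12:01.5000000Z", USER_SID + "1231", "asmith", "CORP", "10.5.5.9", "laptop-07", "NTLM V2"),
    make_event("2023-05-19T16:20:00.0000000Z", USER_SID + "1402", "svc_backup", "CORP", "10.5.5.5", "workstation 1", "NTLM V2"),
]


def is_anonymous_network_logon(event):
    data = event["EventData"]
    return (event["EventID"] == "4624"
            and data["TargetUserSid"] == ANONYMOUS_SID
            and data["LogonType"] == "3")


def correlate(events, window=timedelta(seconds=5)):
    """Pair each anonymous network logon with named 4624s from the same IP within +/- window.

    Returns one summary dict per anonymous logon, ordered by time.
    """
    anon = sorted((e for e in events if is_anonymous_network_logon(e)),
                  key=lambda e: parse_time(e["TimeCreated"]))
    named = [e for e in events
             if e["EventID"] == "4624" and e["EventData"]["TargetUserSid"] != ANONYMOUS_SID]
    results = []
    for a in anon:
        t_a = parse_time(a["TimeCreated"])
        ip = a["EventData"]["IpAddress"]
        matches = [n for n in named
                   if n["EventData"]["IpAddress"] == ip
                   and abs(parse_time(n["TimeCreated"]) - t_a) <= window]
        results.append({
            "time": a["TimeCreated"],
            "ip": ip,
            "workstation": a["EventData"]["WorkstationName"],
            "ntlm_v1": a["EventData"].get("LmPackageName") == "NTLM V1",
            "matched_users": [f'{n["EventData"]["TargetDomainName"]}\\{n["EventData"]["TargetUserName"]}'
                              for n in matches],
        })
    return results


def unmatched(results):
    """Anonymous logons with no named 4624 from the same IP inside the window."""
    return [r for r in results if not r["matched_users"]]


if __name__ == "__main__":
    summary = correlate(SAMPLE_EVENTS)
    for r in summary:
        print(r["time"], r["ip"], r["workstation"],
              "NTLMv1" if r["ntlm_v1"] else "", r["matched_users"] or "NO MATCH")
    print(f"{len(unmatched(summary))} of {len(summary)} anonymous logons have no named logon nearby")
```

Two anonymous logons can legitimately pair with the same named logon here (the first two sample records both fall within the window of the jdoe logon), which is one reason a raw count of anonymous versus named 4624s need not line up one-to-one. Against a real export, replace SAMPLE_EVENTS with the parsed SIEM records and widen or narrow the window to match what the source system actually does.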