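For several weeks, all of our DCs have been receiving thousands of failed logon attempts for "Administrator". Event Viewer records the following messages. Note that there are no computers or servers with these names on the network, and they look very generic. We have tried to trace the connections, but ProcessMonitor, anti-malware, internal ports, etc. show nothing. Does anyone have an idea how to trace this further?
Event ID: 4776 Type: Network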
```
Logon Account: Administrator
Source Workstation: Windows2016
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: FreeRDP
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: Windows2012
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: Windows10
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
```
Answer 1
You can run Wireshark on the server and then look for Kerberos traffic. If there are many servers in the domain, this will be a time-consuming approach.
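A triage sketch for exported 4776 text like the records in the question, added here as an example and not part of the original question or answer: it groups failures by account, source workstation and status code, and marks workstation names missing from an inventory. The Source Workstation value in these events is supplied by the connecting client, so generic names that match no real host are expected from non-domain tools; `SAMPLE`, `KNOWN_HOSTS`, `FILESRV01` and `svc_backup` are constructed or hypothetical.

```python
import re
from collections import Counter

# NTSTATUS codes that commonly appear in failed 4776 events.
STATUS = {"0xc0000064": "no such user", "0xc000006a": "wrong password",
          "0xc0000072": "account disabled", "0xc0000234": "account locked out"}
FIELD = re.compile(r"^\s*(Logon Account|Source Workstation|Error Code):\s*(.*?)\s*$")

# Constructed sample; FILESRV01, svc_backup and KNOWN_HOSTS are hypothetical.
SAMPLE = """\
Logon Account: Administrator
Source Workstation: Windows2016
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Logon Account: Administrator
Source Workstation: FreeRDP
Error Code: 0xc000006a
Logon Account: Administrator
Source Workstation: FreeRDP
Error Code: 0xC000006A
Logon Account: svc_backup
Source Workstation: FILESRV01
Error Code: 0xc0000234
"""
KNOWN_HOSTS = ["DC01", "FILESRV01"]

def parse_4776(text):
    """Yield one dict per record; a record ends at its Error Code line."""
    rec = {}
    # Lines that are not one of the three fields (description, package) are skipped.
    for m in filter(None, map(FIELD.match, text.splitlines())):
        rec[m.group(1)] = m.group(2)
        if m.group(1) == "Error Code":
            yield rec
            rec = {}

def summarize(text, known_hosts):
    """Count failures per (account, workstation, status), most frequent first."""
    known = {h.lower() for h in known_hosts}
    counts = Counter(
        (r.get("Logon Account", "?"), r.get("Source Workstation", "?"), r["Error Code"].lower())
        for r in parse_4776(text)
    )
    return [
        {"account": a, "workstation": w, "count": n,
         "reason": STATUS.get(s, s), "unknown_host": w.lower() not in known}
        for (a, w, s), n in counts.most_common()
    ]

print(*summarize(SAMPLE, KNOWN_HOSTS), sep="\n")
```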