@zacharychristensen
Thanks for the response.
Are you ingesting logs from the source IP that is causing the failures?
Yes, both Windows Security logs and Sysmon logs (from several workstations).
Also, are these attempts occurring outside of normal business hours? How frequently are they occurring?
They happen whenever the system is on, whether a user is logged in or not, and about every 30 minutes. Also, they happen even if the system is booted in safe mode (with networking).
I would always err on saying, yes, provide more visibility through other data sources,...
What would you recommend?
Is there any other anomalous activity occurring with this device?
Not that we have noticed.
Have you scanned the device with an AV scanner?
Yes, it comes back clean and the AV software also scans on access.
Does the device also have many local login failures? (event 4625 I believe).
No. And you are correct, EventID 4625.
Do you have endpoint protection software installed on the device?
No.
Are there other devices that are generating a similar error?
Yes. 2 other workstations. Of the 3 total workstations, 2 are used regularly (at the employee's desk) and one is used in a conference room but most of the time it is off unless I'm doing Windows updates to it.
Also, I don't know if it matters, but this domain was originally a Windows 2003 domain that was not raised to the 2008 domain level until 2018 and then to the 2012 domain level in 2019. The domain has never been recreated from scratch (i.e., potential misconfigurations could have been piling up for years).
Thanks again
Edit: fixed formatting
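Since the Sysmon logs from the source workstations are already being collected, one way to turn them into the extra visibility discussed above is to pull Sysmon network-connection events (Event ID 3) to the domain controllers on authentication ports and look at which process and account are behind connections that recur on a fixed cadence. The script below is an added example and is not code from the thread or from either participant; it assumes Sysmon is logging Event ID 3 on the workstation, it is run as Administrator on the affected workstation, and the domain controller addresses (`$DcAddresses`) and the port list are placeholders you replace with your own.

```powershell
# Added example (not from the original thread). Assumptions:
#   - Sysmon is installed and logging network connections (Event ID 3)
#   - $DcAddresses holds your domain controllers' IPs (placeholders below)
#   - run in an elevated PowerShell session on the affected workstation
param(
    [string[]]$DcAddresses = @('192.0.2.10', '192.0.2.11'),   # placeholder DC addresses
    [int]$LookbackHours = 24
)

# Ports a workstation uses to authenticate to a DC: Kerberos, LDAP, SMB, kpasswd, LDAPS
$authPorts = 88, 389, 445, 464, 636

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

# Parse each Sysmon Event 3 into a flat object with the fields we care about.
$connections = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time            = $_.TimeCreated
        Image           = $data['Image']
        User            = $data['User']
        ProcessId       = [int]$data['ProcessId']
        DestinationIp   = $data['DestinationIp']
        DestinationPort = [int]$data['DestinationPort']
    }
} | Where-Object {
    $DcAddresses -contains $_.DestinationIp -and $authPorts -contains $_.DestinationPort
}

# Group by process image and account, then measure the spacing between connections.
# A process whose median gap sits near 30 minutes is the one to look at first.
$connections | Group-Object Image, User | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) {
        ($times[$i] - $times[$i - 1]).TotalMinutes
    })
    $medianGap = $null
    if ($gaps.Count -gt 0) {
        $sorted    = @($gaps | Sort-Object)
        $medianGap = [math]::Round($sorted[[int][math]::Floor($sorted.Count / 2)], 1)
    }
    [pscustomobject]@{
        Image        = $_.Group[0].Image
        User         = $_.Group[0].User
        Connections  = $_.Count
        MedianGapMin = $medianGap
        FirstSeen    = $times[0]
        LastSeen     = $times[-1]
    }
} | Sort-Object Connections -Descending | Format-Table -AutoSize
```

Run it on one of the three affected workstations with the DC addresses filled in; the `Image` and `User` columns for the row whose `MedianGapMin` is close to 30 tell you which process and which account are making the periodic connection, and the matching `ProcessId` in the raw events can then be tied back to Sysmon process-creation events (Event ID 1) to see how that process was started. If the Sysmon log has no Event ID 3 entries at all, network-connection logging is not enabled in the Sysmon configuration on that host and nothing here will match.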