I'm dealing with some frustrating logon failures in Windows and need some help. I'm seeing repeated Event ID 4625 logon failures where one machine keeps trying to authenticate to another using a specific local account (let's call it 'USER'). The attempts fail every few seconds, and the error message says "Unknown username or bad password" with a Logon Type of 3. So far, I've checked the services, scheduled tasks, and the Credential Manager but didn't find any saved credentials. I've also enabled process creation and network auditing, but I still can't figure out which process is making these authentication attempts. I'm looking for recommendations on tools or techniques—like Sysmon, ProcMon, TCPView, Wireshark, etc.—that could help me pinpoint the exact process responsible for these logon attempts. Any tips would be greatly appreciated!
2 Answers
Have you figured out which machine is sending the authentication requests? It might help narrow down where the issue is originating from.
Where are you gathering your logs for analysis?

I got an alert from Wazuh on machine 03, which indicated the logon failure attempt. After that, I checked the Event Viewer manually. I've also installed the Splunk Universal Forwarder on both machine 03 and 05 to help with the logs, which might shed some light on what's happening.

Yes, I found that PBRS05\USER is trying to authenticate to PBRS03. PBRS03 is machine 1 (IP: 0.33), and PBRS05 is machine 2 (IP: 0.55), with 'USER' being the account in PBRS05.
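The correlation the question asks for, as an added example that is not part of the thread: for a Logon Type 3 failure the 4625 event on the target (PBRS03) names the source workstation and IP but not the originating process (its ProcessName field is normally "-"), so the failures are pulled on the target, then matched by timestamp against Sysmon network connections (Event ID 3) and process creations (4688) on the source (PBRS05). Assumed: the account is named USER, Sysmon is installed on PBRS05 with network-connection logging enabled, and 4688 auditing is on there; the two halves run on different machines.

```powershell
# Added example, not the poster's own script. Assumes account 'USER', target PBRS03,
# source PBRS05 with Sysmon (Event ID 3) and process-creation auditing (4688) enabled.
$TargetUser = 'USER'

# Helper: flatten the EventData of a Windows event into a hashtable keyed by field name.
function Get-EventData($Event) {
  $x = [xml]$Event.ToXml(); $d = @{}
  foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
  return $d
}

# --- Part 1: run on the TARGET (PBRS03). Parse 4625 and keep Logon Type 3 for USER.
#     SubStatus tells bad password (0xC000006A) from unknown user (0xC0000064).
$failures = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625 } -MaxEvents 500 |
  ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
      Time        = $_.TimeCreated
      TargetUser  = $d.TargetUserName
      LogonType   = $d.LogonType
      SourceHost  = $d.WorkstationName
      SourceIp    = $d.IpAddress
      SubStatus   = $d.SubStatus
      AuthPackage = $d.AuthenticationPackageName   # NTLM vs Kerberos narrows the client
      LogonProc   = $d.LogonProcessName
    }
  } | Where-Object { $_.TargetUser -eq $TargetUser -and $_.LogonType -eq '3' }

$failures | Format-Table Time, SourceHost, SourceIp, SubStatus, AuthPackage, LogonProc -AutoSize
# Carry the list to the source machine, e.g. $failures | Export-Clixml failures.xml

# --- Part 2: run on the SOURCE (PBRS05). For each failure, list outbound connections and
#     new processes within +/-3 s; the repeating Image/NewProcessName is the culprit.
foreach ($f in $failures | Select-Object -First 5) {
  $start = $f.Time.AddSeconds(-3); $end = $f.Time.AddSeconds(3)
  Write-Host "--- failure at $($f.Time) from $($f.SourceIp)"
  Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=3;
                                   StartTime=$start; EndTime=$end } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
      "{0}  {1} (PID {2}) -> {3}:{4}" -f $_.TimeCreated, $d.Image, $d.ProcessId, $d.DestinationIp, $d.DestinationPort }
  Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$start; EndTime=$end } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_
      "{0}  started {1} as {2}" -f $_.TimeCreated, $d.NewProcessName, $d.SubjectUserName }
}
```

If nothing lines up in the 4688 window, the requester is a long-running process or service, and only the Sysmon Event ID 3 matches (by Image and PID) will identify it.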