• Support
  • Forums
  • Blogs

Unable to find cause of Bruteforce alerts


New Life Form
Hi AV Community!

We've been having a ton of alerts generated from our exchange server. They are all "AlienVault HIDS: Logon Failure - Unknown user or bad password." alerts.

The alerts seem to indicate the server is failing a password attempt as the local system account against w3wp.exe which relates to IIS. Switching IIS off on this server stops the alerts so there's definitely something trying to authenticate there. The server uses OWA so leaving IIS off permanently isn't an option. I've been through all the windows logs and IIS logs and cannot find the authentication failure AV is detecting.

We have a second exchange server for load balancing which is identical to this one and isn't generating any alerts. Has anyone seen this before or have any ideas what's going on here?

We're updated AV to the latest version.


Raw log:

AV - Alert - "1530624734" --> RID: "18130"; RL: "5"; RG: "windows,win_authentication_failed,"; RC: "Logon Failure - Unknown user or bad
password."; USER: "(no user)"; SRCIP: "-"; HOSTNAME: "(exc-02)>WinEvtLog"; LOCATION: "(exc-02)>WinEvtLog";
EVENT: "[INIT]2018 Jul 03 14:31:56 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain:
EXC-02.domain.co.uk: An account failed to log on. Subject:  Security ID:  S-1-5-18  Account Name:  EXC-02$  Account Domain:  domain  Logon ID: 
0x3e7  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:    Account Domain:    Failure Information: 
Failure Reason:  %%2305  Status:   0xc0000193  Sub Status:  0xc0000193  Process Information:  Caller Process ID: 0x3228  Caller Process Name:
C:\Windows\System32\inetsrv\w3wp.exe  Network Information:  Workstation Name: EXC-02  Source Network Address: -  Source Port:  -  Detailed
Authentication Information:  Logon Process:  Authz     Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key
Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted.  [END]"; 

Share post:

Sign In or Register to comment.