We've been having a ton of alerts generated from our exchange server. They are all "AlienVault HIDS: Logon Failure - Unknown user or bad password." alerts.
The alerts seem to indicate the server is failing a password attempt as the local system account against w3wp.exe, which relates to IIS. Switching IIS off on this server stops the alerts, so there's definitely something trying to authenticate there. The server uses OWA, so leaving IIS off permanently isn't an option. I've been through all the Windows logs and IIS logs and cannot find the authentication failure AV is detecting.
We have a second exchange server for load balancing which is identical to this one and isn't generating any alerts. Has anyone seen this before or have any ideas what's going on here?
We've updated AV to the latest version.
AV - Alert - "1530624734" --> RID: "18130"; RL: "5"; RG: "windows,win_authentication_failed,"; RC: "Logon Failure - Unknown user or bad
password."; USER: "(no user)"; SRCIP: "-"; HOSTNAME: "(exc-02) 10.32.2.22->WinEvtLog"; LOCATION: "(exc-02) 10.32.2.22->WinEvtLog";
EVENT: "[INIT]2018 Jul 03 14:31:56 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain:
EXC-02.domain.co.uk: An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: EXC-02$ Account Domain: domain Logon ID:
0x3e7 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Account Domain: Failure Information:
Failure Reason: %%2305 Status: 0xc0000193 Sub Status: 0xc0000193 Process Information: Caller Process ID: 0x3228 Caller Process Name:
C:\Windows\System32\inetsrv\w3wp.exe Network Information: Workstation Name: EXC-02 Source Network Address: - Source Port: - Detailed
Authentication Information: Logon Process: Authz Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key
Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. [END]";
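As an added example that is not part of the post (and not AlienVault's or OSSEC's code), a small Python decoder for alerts of this shape. It splits the HIDS envelope (RID, LOCATION, EVENT, ...) from the Windows event text, looks up the NTSTATUS in the Status/Sub Status fields and the Logon Type against the documented Windows tables, and reports the caller process, so the alert itself says what the failure means: 0xc0000193 is STATUS_ACCOUNT_EXPIRED, not a bad password. The field names are the documented 4625 ones; the regexes and the field layout they assume (the flattened one-line form the HIDS produces) are my own.

```python
"""Triage helper for HIDS alerts that wrap a Windows Security event 4625.

Added example, not from the post: parses the alert envelope and the flattened
event text, decodes Status/Sub Status and Logon Type, names the caller process.
"""
import re
from typing import Dict

# NTSTATUS values that event 4625 reports in Status / Sub Status (Windows NTSTATUS reference).
NTSTATUS_MEANING = {
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name but wrong password",
    0xC000006D: "bad user name or authentication information",
    0xC000006E: "account restriction (e.g. blank password not permitted)",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from an unauthorised workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000224: "password must be changed at next logon",
    0xC0000234: "account locked out",
}

# Logon Type numbers used by the Security log.
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
              8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
              11: "CachedInteractive"}

# Top-level KEY: "value" pairs of the alert envelope; the EVENT value holds no
# double quotes, so one pass captures it whole.
ENVELOPE = re.compile(r'(\w+): "([^"]*)"')


def _grab(pattern: str, text: str) -> str:
    """First capture group of pattern in text, or '' when absent."""
    m = re.search(pattern, text)
    return (m.group(1) or "").strip() if m else ""


def _status(hex_text: str) -> str:
    """Documented meaning of an NTSTATUS written as '0x...'; '' if none present."""
    return NTSTATUS_MEANING.get(int(hex_text, 16), "unrecognised NTSTATUS") if hex_text else ""


def parse_4625(event: str) -> Dict[str, object]:
    """Pull the triage-relevant fields out of the flattened 4625 text."""
    e = " ".join(event.split())  # undo line wrapping from the SIEM or mail client
    logon_type = int(_grab(r"Logon Type:\s*(\d+)", e) or 0)
    status = _grab(r"(?<!Sub )Status:\s*(0x[0-9A-Fa-f]+)", e)
    sub_status = _grab(r"Sub Status:\s*(0x[0-9A-Fa-f]+)", e)
    return {
        "event_id": int(_grab(r"AUDIT_FAILURE\((\d+)\)", e) or 0),
        # Subject = the account that requested the logon (here the machine account).
        "subject_account": _grab(r"Subject:\s*Security ID:\s*\S+\s*Account Name:\s*(.*?)\s+Account Domain:", e),
        # Target = the account that failed; both SID and name may be blank.
        "target_sid": _grab(r"Account For Which Logon Failed:\s*Security ID:\s*(S-[\d-]+)?", e),
        "target_account": _grab(r"Account For Which Logon Failed:.*?Account Name:\s*(.*?)\s+Account Domain:", e),
        "logon_type": LOGON_TYPE.get(logon_type, f"unknown ({logon_type})"),
        "status": status, "status_meaning": _status(status),
        "sub_status": sub_status, "sub_status_meaning": _status(sub_status),
        "logon_process": _grab(r"Logon Process:\s*(\S+)", e),
        "auth_package": _grab(r"Authentication Package:\s*(\S+)", e),
        "caller_process": _grab(r"Caller Process Name:\s*(\S+)", e),
        "source_address": _grab(r"Source Network Address:\s*(\S+)", e),
    }


def triage(alert: str) -> Dict[str, object]:
    """Combine envelope and event fields and add a one-line summary."""
    env = dict(ENVELOPE.findall(alert))
    loc = re.match(r"\((.*?)\)\s*(\S+)->(\S+)", env.get("LOCATION", ""))
    f = parse_4625(env.get("EVENT", ""))
    f.update({"rule_id": env.get("RID", ""), "rule_level": env.get("RL", ""),
              "agent": loc.group(1) if loc else "", "agent_ip": loc.group(2) if loc else ""})
    f["summary"] = (f"{f['agent']}: {f['event_id']} {f['logon_type']} logon via {f['logon_process']}/"
                    f"{f['auth_package']} from {f['caller_process'] or '?'} failed with {f['status']} "
                    f"({f['status_meaning']}); target '{f['target_account']}' [{f['target_sid']}], "
                    f"subject {f['subject_account']}, source {f['source_address']}")
    return f


# The alert from the post, reproduced as one line (only the line wrapping differs).
SAMPLE_ALERT = (
    'AV - Alert - "1530624734" --> RID: "18130"; RL: "5"; RG: "windows,win_authentication_failed,"; '
    'RC: "Logon Failure - Unknown user or bad password."; USER: "(no user)"; SRCIP: "-"; '
    'HOSTNAME: "(exc-02) 10.32.2.22->WinEvtLog"; LOCATION: "(exc-02) 10.32.2.22->WinEvtLog"; '
    'EVENT: "[INIT]2018 Jul 03 14:31:56 WinEvtLog: Security: AUDIT_FAILURE(4625): '
    'Microsoft-Windows-Security-Auditing: (no user): no domain: EXC-02.domain.co.uk: An account failed '
    'to log on. Subject: Security ID: S-1-5-18 Account Name: EXC-02$ Account Domain: domain Logon ID: '
    '0x3e7 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: '
    'Account Domain: Failure Information: Failure Reason: %%2305 Status: 0xc0000193 Sub Status: '
    '0xc0000193 Process Information: Caller Process ID: 0x3228 Caller Process Name: '
    'C:\\Windows\\System32\\inetsrv\\w3wp.exe Network Information: Workstation Name: EXC-02 '
    'Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Authz '
    'Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 '
    'This event is generated when a logon request fails. It is generated on the computer where access '
    'was attempted. [END]";'
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Run against the alert above, the summary reads the failure as a Network logon via Authz/Kerberos from w3wp.exe whose target account is blank (S-1-0-0) and whose status is "account expired", which differs from the rule's "bad password" wording and points the investigation at whatever account the IIS worker process is authorizing against rather than at password guessing. On the server itself the same event can be located with Get-WinEvent by filtering the Security log on EventID 4625 and the Status data field.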