Access to Administrator account from unknown computer names
For a few weeks all our DCs have received thousands of failed logins for "Administrator". Event Viewer logs the messages below. NOTE: we have no computers or servers on the network with these names; they seem very generic. We have tried to trace the connections, but ProcessMonitor, Antimalware, internal ports etc. show nothing. Anyone with ideas how to trace this further?
```
EventID: 4776 Type: NETWORK
Logon Account: Administrator
Source Workstation: Windows2016
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: FreeRDP
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: Windows2012
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: Windows10
Error Code: 0xc000006a
The computer attempted to validate the credentials for an account.
```
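Event 4776 records NTLM credential validation (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) and carries no source address, and its workstation field is whatever the client put in the NTLM message, which is why the names look generic; the 4625 failed-logon events on the DC, or on the member server that accepted the connection, do carry an IpAddress field. The following PowerShell is an added example, not from the original thread: it reads both event types from a DC via their typed EventData fields and joins them by account, workstation name and time to surface candidate source addresses (DC name, look-back window and join window are assumptions to adjust).

```powershell
# Added example: run in an elevated PowerShell on a domain controller (or set $ComputerName).
$ComputerName  = $env:COMPUTERNAME      # assumption: local DC; any DC name works
$Since         = (Get-Date).AddHours(-24)
$WindowSeconds = 2                      # assumption: 4776 and 4625 land within 2 s of each other

function Get-SecurityEventData {
    param([string]$Computer, [int]$Id, [datetime]$Start, [string[]]$Fields)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Start } |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data   # typed fields, no message-text regex
        $row = [ordered]@{ Time = $_.TimeCreated }
        foreach ($f in $Fields) { $row[$f] = ($data | Where-Object { $_.Name -eq $f }).'#text' }
        [pscustomobject]$row
    }
}

# 4776: account, client-supplied workstation name and NTSTATUS (0x0 = success), but no address.
$ntlm = Get-SecurityEventData $ComputerName 4776 $Since 'TargetUserName','Workstation','Status' |
        Where-Object { $_.Status -ne '0x0' }
"[4776] failed validations by client-supplied workstation name"
$ntlm | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4625: failed logons this DC handled itself; IpAddress is the TCP peer, LogonType 3 = network.
$failed = Get-SecurityEventData $ComputerName 4625 $Since 'TargetUserName','WorkstationName','IpAddress','LogonType'
"[4625] failed logons by source address and workstation name"
$failed | Group-Object IpAddress, WorkstationName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Join 4776 to 4625 on account + workstation name within $WindowSeconds to get candidate addresses.
"[join] candidate source addresses per 4776 workstation name"
$ntlm | Group-Object Workstation | ForEach-Object {
    $name = $_.Name
    $hits = foreach ($e in $_.Group) {
        $failed | Where-Object { $_.WorkstationName -eq $name -and $_.TargetUserName -eq $e.TargetUserName -and
                                 [math]::Abs(($_.Time - $e.Time).TotalSeconds) -le $WindowSeconds }
    }
    [pscustomobject]@{ Workstation = $name; Addresses = (($hits.IpAddress | Sort-Object -Unique) -join ', ') }
} | Format-Table -AutoSize
# An empty Addresses column means the NTLM request was passed through from a member server (an
# RDP host, file server or web server): that server's own 4625 events hold the IpAddress. Enabling
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain" also writes event 8004
# to Microsoft-Windows-NTLM/Operational on the DC, whose "Secure Channel name" names that server.
```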
You can run Wireshark on the server, and then look for Kerberos traffic. This will be a time consuming approach if you have lots of servers in the Domain.