If it is a network logon, it's probably not from the same user but from different accounts. Pls double check Account Name and Initiator Username, which may be a system user ending in $. In your search add all the custom properties you need to see differences in your events. The standard grouping may lead you in the wrong direction for those events that look the same but are not. If still in doubt, send a full export to my personal mailbox and I may have a look. BTW 100s of events are quite normal. 100s of events in the same second may be something to think about, e.g. a runaway process or application.
Original Message:
Sent: Fri September 15, 2023 03:08 AM
From: Sai Kiran
Subject: Source and Destination port Zero and User=ANONYMOUS LOGON
We often see the 2nd case, but around 100s of events are populating on QRadar. The source IP and destination IP involved are the same, but multiple events with different IPs are generated under one username within 30 sec. Network logon type is 3 and the event name is User/admin login successful. What kind of activity is done by the user in this case? Kindly explain. Thanks in advance, waiting for your reply.
------------------------------
Sai Kiran
Original Message:
Sent: Thu March 16, 2023 10:33 AM
From: Karl Jaeger
Subject: Source and Destination port Zero and User=ANONYMOUS LOGON
Paul, it's quite simple. If source and dest port are the same, the message is coming from the server itself (case 2) rather than hitting the server over the network (case 1).
In your sample, case 1 is a network logon (type 3). In your case 2 the anonymous logon is being executed on the AD server itself. Pls also note the hint at the end of log record 2:
The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections.
NTLM authentication should be minimized for security reasons and whenever possible replaced by LDAP.
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
Original Message:
Sent: Wed March 08, 2023 11:55 AM
From: Paul Jeyasingh
Subject: Source and Destination port Zero and User=ANONYMOUS LOGON
Often I see that the Destination Port value is 0. What does this signify? Sometimes Source Port and Destination Port both have 0 as a value. What does this mean?
Below is the Payload Information from both:
Source Port: 59157 and Destination Port: 0 - Src and Dst are different.
xxxx6.15 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.1.22 Source=Microsoft-Windows-Security-Auditing Computer=xxxx.xxxx OriginatingComputer=xxxx6.15 User= Domain= EventID=4624 EventIDCode=4624 EventType=8 EventCategory=12544 RecordNumber=1217234333 TimeGenerated=1678292511 TimeWritten=1678292511 Level=Log Always Keywords=Audit Success Task=SE_ADT_LOGON_LOGON Opcode=Info Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: XXXXXXX Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: XXXXX-XXX Source Network Address: xxxx58.89 Source Port: 59157 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Source Port: 0 and Destination Port: 0 - Src and Dst IP are same.
xxxx6.15 AgentDevice=WindowsLog AgentLogFile=Directory Service PluginVersion=7.3.1.22 Source=Microsoft-Windows-ActiveDirectory_DomainService Computer=xxxx.xxxx OriginatingComputer=xxxx6.15 User=ANONYMOUS LOGON Domain=NT AUTHORITY EventID=2147486688 EventIDCode=3040 EventType=2 EventCategory=16 RecordNumber=21110 TimeGenerated=1677788421 TimeWritten=1677788421 Level=Warning Keywords=Classic Task=LDAP_INTERFACE_CATEGORY Opcode=Info Message=During the previous 24 hours period, 2 unprotected LDAPS binds were performed. This directory server is not currently configured to enforce validation of Channel Binding Tokens. The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server. For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.
------------------------------
Paul Jeyasingh
------------------------------
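As an added example (not code from any poster in this thread), a small Python parser for WinCollect payloads like the two above: it pulls out the fields Karl points at (the New Logon account name, logon type, source address and port, and whether the account is a computer account ending in $), tells a remote type-3 logon (case 1) apart from the Directory Service 3040 notice the DC writes about itself (case 2), and counts 4624s per account, source IP and second to surface the runaway-process burst mentioned at the top of the thread. All payloads, host names and addresses in it are constructed placeholders modelled on the records Paul posted.

```python
import re
from collections import Counter
# Labels that appear in a 4624 Message; a field value runs until the next known label.
LABELS = ["Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Information", "Logon Type",
          "New Logon", "Network Information", "Workstation Name", "Source Network Address", "Source Port",
          "Detailed Authentication Information", "Logon Process", "Authentication Package"]
NEXT_LABEL = r"(?= (?:" + "|".join(map(re.escape, LABELS)) + r"):|$)"

def field(text, label):
    """Value following 'label:' in a WinCollect Message, or None if the label is absent."""
    m = re.search(re.escape(label) + r": (.*?)" + NEXT_LABEL, text)
    return m.group(1) if m else None

def parse_payload(payload):
    """Header key=value pairs (first token of multi-word values) plus the logon fields worth grouping on."""
    header, _, message = payload.partition(" Message=")
    ev = dict(re.findall(r"(\w+)=(\S*)", header))
    new_logon = message.split("New Logon:", 1)[-1]  # skip the Subject block, which also has an Account Name
    ev["account"] = field(new_logon, "Account Name")
    ev["logon_type"], ev["auth_pkg"] = field(message, "Logon Type"), field(message, "Authentication Package")
    ev["src_ip"], ev["src_port"] = field(message, "Source Network Address"), field(message, "Source Port")
    return ev

def classify(ev):
    """Case 1 vs case 2 from the thread: a logon over the network vs a notice the DC writes about itself."""
    if ev.get("EventID") == "4624":
        kind = "network logon (type 3)" if ev["logon_type"] == "3" else f"local logon (type {ev['logon_type']})"
        if ev["account"] and ev["account"].endswith("$"):
            kind += " by computer account"  # machine accounts end in $, not a human user
        return f"{kind} {ev['account']} from {ev['src_ip']}:{ev['src_port']} via {ev['auth_pkg']}"
    if ev.get("EventIDCode") == "3040":
        return "directory-service summary of unprotected LDAPS binds, local to the DC (no peer, so ports 0/0)"
    return "unclassified"

def bursts(events, threshold=3):
    """4624 counts per (account, source IP, second) at or above threshold; hundreds in one second is the smell."""
    c = Counter((e["account"], e["src_ip"], e["TimeGenerated"]) for e in events if e.get("EventID") == "4624")
    return {k: n for k, n in c.items() if n >= threshold}

def sample_4624(ts, src_ip, port, account):
    """Constructed payload modelled on the 4624 in the thread; host names and addresses are placeholders."""
    return (f"10.0.0.15 AgentDevice=WindowsLog AgentLogFile=Security Computer=dc01.example.test EventID=4624 "
            f"EventIDCode=4624 TimeGenerated={ts} Message=An account was successfully logged on. Subject: "
            f"Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 "
            f"New Logon: Security ID: S-1-0-0 Account Name: {account} Account Domain: NT AUTHORITY Logon ID: 0x1 "
            f"Network Information: Workstation Name: WS-01 Source Network Address: {src_ip} Source Port: {port} "
            f"Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM")

# Constructed payload modelled on the Directory Service 3040 record in the thread (it carries no logon fields).
SAMPLE_3040 = ("10.0.0.15 AgentDevice=WindowsLog AgentLogFile=Directory Service Computer=dc01.example.test "
               "EventID=2147486688 EventIDCode=3040 TimeGenerated=1677788421 Message=During the previous 24 hours period, 2 unprotected LDAPS binds were performed.")
```

Feed it the raw payload column of a QRadar export and group on the returned account, src_ip and TimeGenerated instead of the default grouping to see which of the look-alike events actually differ.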