I have a server that keeps getting failed login events (4625). They occur roughly every 20-30 minutes daily. Also appears to be on a schedule.
I've tried deleting stored credentials. Disabling RDS. I've tried locating a pattern with Procmon and Wireshark, and at one point thought it might be the services for Labtech (ConnectWise Automate) but disabling this temporarily didn't make a difference.
An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: SERVER$
    Account Domain: DOMAIN
    Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064
Process Information:
    Caller Process ID: 0x2f4
    Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
    Workstation Name: SERVER
    Source Network Address: -
    Source Port: -
Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
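One way to test the "on a schedule" observation against exported events, as an added example that is not part of the original post: it parses the message text of 4625 events, groups them by logon process, caller process, sub status and target account, and reports the median gap between occurrences. The function names are hypothetical, and the sample text and timestamps are constructed.

```python
from datetime import datetime
from statistics import median

# Meanings Microsoft documents for these Status / Sub Status values in event 4625.
NTSTATUS = {"0xC000006D": "bad user name or authentication information",
            "0xC0000064": "user name does not exist"}
SECTIONS = {"Subject", "Logon Type", "Account For Which Logon Failed",
            "Failure Information", "Process Information",
            "Network Information", "Detailed Authentication Information"}

def parse_4625(message):
    """Parse the 'Key: Value' text of one event into {'Section/Key': value}."""
    fields, section = {}, ""
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in SECTIONS:  # header line (Logon Type carries its own value)
            section, fields[key] = key, value.strip()
        elif sep:
            fields[f"{section}/{key}"] = value.strip()
    return fields

def fingerprint(f):
    """Fields that together identify one recurring source of failures."""
    sub = f.get("Failure Information/Sub Status", "")
    return (f.get("Detailed Authentication Information/Logon Process"),
            f.get("Process Information/Caller Process Name"),
            NTSTATUS.get(sub, sub),
            f.get("Account For Which Logon Failed/Account Name") or "<empty>")

def schedule(events):
    """[(timestamp, message)] -> {fingerprint: (count, median gap in minutes)}."""
    seen = {}
    for ts, msg in events:
        seen.setdefault(fingerprint(parse_4625(msg)), []).append(ts)
    result = {}
    for fp, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        result[fp] = (len(stamps), median(gaps) if gaps else None)
    return result

# Constructed sample: a shortened copy of the event above at invented timestamps.
SAMPLE = """Account For Which Logon Failed:
Account Name:
Failure Information:
Sub Status: 0xC0000064
Process Information:
Caller Process Name: C:\\Windows\\System32\\lsass.exe
Detailed Authentication Information:
Logon Process: Schannel"""
EVENTS = [(datetime(2024, 1, 1, 9, m), SAMPLE) for m in (0, 25, 50)]
```

A single fingerprint with a steady median gap points to one scheduled caller, while several fingerprints mean the failures have more than one source.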
Best Answer
As you mentioned, very little useful information is provided in this event. What we can see is:
Therefore the only "clues" that I can suggest to you are: