Hello,
Recently, I handled an event involving NTLM authentication failures, primarily identified through Event ID 4625, with some successful authentications logged under Event ID 4624. The investigation was triggered by a User Behavior Analytics (UBA) alert due to a new authentication pattern.
Upon deeper analysis, I discovered that the user account in question was attempting to authenticate across nearly all machines in the environment. After engaging with the user, it was revealed that they were using Advanced IP Scanner, which explained the widespread authentication attempts.
Notably:
- The Process ID in the 4625 events was
0x0, indicating no specific process was logged. - No additional logs were found beyond Event IDs 4624 and 4625.
I then verified the presence of Sysmon, and confirmed that Sysmon64 was running and configured. However, upon querying the logs, I noticed that several critical Event IDs were missing, including:
- 5140 – Network share object accessed
- 5145 – Detailed file share access
- 7045 – New service installation
…and others relevant to lateral movement and persistence detection.
Please suggest