I have a very awkward situation. I want to find the application and/or IP address attempting to break in.
We have a WEB server, running IIS 7 on a 2008R2 domain. We are (still) using NTLM.
Analyzing the WEB event log, we have multiple and systematic failed login attempts, using dictionaries and the NTLM protocol, trying to get server access and consequently, the Domain Controller also receiving and recording the attempt.
I have every (known to me) log active; however, there is no record of any application recording the failure: checking a random event ID 4625, I found a unique username, 'GOLF3723', and performed a text search for that word on every log file on my system with no luck.
These are the locations being searched:
"\\server\admin$\Logs"
"\\server\admin$\Tracing"
"\\server\admin$\System32\LogFiles"
"\\server\c$\inetpub\logs\LogFiles"
I also activated NTLM Audit, but there is nothing in the event log that will allow us to identify the failed login attempts.
Any method to force the NTLM protocol to be more verbose? Any other method to find the culprit(s)?
Netlogon debug should have ip addresses. https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service
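An added example, not part of the question or the answer above: once Netlogon debug logging is on, the DC's netlogon.log records a "Returns <NTSTATUS>" line per logon attempt, and this Python script aggregates the failed ones per reported source. The line format is assumed from typical netlogon.log output, the sample lines are constructed, and the "from" field is whatever the client reported (a workstation name or address), so it needs to be read together with the "via" server that forwarded the request.

```python
import re
from collections import Counter

# Matches netlogon.log "Returns" lines; format assumed from typical output, e.g.
# 05/10 11:07:43 [LOGON] [2332] CONTOSO: SamLogon: Network logon of CONTOSO\GOLF3723 from SCANNER01 (via WEB01) Returns 0xC000006A
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] \S+: "
    r"SamLogon: (?:Transitive )?Network logon of (?P<domain>[^\\]+)\\(?P<user>\S+) "
    r"from (?P<source>\S*) \(via (?P<via>[^)]+)\) Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Well-known NTSTATUS values seen on failed NTLM logons.
FAILURE_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample lines (hypothetical domain, hosts and users).
SAMPLE_LOG = """\
05/10 11:07:43 [LOGON] [2332] CONTOSO: SamLogon: Network logon of CONTOSO\\GOLF3723 from SCANNER01 (via WEB01) Returns 0xC0000064
05/10 11:07:44 [LOGON] [2332] CONTOSO: SamLogon: Network logon of CONTOSO\\admin from SCANNER01 (via WEB01) Returns 0xC000006A
05/10 11:07:45 [LOGON] [2332] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\jsmith from WKS07 (via WEB01) Returns 0x0
05/10 11:07:46 [LOGON] [2332] CONTOSO: SamLogon: Network logon of CONTOSO\\root from  (via WEB01) Returns 0xC0000064
""".splitlines()

def parse_failed_logons(lines):
    """Return one dict per failed logon (status other than 0x0) in netlogon.log lines."""
    failures = []
    for line in lines:
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        code = int(m.group("status"), 16)
        if code == 0:  # 0x0 is a successful logon
            continue
        failures.append({
            "time": m.group("ts"),
            "user": m.group("domain") + "\\" + m.group("user"),
            "source": m.group("source") or "<blank>",  # client-reported, may be empty
            "via": m.group("via"),                      # server that forwarded the auth
            "status": FAILURE_NAMES.get(code, m.group("status")),
        })
    return failures

def failures_by_source(failures):
    """Count failures per (source, via) pair to surface the noisiest client."""
    return Counter((f["source"], f["via"]) for f in failures)

if __name__ == "__main__":
    for (src, via), n in failures_by_source(parse_failed_logons(SAMPLE_LOG)).most_common():
        print(f"{n:4d} failures from {src} via {via}")
```

On a real DC, replace SAMPLE_LOG with the lines of %SystemRoot%\debug\netlogon.log and compare the timestamps with the IIS W3C log's c-ip field on the web server named in "via".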