Posted 11 August 2024 - 06:23 PM
I don't use RDP. My IT guy connects to my laptop when needed, but it doesn't use windows login. I have to authorize him when it pops up on my screen. I'm the only one using this laptop here.
Posted 11 August 2024 - 06:37 PM
Do the Event Log entries show the IP address of the client device that tried to logon?
- Use this to collect and post information about your PC hardware, software and configuration (Whether or not you have crashing).
Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 & Vista
Posted 11 August 2024 - 06:43 PM
We could ask you more questions about your event log entries, but what might be easier would be if you Exported your Security and System logs and uploaded the .evtx files here for us to look at. You could send them privately by IM so no one other than the helpers here could see them.
Posted 11 August 2024 - 06:52 PM
Sure. I can send them privately. Would I be sending them to you? How would the other helpers see them?
Posted 11 August 2024 - 06:54 PM
You could start by sending them to me. Remember, I'm not looking for .txt files, but .evtx files. The latter we can open directly in Event Viewer, where we can filter and read them much more easily.
Edited by Shplad, 11 August 2024 - 07:20 PM.
Posted 11 August 2024 - 06:55 PM
I have already exported them. Waiting to send. Can't add attachments to IMs?
Posted 11 August 2024 - 07:37 PM
-ignore-
Edited by Shplad, 11 August 2024 - 07:39 PM.
Posted 11 August 2024 - 07:40 PM
No. Not at all. I didn't touch the user accounts, let alone assign privileges.
Though today, I'm logged in with my user name (Administrator privilege) and I tried going into a folder, to which it said that I need admin privileges to view it, would you like to view it? Yes, then it said to click yes to allow me to view it. Was weird.
Posted 11 August 2024 - 07:43 PM
That is perfectly normal behaviour. It's Windows' way of verifying you're not malware trying to make changes.
Posted 11 August 2024 - 07:46 PM
Back to the event logs, here's what I got from Perplexity.ai when I asked if it was normal to get failed logon attempts via the Guest account:
It is not normal for Windows event logs to consistently show failed logons via the Guest account, especially when the account is disabled. This behavior can indicate various issues:
- Network Connections: Failed logon attempts using the Guest account can occur due to network connections, especially if a shared folder includes permissions for "Everyone," which might trigger attempts to access the share using the Guest account.
- Internal Network Activity: Such logon failures might originate from within the internal network, suggesting that an unknown computer or service is attempting to access resources on the server.
- External Access Attempts: If the server is exposed to the internet, such as having open ports for Remote Desktop Protocol (RDP), it might be subject to brute force attacks or unauthorized access attempts, resulting in numerous failed logon attempts.
- Configuration or Monitoring Tools: Monitoring tools or misconfigured services might inadvertently trigger these logon attempts. For example, certain security tools or scripts might attempt to validate credentials using the Guest account, leading to these logs.
In summary, while occasional failed logon attempts might happen under specific conditions, a high number of such events, especially when the Guest account is disabled, is not typical and should be investigated to ensure there are no security vulnerabilities or misconfigurations in the network.
Edited by Shplad, 11 August 2024 - 07:47 PM.
Posted 11 August 2024 - 07:50 PM
Posted 11 August 2024 - 07:50 PM
Well, that's not good. Something that I was suspecting. #2 can be ruled out, as there is no internal network here. It's just me.
How do we pinpoint this? Not really feeling comfortable here.
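One way to pinpoint where the failed Guest logons discussed in this thread come from, as an added example that is not part of any post: group the failed-logon events (Security event ID 4625) by account, source address and logon type. The function name, the `Security.evtx` file name and the sample events are assumptions constructed for illustration.

```powershell
# Added example: summarize failed logons (event ID 4625) from event XML strings.
# Real input from an exported log (file name is an assumption):
#   Get-WinEvent -Path .\Security.evtx -FilterXPath '*[System[EventID=4625]]' |
#       ForEach-Object { $_.ToXml() } | Get-FailedLogonSummary -Account Guest
$LogonTypeName = @{ '2' = 'Interactive (console)'; '3' = 'Network (e.g. file share)'
                    '10' = 'RemoteInteractive (RDP)' }

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml,
        [string] $Account = '*'          # wildcard filter on TargetUserName
    )
    begin { $rows = @() }
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System['EventID'].InnerText -ne '4625') { return }
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if ($data.TargetUserName -notlike $Account) { return }
        $rows += [pscustomobject]@{
            Account   = $data.TargetUserName
            SourceIp  = $data.IpAddress   # '-' means no network address was recorded
            LogonType = $data.LogonType
        }
    }
    end {
        foreach ($g in $rows | Group-Object Account, SourceIp, LogonType | Sort-Object Count -Descending) {
            $r = $g.Group[0]
            [pscustomobject]@{
                Count = $g.Count; Account = $r.Account; SourceIp = $r.SourceIp
                LogonType = "$($r.LogonType) $($LogonTypeName[$r.LogonType])"
            }
        }
    }
}

# Constructed sample events (not taken from the poster's logs).
function New-SampleEvent($User, $Ip, $Type) {
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><EventID>4625</EventID></System><EventData>
<Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>$Type</Data>
<Data Name='IpAddress'>$Ip</Data></EventData></Event>
"@
}
$sample = @(New-SampleEvent 'Guest' '203.0.113.7' 3; New-SampleEvent 'Guest' '203.0.113.7' 3
            New-SampleEvent 'Guest' '-' 2; New-SampleEvent 'alice' '203.0.113.7' 10)
$sample | Get-FailedLogonSummary -Account Guest | Format-Table -AutoSize
```

A source address other than `-` combined with logon type 3 or 10 points at a remote client, which is what the question about client IP addresses earlier in the thread is trying to establish.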
Posted 11 August 2024 - 07:55 PM
What's this?
That post is blank.
I see nothing obvious here yet, though I'm not a security expert. Dan? Are you around?
I'm still browsing through your event logs.