![]() ![]() Open the Windows Task Manager with Ctrl-Shift-Esc. On previous versions of Windows, select Start > All Programs > Accessories > System Tools > Resource Monitor. On Windows 10, select Start > All Apps > Windows Administrative Tools > Resource Monitor. I have also removed the VPN users from the domain and they now access internal files using 2xRDP. Type perfmon.exe /res, and hit the Enter-key. I have left it on the users machines at remote sites as there are no attempts coming from them (due to them being in a different subnet I believe). I have went ahead and uninstalled it from all the local users machines and servers. So for some reason the MSP agent was trying to RDP using the guest account. That gave me the process/PID of the culprit which was a network management service used by "Advanced Monitoring Agent"/RMM which is an MSP software by solarwinds (I looked up the PID in Task Manager). I took the source port used which was logged in the event viewer (security) on the destination machine and matched filtered procmon using that port num. I ran procmon on the origin machine and matched the event from the netlogon file (on the PDC) to the correlating event on the destination machine. From there I was able to determine the origin and destination of the attempts of all these RDP attempts. ![]() So after a bit more reading I was able to find out about the netlogon.txt file (on the primary DC). The RDP attempts are now coming from random machines inside the local LAN. I've run multiple malware/rootkit/virus scans which returned no results. These attempts happen every ~4-5 minutes in that specific order today. One user is local and two are remote using VPNs. One of our servers (running RdpGuard) shows multiple failed attempts from specific users' machines (3 to be exact) and I can't figure out what is causing them.
0 Comments
Leave a Reply. |