Hi there,

I am currently analyzing a Windows Server 2008, and am digging in the EVTX files. I see numerous entries of EventID 1149 ("User authentication succeeded") done by foreign IP addresses, with user names which clearly are unknown to the system (looks like brute-force with a dictionary file to me...).

My question is simple: why do I see successful authentication on users who do not exist? (Example: john, test1, user1, and many others.) I see absolutely no failure in any of those authentications. Is there something I don't get?

Thank you for your time and help,
Best regards.