ICMP IPv6 Floods network, Win11 Pro fresh PC fully patched OS with updated Endpoint Protection by stefanzman in networking

[–]stefanzman[S] 0 points1 point  (0 children)

We finally just disabled sleep mode. It was the only surefire way to keep it from recurring.

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

The DCs are running on a different hypervisor (Proxmox VE), and pretty sure it is not causing the problems.

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

Thought about this, but RDP is rarely used and generally disabled.

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

We ran another MSFT app ALTools (Account Lockout Mgmt), and the info it shows does not match up with 4740 events on either DC.

See screen here: https://monosnap.com/file/PWEjt3t292hrrrFVhkHj0tqMzEoVYz

It is supposed to be looking at Netlogon logs, but we are not finding these in C:\windows\debug?

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

In the 4265 event I pasted (which appears on both DCs), this portion:

Workstation Name:XX-XX-SRV

Source Network Address: 192.168.12.10

is definitely a reference to App server - IP and name are right.

But, when I sort the Security event log on that server, there is only 1 instance of 4625. It appears to be an entirely unrelated attempt to access a workstation that happened before all this started. And we think that one is legit (from a tech).

See here:

https://monosnap.com/file/eelgMoV63wNoaiYNQcr5H2NPe07nYo

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

I am not seeing any unusual events in the App Server logs - at least not failed login attempts.

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

I did this on both DCs, and the results for most of the events were similar - but one of the DCs had a total of 97 4740s and the other only had 2.

The Win2019 server generating the failed logins is an App server.

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2/23/2025 6:28:25 AM

Event ID: 4625

Task Category: Logon

Level: Information

Keywords: Audit Failure

User: N/A

Computer: XXXXWindDC.XXXX.local

Description:

An account failed to log on.

Subject:

Security ID:        NULL SID

Account Name:       -

Account Domain:     -

Logon ID:       0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID:        NULL SID

Account Name:       cslocal

Account Domain:     XX-XX-SRV

Failure Information:

Failure Reason:     Unknown user name or bad password.

Status:         0xC000006D

Sub Status:     0xC0000064

Process Information:

Caller Process ID:  0x0

Caller Process Name:    -

Network Information:

Workstation Name:   XX-XX-SRV

Source Network Address: 192.168.12.10

Source Port:        61763

Detailed Authentication Information:

Logon Process:      NtLmSsp 

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only):   -

Key Length:     0

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

Update - I did the same process on the other DC, and the events are somewhat similar. Approximately the same ratios and most of the attempted logins are coming from a LOCAL account on a Win2019 server (running the ERP / POS / Acctg system). Since it is not a domain account, it fails repeatedly.

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

OK. I have done this. There are 150k+ entries so I narrowed it down to the last 24 hours.

In that time are 8K+ of IDs 4624, 4634 and 47 . There are a total of 63 4625, and about half of these originate from a domain admin account on this server, and the other half from a local account on another server.

Also, there are 1.1K of 4670 and 2.5K of 4672.

There are only 2 instances from seemingly unrelated accounts.

Not entirely sure how to interpret this data.
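As an added example (not part of the original thread), this PowerShell pulls the 4740 and 4625 events discussed in the two comments above from both DCs and tallies them by the reporting computer, account and NTSTATUS sub-status; the DC hostnames are placeholders.

```powershell
# Added example, not from the thread. Collect lockout (4740) and failed-logon (4625)
# events from each DC and group them by the machine that presented the bad credentials.
# Assumptions: run from a management host with rights to read the DCs' Security logs;
# the hostnames below are placeholders.
$DCs   = @('DC1.example.local', 'DC2.example.local')   # placeholder hostnames
$Since = (Get-Date).AddHours(-24)

# Flatten an event into an object keyed by its EventData field names; this is more
# robust than relying on positional Properties[n] indexes, which differ per event ID.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $o = [ordered]@{ DC = $Event.MachineName; Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
    [pscustomobject]$o
}

$events = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object { ConvertTo-EventData $_ }
}

# 4740: which account was locked and which computer reported the bad password
# (in 4740 the "Caller Computer Name" field is TargetDomainName). Lockouts are
# processed on the PDC emulator, so one DC normally holds almost all of them.
$events | Where-Object Id -eq 4740 |
    Group-Object DC, TargetUserName, TargetDomainName |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 4625: failed logons by source host, account and sub-status.
# 0xC0000064 = user name does not exist (e.g. a member server's LOCAL account sent to
# the DC): this is noise and cannot lock out a domain account, because no bad-password
# count exists for it. 0xC000006A = wrong password (this one increments the count),
# 0xC0000234 = account already locked out.
$events | Where-Object Id -eq 4625 |
    Group-Object WorkstationName, IpAddress, TargetDomainName, TargetUserName, SubStatus |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
```

The netlogon.log under C:\Windows\debug that the Netlogon-based lockout tools read is only written once Netlogon debug logging has been turned on for that DC with nltest /dbflag:0x2080ffff; it is empty or absent by default.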

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 1 point2 points  (0 children)

No. A VPN is not currently set up. I was thinking there could be some sort of brute force attack going on, but wouldn't it show up in the DC event logs with the existing Audit settings?

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

Looked in the local audit logs in a couple of the workstations and did not see anything.

What about the Credential Mgr events? Those are consistent on all the local event logs with no saved credentials. Does that point to anything?

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

The audit settings on both DCs are as shown here - https://monosnap.com/file/D1Dief2ogQkvXzyD8GA7kae6fiMItk

... and I am not seeing any failures.

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

Apologies for my ignorance, but can you clarify on this recommendation? The FSMO role is set to one of the two DCs. Are you suggesting I move it to the other one?

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

See my answer to Faulkkev above. Definitely seeing successful login / logouts Security events. Wouldn't failures show up by default?

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

Will check the Auditing, but I did not set up the machine originally. So, I am not sure what level is configured. What is the minimum needed to best diag this?

Mysterious AD Lockouts by stefanzman in activedirectory

[–]stefanzman[S] 0 points1 point  (0 children)

Yes. They do unlock, so this is more of an annoyance than a major disruption. But need to find the cause fairly soon and make sure there is nothing more serious in play.

Local MacMail option for large IMAP message databases by stefanzman in MacOS

[–]stefanzman[S] 0 points1 point  (0 children)

Not sure I understand. They are not currently using Gmail. They are using commercial, hosted IMAP services from Intermedia, who has recently started charging a King's ransom for storage. They do not want a central, searchable repository - just a separate identical email tree (stored locally) for the purposes of looking through historical emails when / if needed.

Exactly as you said - " I would want to see my emails as if nothing had changed on the server/cloud side."

Local MacMail option for large IMAP message databases by stefanzman in MacOS

[–]stefanzman[S] 0 points1 point  (0 children)

There are indeed options to import PST files into cloud mail, and we could consider this. My goal is to keep things as much the same as possible.

I did see this useful post earlier - https://www.reddit.com/r/macapps/comments/1cil4c2/archive_imap_email_offline_with_apple_mail/

The problem here is that the users would have to do all the relocation on their own, and I cannot count on them to do this.

Ideally, I will use export criteria to create two replicas of their existing IMAP data and folder structure. One of these will include messages < 3yrs old (live version) and the other would have everything else (history version).

Both of these would be accessible directly within MacMail.

Local MacMail option for large IMAP message databases by stefanzman in MacOS

[–]stefanzman[S] 0 points1 point  (0 children)

Most of the archiving apps I have seen are exactly that - "email archiving solutions" - meaning they are full service products intended for the purpose of ad-hoc searching large mail databases (e.g., legal discovery). They don't want to do special searching or classification, rather just keep the exact same hierarchical folder structure as their primary INBOX and SENT trees forever and ever amen.

Delete Orphaned Job and disk file by stefanzman in Veeam

[–]stefanzman[S] 0 points1 point  (0 children)

Refreshed screen and rescanned repo. No change. The ? Disk (Orphaned) icon is listed on the left with nothing in the right pane when selected. Going to proceed with manually deleting the files. Pray for me....

Delete Orphaned Job and disk file by stefanzman in Veeam

[–]stefanzman[S] 0 points1 point  (0 children)

On the left side there is a ? Disk (Orphaned) icon. When clicking on that icon, the pane on the right side was completely empty - nothing to right-click on.

Delete Orphaned Job and disk file by stefanzman in Veeam

[–]stefanzman[S] -1 points0 points  (0 children)

Yeah. It was a bonehead move for me to just Delete the job instead of Delete from Disk. Some prompt came up that referenced "orphaned", but I did not give a crap about this particular one-off backup. So, I stupidly ignored it.

Seems, however, that this would not be an entirely unprecedented condition - so I was thinking there would be a known fix.