question

FafaOSY-9738 avatar image
0 Votes"
FafaOSY-9738 asked GraceHE-MSFT commented

EventID 1149 : inconsistent Source Network Adress

Hi,

We have suffered a RYUK ransomware attack, and we are in the analysis of events. On a server, in the time slot of the attack, I see in the event of RDP connections, in event ID 1149, connections with the Source Network Adress corresponding to that of the server ?! How is it possible ? there should be the ip of the client that connects to the server ... right?
thanks a lot for your help
Steph.

remote-desktop-services
· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GraceHE-MSFT avatar image GraceHE-MSFT ·

Hi Steph.,
Thank you for posting your query. According to your description, are you doubting why the event ID 1149 happened or why you sufferred the attack when doing the analysis?

0 Votes 0 ·
GraceHE-MSFT avatar image GraceHE-MSFT ·

Hi,
We are looking forward to your reply and ready for help.

0 Votes 0 ·

0 Answers