0 Votes
YaKs77-8183 asked KaelYao-MSFT edited

How to find the real source IP of an Event 4776 generated from a public Exchange MAPI URL https://mail.xxxx.yy/mapi/

Hi,
I am struggling to find the real source of a bunch of authentication attempts (brute force) that I just discovered in our environment.

I did my own test connecting to our public URL https://mail.xxxxxx.yyy/mapi/ from my 4G phone, using wrong credentials.
The event 4776 logged on our DC server is the following:


LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=Dc.xxxx.yyy
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=1450342160
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: test4g
Source Workstation: localhost
Error Code: 0xC0000064

I tried to find traces in our Exchange IIS logs and I don't find any entry. I checked and logging is enabled, format W3C. We have on-prem Exchange 2016.

Maybe I need to enable some settings for deeper logging?

Thanks a lot.


Hi @YaKs77-8183

Did you check the IIS log under this path C:\inetpub\logs\LogFiles\W3SVC1 on Exchange server?
If you search for the timestamp of event 4776 in IIS log (by default IIS log would use UTC time), would you see requests sent to /mapi and a return code 401?

0 Votes 0 ·

Hi @kaelyao,
You were absolutely right, I didn't realize it was UTC time, so I could not correlate by time.

In any case, I don't see the user account name in the log, which I think is very much needed in case we have several 401s in the same second. I would like to correlate both event logs based on the account name and the timestamp.

Is there any way to force the logging of the user account used? For some reason the account name does not appear in 99.99% of the log lines with a 401 code. Is this normal?
Over almost 30K events with a 401 code, only 4 contained the user account :O

Many thanks once again.

0 Votes 0 ·

Hi,
In my lab the user account is also not logged in the IIS logs.

But I suppose you may see it in the event 4776 Logon Account field.
In this case, is the account which you are using for the test test4g?

0 Votes 0 ·
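The correlation the two comments above describe, written out as an added example (this is not code from the original thread or from Microsoft). Event 4776 on the DC is stamped in the DC's local time and names only the account and the Source Workstation (localhost in the asker's test), so the remote client has to come from the c-ip field of the Exchange IIS W3C log, which is stamped in UTC and, as both participants observed, usually carries no cs-username on 401 responses. The script therefore parses the W3C log using its #Fields directive, converts the 4776 timestamp to UTC, and selects 401 requests to /mapi within a small time window. The log lines, the IPs, the field order, the 4776 timestamp and the UTC+2 offset are all constructed for the example. One caveat: if a reverse proxy or load balancer sits in front of Exchange, c-ip is that device's address and the client IP is only available if the X-Forwarded-For header is added to the IIS log fields.

```python
"""Correlate a Windows Security Event 4776 with Exchange IIS W3C log entries.

Event 4776 (DC, local time) gives the account and "Source Workstation".
The IIS log (Exchange, UTC) gives the client IP (c-ip) but, on 401
responses, usually no cs-username. The join is therefore done on time and
on the /mapi URI rather than on the account name.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample IIS W3C log in UTC. NOT taken from the original page;
# server/client IPs and the MailboxId value are placeholders.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-10 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-05-10 12:00:01 10.0.0.5 POST /mapi/emsmdb/ MailboxId=placeholder 443 - 203.0.113.7 Outlook/16.0 401 1 2148074254 15
2023-05-10 12:00:02 10.0.0.5 POST /mapi/emsmdb/ MailboxId=placeholder 443 - 203.0.113.7 Outlook/16.0 401 1 2148074254 12
2023-05-10 12:00:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 Mozilla/5.0 401 0 0 10
2023-05-10 12:00:03 10.0.0.5 POST /mapi/emsmdb/ MailboxId=placeholder 443 CONTOSO\\test4g 203.0.113.7 Outlook/16.0 200 0 0 30
2023-05-10 12:00:30 10.0.0.5 POST /mapi/emsmdb/ MailboxId=placeholder 443 - 192.0.2.44 Outlook/16.0 401 1 2148074254 11
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    Directive lines (#Software, #Version, #Date, #Fields) are skipped; the
    #Fields line may recur after an IIS restart, so it is re-read wherever
    it appears. Each row gets a timezone-aware UTC datetime under 'ts'.
    """
    fields = None
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split(" ")  # W3C replaces spaces inside values with '+'
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(
            f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def to_utc(local_time_str, utc_offset_hours):
    """Convert an Event Viewer local timestamp 'YYYY-MM-DD HH:MM:SS' to UTC."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_time_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
    return local.astimezone(timezone.utc)


def correlate(event_local_time, utc_offset_hours, rows, window_seconds=2, uri_prefix="/mapi"):
    """Return IIS 401 requests under uri_prefix within +/- window of the event.

    The window absorbs clock skew between DC and Exchange and the delay
    between the HTTP request and the credential validation being logged.
    """
    event_utc = to_utc(event_local_time, utc_offset_hours)
    window = timedelta(seconds=window_seconds)
    return [
        r for r in rows
        if r["sc-status"] == "401"
        and r["cs-uri-stem"].lower().startswith(uri_prefix)
        and abs(r["ts"] - event_utc) <= window
    ]


def summarize(hits):
    """Rank candidate client IPs and count how often cs-username was logged."""
    by_ip = Counter(r["c-ip"] for r in hits)
    with_user = sum(1 for r in hits if r["cs-username"] != "-")
    return {"by_ip": dict(by_ip), "with_username": with_user, "total": len(hits)}


if __name__ == "__main__":
    rows = parse_w3c(IIS_LOG)
    # Assumed: the 4776 for 'test4g' was logged at 14:00:02 DC local time (UTC+2).
    event_time, offset = "2023-05-10 14:00:02", 2
    print("event in UTC:", to_utc(event_time, offset).isoformat())
    hits = correlate(event_time, offset, rows)
    for r in hits:
        print(r["ts"].time(), r["c-ip"], r["cs-uri-stem"], r["sc-status"], r["cs-username"])
    print(summarize(hits))
```

With the constructed data the event at 14:00:02 local maps to 12:00:02 UTC, and the two /mapi 401s at 12:00:01 and 12:00:02 from 203.0.113.7 are selected; the /owa 401 (different URI), the 200 (successful logon) and the 401 at 12:00:30 (outside the window) are not. On a real server point `parse_w3c` at the files under C:\inetpub\logs\LogFiles\W3SVC1 and widen `window_seconds` if the DC and Exchange clocks are not tightly synchronized.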

0 Answers