Forum Discussion

cschelin
Copper Contributor
Feb 06, 2019

What is this account "1B9E3760"?

I keep seeing the account name 1B9E3760 in our Windows security logs, only when an account has failed to log in. (But not every time an account has failed to log in.) The only thing that we've found is that this may be related to "logon as a service".

Where would I even begin to look for more info on what this is?

  • alexw1820
    Copper Contributor

    cschelin, this is a Rapid7 InsightVM vulnerability-related credential. It is found under the scanning templates when scanning and looking for "default account" vulnerabilities. You cannot exclude the specific username, but you can disable "default account" scanning, which should stop it using that account. It is associated with certain vulnerabilities that were identified using that account. I would advise not disabling the default account scanning, but just be aware this is part of the scanning and failure events are expected.

    • Younoobtoo
      Copper Contributor
      vvatta:
      I found this username in my logs as well. How and where did you find the connection between the name and Nexpose?

      I'm pretty sure that this is a Nexpose user, but I would like to understand where this is configured.

      Thanks for the feedback and greets, younoobtoo
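
Added example, not part of any post in this thread: one way to check that logon events for the 1B9E3760 account really come from your own scan engines, and to surface the ones that do not. The scan-engine range, the sample events and the treatment of a successful logon as unusual are assumptions made for illustration; the field names are those of Windows Security events 4624/4625.

```python
import ipaddress

SCANNER_ACCOUNT = "1B9E3760"  # username discussed in the thread
# Assumption: address range of your own scan engines (constructed value).
SCAN_ENGINES = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed sample records, using EventData field names from 4624/4625.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "1B9E3760", "IpAddress": "10.20.30.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.1.4.77", "LogonType": 2},
    {"EventID": 4625, "TargetUserName": "1b9e3760", "IpAddress": "192.0.2.44", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "1B9E3760", "IpAddress": "-", "LogonType": 5},
    {"EventID": 4624, "TargetUserName": "1B9E3760", "IpAddress": "10.20.30.5", "LogonType": 3},
]

def from_scan_engine(ip_text):
    """True if the source address parses and falls in a scan-engine range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # "-" is logged when no network address is recorded
        return False
    return any(addr in net for net in SCAN_ENGINES)

def triage(events):
    """Sort logon events for the scanner account into three buckets."""
    result = {"expected": [], "review": [], "alert": []}
    for ev in events:
        # Windows account names are case-insensitive, so compare in one case.
        if ev["TargetUserName"].upper() != SCANNER_ACCOUNT:
            continue
        if ev["EventID"] == 4624:
            # Assumption: only failures are expected, so a success is unusual.
            result["alert"].append(ev)
        elif ev["EventID"] == 4625:
            bucket = "expected" if from_scan_engine(ev["IpAddress"]) else "review"
            result[bucket].append(ev)
    return result

if __name__ == "__main__":
    for bucket, evs in triage(SAMPLE_EVENTS).items():
        for ev in evs:
            print(bucket, ev["EventID"], ev["IpAddress"], "type", ev["LogonType"])
```

Failures in the "review" bucket are the ones to compare against the scan schedule; a source outside the engine range or a local logon type is not explained by the scanner alone.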