I have a small honeypot environment and been working on making new queries for threat hunting. During this process I came across a login successful for the anonymous account. What has baffled me a bit is that it came from a remote address, but wasn't an elevated entry.
Does anyone have some tips and tricks to deep dive into this a little better or is this something you would typically ignore?
| TimeGenerated [UTC] | 2020-08-24T05:22:23.433Z |
| SourceSystem | OpsManager |
| Account | NT AUTHORITY\ANONYMOUS LOGON |
| AccountType | User |
| Computer | Server |
| EventSourceName | Microsoft-Windows-Security-Auditing |
| Channel | Security |
| Task | 12544 |
| Level | 8 |
| EventID | 4624 |
| Activity | 4624 - An account was successfully logged on. |
| AuthenticationPackageName | NTLM |
| ElevatedToken | %%1843 |
| ImpersonationLevel | %%1833 |
| IpAddress | 223.31.97.130 |
| IpPort | 43515 |
| KeyLength | 0 |
| LmPackageName | NTLM V1 |
| LogonGuid | 00000000-0000-0000-0000-000000000000 |
| LogonProcessName | NtLmSsp |
| LogonType | 3 |
| LogonTypeName | 3 - Network |
| Process | - |
| ProcessId | 0x0 |
| ProcessName | - |
| RestrictedAdminMode | - |
| SubjectAccount | -\- |
| SubjectDomainName | - |
| SubjectLogonId | 0x0 |
| SubjectUserName | - |
| SubjectUserSid | S-1-0-0 |
| TargetAccount | NT AUTHORITY\ANONYMOUS LOGON |
| TargetDomainName | NT AUTHORITY |
| TargetLinkedLogonId | 0x0 |
| TargetLogonId | 0x1130dcf |
| TargetOutboundDomainName | - |
| TargetOutboundUserName | - |
| TargetUserName | ANONYMOUS LOGON |
