Successful login from anonymous account


I have a small honeypot environment and have been working on making new queries for threat hunting. During this process I came across a successful login for the anonymous account. What has baffled me a bit is that it came from a remote address but wasn't an elevated entry.

Does anyone have some tips and tricks to deep-dive into this a little better, or is this something you would typically ignore?


TimeGenerated [UTC]: 2020-08-24T05:22:23.433Z
SourceSystem: OpsManager
Account: NT AUTHORITY\ANONYMOUS LOGON
AccountType: User
Computer: Server
EventSourceName: Microsoft-Windows-Security-Auditing
Channel: Security
Task: 12544
Level: 8
EventID: 4624
Activity: 4624 - An account was successfully logged on.
AuthenticationPackageName: NTLM
ElevatedToken: %%1843
ImpersonationLevel: %%1833
IpAddress: 223.31.97.130
IpPort: 43515
KeyLength: 0
LmPackageName: NTLM V1
LogonGuid: 00000000-0000-0000-0000-000000000000
LogonProcessName: NtLmSsp
LogonType: 3
LogonTypeName: 3 - Network
Process: -
ProcessId: 0x0
ProcessName: -
RestrictedAdminMode: -
SubjectAccount: -\-
SubjectDomainName: -
SubjectLogonId: 0x0
SubjectUserName: -
SubjectUserSid: S-1-0-0
TargetAccount: NT AUTHORITY\ANONYMOUS LOGON
TargetDomainName: NT AUTHORITY
TargetLinkedLogonId: 0x0
TargetLogonId: 0x1130dcf
TargetOutboundDomainName: -
TargetOutboundUserName: -
TargetUserName: ANONYMOUS LOGON
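Added example, not part of the original post: two KQL hunting queries for the Sentinel SecurityEvent table that use only the column names visible in the event above (EventID, LogonType, TargetUserName, IpAddress, LmPackageName, Computer, Activity, TimeGenerated). The IP address and timestamp are the ones in the post; the 7-day lookback and the one-hour pivot window are assumed values. Reading the event itself: ElevatedToken %%1843 resolves to "No" and ImpersonationLevel %%1833 to "Impersonation"; SubjectUserSid S-1-0-0 is the null SID; together with LogonProcessName NtLmSsp, LogonType 3 and KeyLength 0 this is the shape of an anonymous (null-session) SMB or RPC connection rather than a credentialed logon, which is why no elevation appears.

```kql
// Hunt 1: anonymous network logons that arrived from non-private addresses in the last 7 days,
// grouped by source so repeat visitors and the NTLM flavour they negotiated stand out.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624 and LogonType == 3
| where TargetUserName == "ANONYMOUS LOGON"
| where isnotempty(IpAddress) and IpAddress != "-" and not(ipv4_is_private(IpAddress))
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hosts = make_set(Computer), NtlmVersions = make_set(LmPackageName)
    by IpAddress
| order by Hits desc

// Hunt 2: pivot on the single source address from the post, one hour either side of the event.
// Failed logons (4625) against real account names, or share-access events if object access
// auditing is collected, say far more about intent than the anonymous 4624 on its own.
let suspect_ip = "223.31.97.130";                       // value from the post
let anchor = datetime(2020-08-24T05:22:23.433Z);        // TimeGenerated from the post
SecurityEvent
| where TimeGenerated between ((anchor - 1h) .. (anchor + 1h))
| where IpAddress == suspect_ip
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Accounts = make_set(TargetUserName), LogonTypes = make_set(LogonType)
    by Computer, EventID, Activity
| order by FirstSeen asc
```

Run the two queries separately; each is a complete query. Inside a network, anonymous network logons are routine noise from SMB enumeration and a few services, so the first query is mostly useful for filtering down to external sources. On an internet-exposed honeypot the question worth answering is what the source did before and after the event, which is what the second query lays out per host and event type.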