I wanted to ask a question in regards to a strange activity that we are noticing within our Domain Controllers and one of our servers, our SIEM is alerting in regards to an unknown user account with the name 1B9E3760. We have checked all of our servers for any local service accounts or scripts. We haven't found where this activity is coming from, the source IP and Destination IP are the same the port is 0. We decided to look online to see if there was anything out there in regards to this username, we found this user id attached to a Chinese IP address. We found this user id on the following website http://bei.kr/?idx=463353000 This has us scratching our heads since we aren't sure where this is coming from any help would be great.
Did you ever figure out what this was? That chinese site is just mapping a hex number to an IP.
BIGGUNS, is 1B9E3760 a Windows, or an application user ? (which app). If Windows, is it a local, or a domain account. What is your SIEM tool's name, and its message ? Thanks