rezuma | Posts: 136 | 07/28/2010 3:01 PM
Hi all,
I recently started using Splunk.
I created an alert that tells me whenever the enterprise administrator account is being used or locked out.
I am seeing that our administrator account is being locked out every few random days (event 644), always with the same data: the caller_machine_name is always \\NTscan, which is not a computer in my network.
I did another search to see where else \\NTscan was showing up and saw that one other regular user is also being locked out by this machine.
I am not sure how to troubleshoot this; any tips will be greatly appreciated.
PS: None of the records shows any IP for the source of that machine.
Ramon
kennedyjim | Posts: 89 | 07/28/2010 5:13 PM
It is the name of a virus/malware. Bet you have a machine with it and it is spoofing that machine name.
DaemonRoot | Posts: 122 | 07/29/2010 12:05 PM
Hi,
You say you're not getting much info in your logs, but I still have to ask: is Netlogon logging enabled on your DCs?
http://support.microsoft.com/kb/109626
Regards,
~D
sdelrio | Posts: 14 | 08/01/2010 4:44 PM
As Daniel says, the netlogon logging should give you some clue; in that case you should enable netlogon logging at least on the PDC emulator. Are you monitoring the AD replication?
Another thing, are yo
On Thu, Jul 29, 2010 at 8:02 AM, Castillo, Daniel (Directory Services) < daniel.castillo@hp.com> wrote:
sdelrio | Posts: 14 | 08/01/2010 5:04 PM
Can you check the wrong-password events? For example, on this one we have the source IP address. I saw many cases where the attempts were coming from the internet, like this one.
I don't know if the account lockouts are frequent, but if they are, maybe you can use a NETMON trace and look for the user's attempts, so you can identify the source IP address.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/07/2008
Time: 10:27:13
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: SBS Mail Operators
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\NTscan
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 81.242.5.43
Source Port: 0
On Sun, Aug 1, 2010 at 12:44 PM, Sebastian del Rio < sebastiandelrio@gmail.com> wrote:
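A small triage helper in the spirit of Sebastian's advice, added here as example code that is not from the thread: it parses 529 logon-failure and 644 lockout events in the one-field-per-line export form, groups them by the machine name they claim (Workstation Name or Caller Machine Name), collects any Source Network Address, and flags names that are not in a host inventory. The KNOWN_HOSTS set, the sample events, the user names and the 192.0.2.x/10.0.0.x addresses are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (not from the thread), one field per line as in a
# Windows 2003-era Security log export: 529 = logon failure, 644 = lockout.
SAMPLE_EVENTS = [
    "Event ID: 529\nUser Name: administrator\nLogon Type: 3\n"
    "Workstation Name: \\\\NTscan\nSource Network Address: 192.0.2.10\n",
    "Event ID: 529\nUser Name: jsmith\nLogon Type: 3\n"
    "Workstation Name: \\\\NTscan\nSource Network Address: 192.0.2.10\n",
    "Event ID: 644\nTarget Account Name: administrator\n"
    "Caller Machine Name: \\\\NTscan\n",
    "Event ID: 529\nUser Name: jsmith\nLogon Type: 2\n"
    "Workstation Name: WS-042\nSource Network Address: 10.0.0.42\n",
]
KNOWN_HOSTS = {"DC01", "WS-042", "WS-043"}  # constructed inventory of real hosts


def parse_event(text):
    """Turn 'Field: value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def machine_of(event):
    # 644 carries 'Caller Machine Name', 529 'Workstation Name'; drop the \\ prefix
    name = event.get("Caller Machine Name") or event.get("Workstation Name", "-")
    return name.lstrip("\\").upper()


def summarize_by_machine(raw_events):
    """Group 529/644 events by the machine name they claim, with users and source IPs."""
    by_machine = defaultdict(lambda: {"ids": set(), "users": set(), "sources": set()})
    for text in raw_events:
        ev = parse_event(text)
        if ev.get("Event ID") not in ("529", "644"):
            continue
        rec = by_machine[machine_of(ev)]
        rec["ids"].add(ev["Event ID"])
        rec["users"].add(ev.get("User Name") or ev.get("Target Account Name", "-"))
        src = ev.get("Source Network Address")
        if src and src != "-":  # 644 events carry no source address
            rec["sources"].add(src)
    return dict(by_machine)


def unknown_machines(raw_events):
    """Claimed machine names behind failures/lockouts that are not in the inventory."""
    return sorted(m for m in summarize_by_machine(raw_events) if m not in KNOWN_HOSTS)
```

A name that appears only in 644 lockouts with no 529 source address is exactly the gap Ramon describes; the 529 events from the same claimed machine are where the address shows up.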