Accounts getting disbled in active directory.
Posted on 2009-07-13
Here is my situation. Today dozens of accounts were locked by Active Directory disabling all the users PKI common access cards as a by product.
Here what I know:
Dozens of user accounts are listed as logging on to Retina Scanner appliance (a vulnerability scanner). The loggins are passed on to the server, verifed and disabled via the same local DC. This occurred over a period of four hours or so. We checked the logs for jobs on the Retina server and so far can't find anything wonky in the event logs figuring the local security logs would not be useful since they are AD logons and will be on the DC.
Being that all of these accounts attempted logons to a particular subnet which is not it's normal AOR (Area of Responsibility) is strange.
WE do have logs from DC showing the attempts and subsequent locking of the accounts that targeted the particular serve but no idea why they would all to do in hat looks to be an automated fashion
Again, but any help would be appreciated.
We cannot match up any running scan jobs at the time of login attempts.
Besides why would a vulnerability scanner be the target (not the initiator) of dozens of unsuccessful logons from the same subnet?
Finally the logon attempts causng the lock outs where definitely automated as they where hapening less that a second appart.
I have no idea so far where else to look and I'm supposed to tell the boss what going on by the end of tommorow. I'm not asking someone to do my work for me but maybe suggest other things to consider.
The more paranoid of us immediately suggested some grand AD aware piece of malware but I would rather start at something more mundane.
My only hunch is that somehow the Retina server will be culprit,not the target as the logs show because it's job is to rapidly scan swath of IP's, but again no apparent jobs where running at the time....
Sorry fore the long description but wanted you to know I'm not looking for free hand outs :-)