
Solved

Netlogon help - user account locking out - random user names in our netlogon

Posted on 2016-10-19
Medium Priority
1,363 Views
Last Modified: 2016-10-22
Aloha, we have a user account that is getting locked out of AD constantly (every 5-10 minutes after 5 bad attempts). After tracing the issue from the DC back to their workstation, I've been unable to pinpoint what is causing the bad password attempts and inevitable lockout. Here is the part that is scaring the crap out of me: On their workstation, I ran netlogon and found that there are constant account logon tries with totally random usernames that have never been part of our domain. I've pasted a section of the log below, but you can see ADMINISTRATOR is a popular one, along with random first names (LAUREN, JAMES, TECH) as well as random first initial last name combinations (JQUACH, CALEXANDER). These are not users that have ever or currently exist in our domain. The domain field before the \ shows as (null) so I'm guessing it's not actually trying to login to network locations, and just trying for local accounts, but either way... what and why?

I've disconnected this machine and ran several virus detections to no avail. Does anyone have any idea what is going on here?

Mahalo nui loa for any insight.



10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Entered
10/19 15:55:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Returns 0xC0000064
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:17 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:50 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Entered
10/19 15:55:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Returns 0xC0000064
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Entered
10/19 15:56:06 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Returns 0xC0000064
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:10 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:26 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:43 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:18 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Entered
10/19 15:57:20 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Returns 0xC0000234
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:33 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Entered
10/19 15:57:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Returns 0xC0000234
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:48 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Entered
10/19 15:58:21 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Returns 0xC0000064
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:23 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Entered
10/19 15:58:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Returns 0xC0000064
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:37 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Entered
10/19 15:59:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Returns 0xC0000064
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:11 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Entered
10/19 15:59:32 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Returns 0xC0000064
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:42 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Entered
10/19 15:59:51 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Returns 0xC0000064
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Entered
10/19 16:00:15 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Returns 0xC0000064
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:16 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Entered
10/19 16:00:29 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Returns 0xC0000064
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:31 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:47 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
0
Comment
Question by:Steph Dames
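The log above is the useful evidence in this thread, so here is a triage script for it. It is an added example, not something from the original post or from the poster: it parses SamLogon "Returns" lines into objects, names the NTSTATUS codes (0xC0000064 STATUS_NO_SUCH_USER, 0xC000006A STATUS_WRONG_PASSWORD, 0xC0000234 STATUS_ACCOUNT_LOCKED_OUT), summarises attempts per target account, and flags the pattern of many non-existent names plus one hammered account. The sample lines are constructed from the excerpt above; the log path and the nltest flag values are the Windows defaults and are assumptions about the poster's setup.

```powershell
# Added example, not part of the original post: parse a netlogon.log excerpt and
# summarise who is being tried, how often, and with what NTSTATUS result.
# Assumption: the default log location %SystemRoot%\debug\netlogon.log and the
# line format shown in the question. The sample lines below are constructed
# from that excerpt.

$StatusNames = @{
    '0xC0000064' = 'STATUS_NO_SUCH_USER'         # account does not exist
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'       # account exists, bad password
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'   # account exists and is locked
    '0xC000006D' = 'STATUS_LOGON_FAILURE'        # generic bad user or password
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
}

function ConvertFrom-NetlogonSamLogon {
    # Turns "SamLogon: ... Returns 0x..." lines into objects; "Entered" lines
    # carry no result and are skipped.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^(?<date>\d\d/\d\d) (?<time>\d\d:\d\d:\d\d) \[LOGON\] SamLogon: (?<kind>\w+) logon of (?<domain>[^\\]+)\\(?<user>\S+) from (?<src>\S*) Returns (?<status>0x[0-9A-Fa-f]{8})') {
            $code = '0x' + $Matches.status.Substring(2).ToUpper()
            $name = $StatusNames[$code]
            if (-not $name) { $name = 'UNKNOWN' }
            [pscustomobject]@{
                Time   = $Matches.time
                Kind   = $Matches.kind          # Network = logon type 3, came in over the wire
                Domain = $Matches.domain        # "(null)" = client supplied no domain name
                User   = $Matches.user.ToUpper()
                Source = $Matches.src           # empty = client supplied no workstation name
                Status = $code
                Result = $name
            }
        }
    }
}

function Get-LogonAttemptSummary {
    # One row per target account: attempt count, time span, and outcome mix.
    param([Parameter(ValueFromPipeline)][object]$Event)
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process { $all.Add($Event) }
    end {
        $all | Group-Object User | ForEach-Object {
            $g = @($_.Group)
            [pscustomobject]@{
                User     = $_.Name
                Attempts = $_.Count
                First    = $g[0].Time
                Last     = $g[-1].Time
                Outcomes = (($g | Group-Object Result | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
            }
        } | Sort-Object Attempts -Descending
    }
}

function Test-PasswordGuessing {
    # Many different non-existent accounts plus one account hit repeatedly with
    # wrong passwords is the shape of a username spray / brute force.
    param([object[]]$Event, [int]$UnknownUserThreshold = 5, [int]$RepeatThreshold = 5)
    $unknown  = @($Event | Where-Object Result -eq 'STATUS_NO_SUCH_USER' | Select-Object -ExpandProperty User -Unique)
    $hammered = @($Event | Where-Object Result -eq 'STATUS_WRONG_PASSWORD' | Group-Object User | Where-Object Count -ge $RepeatThreshold)
    $locked   = @($Event | Where-Object Result -eq 'STATUS_ACCOUNT_LOCKED_OUT' | Select-Object -ExpandProperty User -Unique)
    [pscustomobject]@{
        UnknownAccounts  = $unknown.Count
        HammeredAccounts = ($hammered | ForEach-Object { $_.Name }) -join ','
        LockedAccounts   = $locked -join ','
        Suspicious       = ($unknown.Count -ge $UnknownUserThreshold) -or ($hammered.Count -gt 0)
    }
}

# Constructed sample, taken from the excerpt in the question.
$sample = @'
10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Entered
10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Returns 0xC0000064
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Returns 0xC0000064
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Returns 0xC0000234
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Returns 0xC0000064
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Returns 0xC0000064
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Returns 0xC0000064
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Returns 0xC0000064
'@ -split "`r?`n"

$events = $sample | ConvertFrom-NetlogonSamLogon
$events | Get-LogonAttemptSummary | Format-Table -AutoSize
Test-PasswordGuessing -Event $events

# Live log (assumes the default path). Verbose Netlogon logging is switched on with
#   nltest /dbflag:0x2080ffff
# and off again with nltest /dbflag:0x0 once you are done.
# Get-Content "$env:SystemRoot\debug\netlogon.log" | ConvertFrom-NetlogonSamLogon | Get-LogonAttemptSummary
```

Two things worth reading off the result rather than eyeballing the raw log: the split between STATUS_NO_SUCH_USER and STATUS_WRONG_PASSWORD tells you which of the tried names actually resolve to an account, and "Network logon" with an empty domain and source means these requests arrived over the network with neither a domain nor a workstation name in the NTLM exchange, which already points at an inbound network service rather than a local process typing passwords.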
9 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 41851374
My first guess, as I have seen similar before, is that someone or something is trying to use that system to crack the local admin account to install something more malicious and possibly try to get network access. VLAN that system off so it does not touch your network and run Wireshark to see what network communication it is doing.
0
 
LVL 29

Accepted Solution

by:
Dr. Klahn earned 2000 total points
ID: 41851389
Download a copy of Microsoft TCPView and install it on the afflicted machine.  Reboot so that the system is supposedly idle.  Run TCPView, watch it, and see what opens connections to the DC.  One of those processes should be the culprit.

If TCP View fails to reveal the problem process, then Microsoft Process Monitor will reveal it; but this is a high-overhead proposition, so try the easy one first.

Also download a copy of Malwarebytes (run it in stealth mode), and a copy of Spybot - Search and Destroy.

(It would arguably be less work to reload the system from scratch, but it sounds like you want to repair the issue rather than hammer it.)
0
 

Author Comment

by:Steph Dames
ID: 41851396
Yes, unfortunately the machine is a high priority user and rebuilding it may actually end up being more work for me depending on how far I let myself go down this rabbit hole.

Thanks for the help, Gabriel and Dr. Klahn. I'm going to try TCP view first and see what I can find out. mwb unfortunately didn't grab anything as of yet, but I will try spybot also.
0
 
LVL 7

Expert Comment

by:mbkitmgr
ID: 41851481
0
 
LVL 80

Expert Comment

by:arnold
ID: 41851519
Run control keymgr.dll and make sure there are no shared resources there that were saved with a password that the user has recently changed.
Make sure there is no service running with the user's credential.

The event log on the server shows what type of login is being attempted. If the type is network, that would suggest that this system has a shared resource that is being accessed.
Does your auditing policy include the local workstation/system recording login/logout events in the local security event log?

What development is occurring on this system?
Any changes within the week prior to this issue?
0
 

Author Comment

by:Steph Dames
ID: 41852910
So, it ended up being an RDP exploit. After a fresh reboot, I ran TCPView while disconnected from the network. After the full boot process seemed to be complete, I connected to the network and watched for anything to try. Nothing came up after several minutes and the netlogon log stayed clean of those random attempts. I one by one started to open programs that use a connection, starting with our company's management software. Still no attempts in the log after several minutes and nothing odd in TCPView. I open Outlook and BAM, TCPView shows protocol ms-wbt-server connecting to some remote address in London. I've attached a screenshot. The netlogon also immediately starts showing the random username attempts at this point. I did some quick research and learned that ms-wbt-server is likely the RDP service, so I closed the connection in TCPView and stopped and disabled the RDP service. Instantly, the netlogon was clean and no further connections showed up in TCPView. Just checked again and the log is still clean.

I've since looked into some articles regarding RDP exploits and am running some more scans, as well as a registry clean.

Crazy! Thanks for all your help!
0
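The accepted answer's TCPView check and the resolution above (an inbound ms-wbt-server, i.e. TCP 3389, connection from an unknown remote address, then stopping and disabling the RDP service) can be done from PowerShell, which also leaves a record. This is an added example and not the poster's own steps: it joins each non-listening socket on 3389 to its owning process and the service hosted in that svchost, pulls the matching Security-log failures (event 4625, whose Status/SubStatus fields carry the same NTSTATUS codes as netlogon.log), and performs the containment the poster described. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later), an elevated prompt, and that logon failure auditing is enabled on the workstation, which arnold's comment above asks about.

```powershell
# Added example, not the original poster's steps: the TCPView check from the
# accepted answer done in PowerShell, the matching Security-log view, and the
# containment step the poster used. Assumes the NetTCPIP module (Windows 8 /
# Server 2012 or later), an elevated prompt, and that failure auditing for
# logon events is enabled on the workstation (otherwise 4625 is empty).

function Get-RdpInboundConnection {
    # ms-wbt-server is TCP 3389. Joins each non-listening socket on that port to
    # its owning process and, because RDP runs inside svchost, to the hosted service.
    param([int]$Port = 3389)
    Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue |
        Where-Object State -ne 'Listen' |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                State    = $_.State
                PID      = $_.OwningProcess
                Process  = $proc.ProcessName
                Services = ($svc | ForEach-Object { $_.Name }) -join ','
            }
        }
}

function Get-RecentFailedLogon {
    # Event 4625 (logon failure). LogonType 3 = network, 10 = RemoteInteractive (RDP).
    # SubStatus holds the NTSTATUS (0xC0000064 no such user, 0xC000006A wrong password).
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']
            SubStatus = $data['SubStatus']
            Source    = $data['IpAddress']
        }
    }
}

function Disable-RdpListener {
    # Containment only: stop the service, keep it from starting, deny connections
    # in the registry so a later restart does not re-enable it, and close the
    # firewall rule group. Capture the evidence above before running this.
    Stop-Service -Name TermService -Force
    Set-Service  -Name TermService -StartupType Disabled
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

Get-RdpInboundConnection | Format-Table -AutoSize
Get-RecentFailedLogon | Group-Object Source, User | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
# Disable-RdpListener   # run once the remote address and process are recorded
```

An established inbound connection on 3389 from an address you do not recognise means that port was reachable from that address, so after containing the host the next check is the perimeter (port forward, NAT rule, or a directly exposed interface), not only the workstation. On the domain controller, event 4740 (account locked out) names the Caller Computer Name, which is how you confirm that the locked-out user's lockouts were coming from this workstation and not from a second source.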
 

Author Closing Comment

by:Steph Dames
ID: 41852914
TCPView to isolate the issue worked perfectly. Mahalo nui loa!
0
 
LVL 29

Expert Comment

by:Dr. Klahn
ID: 41852952
Remote Desktop.  Immensely useful, but something that Microsoft should have made "disabled unless manually enabled for this session only by a local user."  Glad to see you got the issue resolved.
1
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 41852967
Great to see you going again.
0
