Solved

Netlogon help - user account locking out - random user names in our netlogon

Posted on 2016-10-19
9
77 Views
Last Modified: 2016-10-22
Aloha, we have a user account that is getting locked out of AD constantly (every 5-10 minutes after 5 bad attempts). After tracing the issue from the DC back to their workstation, I've been unable to pinpoint what is causing the bad password attempts and inevitable lockout. Here is the part that is scaring the crap out of me: On their workstation, I ran netlogon and found that there are constant account logon tries with totally random usernames that have never been part of our domain. I've pasted a section of the log below, but you can see ADMINISTRATOR is a popular one, along with random first names (LAUREN, JAMES, TECH) as well as random first initial last name combinations (JQUACH, CALEXANDER). These are not users that have ever or currently exist in our domain. The domain field before the \ shows as (null) so I'm guessing it's not actually trying to login to network locations, and just trying for local accounts, but either way... what and why?

I've disconnected this machine and ran several virus detections to no avail. Does anyone have any idea what is going on here?

Mahalo nui loa for any insight.



10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Entered
10/19 15:55:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Returns 0xC0000064
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:17 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:50 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Entered
10/19 15:55:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Returns 0xC0000064
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Entered
10/19 15:56:06 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Returns 0xC0000064
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:10 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:26 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:43 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:18 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Entered
10/19 15:57:20 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Returns 0xC0000234
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:33 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Entered
10/19 15:57:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Returns 0xC0000234
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:48 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Entered
10/19 15:58:21 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Returns 0xC0000064
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:23 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Entered
10/19 15:58:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Returns 0xC0000064
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:37 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Entered
10/19 15:59:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Returns 0xC0000064
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:11 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Entered
10/19 15:59:32 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Returns 0xC0000064
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:42 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Entered
10/19 15:59:51 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Returns 0xC0000064
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Entered
10/19 16:00:15 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Returns 0xC0000064
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:16 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Entered
10/19 16:00:29 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Returns 0xC0000064
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:31 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:47 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
0
Comment
Question by:Steph Dames
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
Comment Utility
My first guys, I have seen similar before, ids that someone out something is trying to use that Austen to crack local admin account to install something more maliciousabd possibly try to get network access. vlan that system off so it does not touch your network and run wireshark to see what network communication it is doing.
0
 
LVL 23

Accepted Solution

by:
Dr. Klahn earned 500 total points
Comment Utility
Download a copy of Microsoft TCP View and install it on the afflicted machine.  Reboot so that the system is supposedly idle.  Run TCP View, watch it, and see what opens connections open to the DC.  One of those processes should be the culprit.

If TCP View fails to reveal the problem process, then Microsoft Process Monitor will reveal it; but this is a high-overhead proposition, so try the easy one first.

Also download a copy of Malwarebytes (run it in stealth mode), and a copy of Spybot - Search and Destroy.

(It would arguably be less work to reload the system from scratch, but it sounds like you want to repair the issue rather than hammer it.)
0
 

Author Comment

by:Steph Dames
Comment Utility
Yes, unfortunately the machine is a high priority user and rebuilding it may actually end up being more work for me depending on how far I let myself go down this rabbit hole.

Thanks for the help, Gabriel and Dr. Klahn. I'm going to try TCP view first and see what I can find out. mwb unfortunately didn't grab anything as of yet, but I will try spybot also.
0
 
LVL 5

Expert Comment

by:mbkitmgr
Comment Utility
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 76

Expert Comment

by:arnold
Comment Utility
Run control keymgr.dll and make sure there are no shared resources there that were saved with a password that the user has recently changed.
Make sure there is no service running with the user's credential.

The event log on the server what type of login is being attempted. The type if network would suggest that this system has a shared resource that is being accessed.
Does your auditing policy include the local workstation/system revord login/logout events in the local security eventlog?

What development is occurring on this system?
Any changes within the week prior to this issue?
0
 

Author Comment

by:Steph Dames
Comment Utility
So, it ended up being an RDP exploit. After a fresh reboot, I ran TCPView while disconnected from the network. After the full boot process seemed to be complete, I connected to the network and watched for anything to try. Nothing came up after several minutes and the netlogon log stayed clean of those random attempts. I one by one started to open programs that use connection, starting with our company's management software. Still no attempts in the log after several minutes and nothing odd in TCPView. I open Outlook and BAM, TCPView shows protocol ms-wbt-server connecting to some remote address in London. I've attached a screenshot. The netlogon also immediately starts showing the random username attempts at this point. I did some quick research and learned that ms-wbt-server is likely the RDP service, so I closed the connected in TCPView and stopped and disabled the RDP service. Instantly, the netlogon was clean and no further connections showed up in TCPView. Just checked again and the log is still clean.

I've since looked into some articles regarding RDP exploits and am running some more scans, as well as a registry clean.

Crazy! Thanks for all your help!
0
 

Author Closing Comment

by:Steph Dames
Comment Utility
TCPView to isolate the issue worked perfectly. Mahalo nui loa!
0
 
LVL 23

Expert Comment

by:Dr. Klahn
Comment Utility
Remote Desktop.  Immensely useful, but something that Microsoft should have made "disabled unless manually enabled for this session only by a local user."  Glad to see you got the issue resolved.
1
 
LVL 13

Expert Comment

by:Gabriel Clifton
Comment Utility
Great to see you going again.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now