Solved

Netlogon help - user account locking out - random user names in our netlogon

Posted on 2016-10-19
257 Views
Last Modified: 2016-10-22
Aloha, we have a user account that is getting locked out of AD constantly (every 5-10 minutes after 5 bad attempts). After tracing the issue from the DC back to their workstation, I've been unable to pinpoint what is causing the bad password attempts and inevitable lockout. Here is the part that is scaring the crap out of me: on their workstation, I ran netlogon logging and found that there are constant account logon tries with totally random usernames that have never been part of our domain. I've pasted a section of the log below, but you can see ADMINISTRATOR is a popular one, along with random first names (LAUREN, JAMES, TECH) as well as random first-initial-last-name combinations (JQUACH, CALEXANDER). These are not users that have ever existed or currently exist in our domain. The domain field before the \ shows as (null), so I'm guessing it's not actually trying to log in to network locations, and is just trying for local accounts, but either way... what and why?

I've disconnected this machine and run several virus scans to no avail. Does anyone have any idea what is going on here?

Mahalo nui loa for any insight.



10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Entered
10/19 15:55:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Returns 0xC0000064
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:17 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:50 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Entered
10/19 15:55:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Returns 0xC0000064
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Entered
10/19 15:56:06 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Returns 0xC0000064
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:10 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:26 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:43 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:18 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Entered
10/19 15:57:20 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Returns 0xC0000234
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:33 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Entered
10/19 15:57:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Returns 0xC0000234
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:48 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Entered
10/19 15:58:21 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Returns 0xC0000064
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:23 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Entered
10/19 15:58:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Returns 0xC0000064
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:37 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Entered
10/19 15:59:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Returns 0xC0000064
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:11 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Entered
10/19 15:59:32 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Returns 0xC0000064
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:42 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Entered
10/19 15:59:51 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Returns 0xC0000064
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Entered
10/19 16:00:15 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Returns 0xC0000064
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:16 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Entered
10/19 16:00:29 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Returns 0xC0000064
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:31 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:47 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
0
Question by:Steph Dames
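Added example (not from the thread): a PowerShell pass over netlogon.log that summarises the SamLogon "Returns" lines so the pattern in the log above (many distinct nonexistent user names plus repeated wrong-password hits on ADMINISTRATOR, all with a (null) domain and an empty source) stands out. It assumes the default log location and maps the three NTSTATUS codes that appear in the thread.

```powershell
# Assumed default netlogon debug log path; change if your log lives elsewhere.
$LogPath = "$env:SystemRoot\debug\netlogon.log"

# NTSTATUS codes seen in the thread's log, mapped to their meaning.
$StatusNames = @{
    '0xC0000064' = 'NO_SUCH_USER'
    '0xC000006A' = 'WRONG_PASSWORD'
    '0xC0000234' = 'ACCOUNT_LOCKED_OUT'
}

# Match only the "Returns" lines: timestamp, domain, user, source host, status.
# In the thread's log the domain is "(null)" and the source is empty.
$Pattern = '^(?<ts>\S+ \S+) \[LOGON\] SamLogon: Network logon of (?<domain>[^\\]*)\\(?<user>\S+) from\s+(?<src>\S*)\s+Returns (?<status>0x[0-9A-Fa-f]+)'

$Attempts = Get-Content -Path $LogPath | ForEach-Object {
    if ($_ -match $Pattern) {
        [pscustomobject]@{
            Time   = $Matches.ts
            Domain = $Matches.domain
            User   = $Matches.user
            Source = $Matches.src
            Status = $Matches.status
        }
    }
}

# Per-user view: attempt count and which outcomes were returned.
$Summary = $Attempts | Group-Object User | ForEach-Object {
    $names = $_.Group.Status | ForEach-Object {
        if ($StatusNames.ContainsKey($_)) { $StatusNames[$_] } else { $_ }
    } | Sort-Object -Unique
    [pscustomobject]@{
        User     = $_.Name
        Attempts = $_.Count
        Statuses = ($names -join ', ')
    }
} | Sort-Object Attempts -Descending
$Summary | Format-Table -AutoSize

# Password-guessing signature: a spread of user names that do not exist at all,
# repeated WRONG_PASSWORD on one real account, and eventually a lockout.
$NoSuchUser = @($Attempts | Where-Object Status -eq '0xC0000064' | Select-Object -ExpandProperty User -Unique)
$Guessed    = @($Attempts | Where-Object Status -eq '0xC000006A' | Select-Object -ExpandProperty User -Unique)
$Locked     = @($Attempts | Where-Object Status -eq '0xC0000234' | Select-Object -ExpandProperty User -Unique)
if ($Attempts.Count -gt 0) {
    Write-Host "Window: $($Attempts[0].Time) to $($Attempts[-1].Time), $($Attempts.Count) attempts"
}
if ($NoSuchUser.Count -ge 5) {
    Write-Warning "$($NoSuchUser.Count) distinct nonexistent user names tried: $($NoSuchUser -join ', ')"
}
if ($Guessed.Count -gt 0) { Write-Warning "Wrong-password attempts against: $($Guessed -join ', ')" }
if ($Locked.Count -gt 0)  { Write-Warning "Accounts returned as locked out: $($Locked -join ', ')" }
```

Run it on the workstation where netlogon logging was enabled; the empty Source field combined with a (null) domain is the detail worth noting when the attempts turn out to be local.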
9 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 41851374
My first guess, as I have seen similar before, is that someone or something is trying to use that system to crack the local admin account to install something more malicious and possibly try to get network access. VLAN that system off so it does not touch your network and run Wireshark to see what network communication it is doing.
0
 
LVL 25

Accepted Solution

by:
Dr. Klahn earned 500 total points
ID: 41851389
Download a copy of Microsoft TCP View and install it on the afflicted machine.  Reboot so that the system is supposedly idle.  Run TCP View, watch it, and see what opens connections to the DC.  One of those processes should be the culprit.

If TCP View fails to reveal the problem process, then Microsoft Process Monitor will reveal it; but this is a high-overhead proposition, so try the easy one first.

Also download a copy of Malwarebytes (run it in stealth mode), and a copy of Spybot - Search and Destroy.

(It would arguably be less work to reload the system from scratch, but it sounds like you want to repair the issue rather than hammer it.)
0
 

Author Comment

by:Steph Dames
ID: 41851396
Yes, unfortunately the machine is a high priority user and rebuilding it may actually end up being more work for me depending on how far I let myself go down this rabbit hole.

Thanks for the help, Gabriel and Dr. Klahn. I'm going to try TCPView first and see what I can find out. MWB unfortunately didn't grab anything as of yet, but I will try Spybot also.
0
 
LVL 5

Expert Comment

by:mbkitmgr
ID: 41851481
0
 
LVL 77

Expert Comment

by:arnold
ID: 41851519
Run control keymgr.dll and make sure there are no shared resources there that were saved with a password that the user has recently changed.
Make sure there is no service running with the user's credential.

The event log on the server shows what type of login is being attempted. The type, if network, would suggest that this system has a shared resource that is being accessed.
Does your auditing policy include having the local workstation/system record login/logout events in the local security event log?

What development is occurring on this system?
Any changes within the week prior to this issue?
0
 

Author Comment

by:Steph Dames
ID: 41852910
So, it ended up being an RDP exploit. After a fresh reboot, I ran TCPView while disconnected from the network. After the full boot process seemed to be complete, I connected to the network and watched for anything to try. Nothing came up after several minutes and the netlogon log stayed clean of those random attempts. I one by one started to open programs that use a connection, starting with our company's management software. Still no attempts in the log after several minutes and nothing odd in TCPView. I opened Outlook and BAM, TCPView shows protocol ms-wbt-server connecting to some remote address in London. I've attached a screenshot. The netlogon log also immediately starts showing the random username attempts at this point. I did some quick research and learned that ms-wbt-server is likely the RDP service, so I closed the connection in TCPView and stopped and disabled the RDP service. Instantly, the netlogon log was clean and no further connections showed up in TCPView. Just checked again and the log is still clean.

I've since looked into some articles regarding RDP exploits and am running some more scans, as well as a registry clean.

Crazy! Thanks for all your help!
0
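Added example (not from the thread): the TCPView step Dr. Klahn describes, and the check behind the poster's finding, done from an elevated PowerShell on the affected workstation. It lists established TCP connections with their owning process, flags anything on the RDP port (3389, shown as ms-wbt-server in TCPView) or talking to the DC, and reports the Remote Desktop service state. $DcAddress is a placeholder you must set to your DC's IP.

```powershell
$DcAddress = '10.0.0.1'   # placeholder, not from the thread; set to your DC's address
$RdpPort   = 3389         # ms-wbt-server

# Every established TCP connection, resolved to the process that owns it.
$Connections = Get-NetTCPConnection -State Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
    $path = if ($proc) { $proc.Path } else { '' }
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        PID     = $_.OwningProcess
        Process = $name
        Path    = $path
        IsRdp   = ($_.LocalPort -eq $RdpPort -or $_.RemotePort -eq $RdpPort)
        ToDc    = ($_.RemoteAddress -eq $DcAddress)
    }
}

# What TCPView showed the poster: RDP sessions and connections to the DC are the
# first thing to examine. The process owning a 3389 socket is the one to inspect.
$Connections | Where-Object { $_.IsRdp -or $_.ToDc } | Format-Table -AutoSize

$Rdp = @($Connections | Where-Object IsRdp)
if ($Rdp.Count -gt 0) {
    $list = $Rdp | ForEach-Object { "$($_.Process) (PID $($_.PID)) <-> $($_.Remote)" }
    Write-Warning "RDP port in use: $($list -join '; ')"
}

# Remote Desktop service and its firewall rules. The thread's fix was to stop
# and disable the service on this workstation.
Get-Service -Name TermService | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action

# Uncomment to apply the poster's fix: stop and disable Remote Desktop.
# Stop-Service -Name TermService -Force
# Set-Service  -Name TermService -StartupType Disabled
```

Re-run the first part after Outlook (or whatever triggered it) is opened, as the poster did, so the connection is caught while it is live; a process whose Path is outside the expected system or application directories is what to preserve for analysis before the machine is rebuilt.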
 

Author Closing Comment

by:Steph Dames
ID: 41852914
TCPView to isolate the issue worked perfectly. Mahalo nui loa!
0
 
LVL 25

Expert Comment

by:Dr. Klahn
ID: 41852952
Remote Desktop.  Immensely useful, but something that Microsoft should have made "disabled unless manually enabled for this session only by a local user."  Glad to see you got the issue resolved.
1
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 41852967
Great to see you going again.
0
