Solved

Netlogon help - user account locking out - random user names in our netlogon

Posted on 2016-10-19
9
364 Views
Last Modified: 2016-10-22
Aloha, we have a user account that is getting locked out of AD constantly (every 5-10 minutes after 5 bad attempts). After tracing the issue from the DC back to their workstation, I've been unable to pinpoint what is causing the bad password attempts and inevitable lockout. Here is the part that is scaring the crap out of me: On their workstation, I ran netlogon and found that there are constant account logon tries with totally random usernames that have never been part of our domain. I've pasted a section of the log below, but you can see ADMINISTRATOR is a popular one, along with random first names (LAUREN, JAMES, TECH) as well as random first initial last name combinations (JQUACH, CALEXANDER). These are not users that have ever or currently exist in our domain. The domain field before the \ shows as (null) so I'm guessing it's not actually trying to login to network locations, and just trying for local accounts, but either way... what and why?

I've disconnected this machine and ran several virus detections to no avail. Does anyone have any idea what is going on here?

Mahalo nui loa for any insight.



10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Entered
10/19 15:55:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:07 [LOGON] SamLogon: Network logon of (null)\JQUACH from  Returns 0xC0000064
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:17 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:17 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:34 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:55:50 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:55:50 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Entered
10/19 15:55:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:55:57 [LOGON] SamLogon: Network logon of (null)\ACOINGTON from  Returns 0xC0000064
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Entered
10/19 15:56:06 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:56:06 [LOGON] SamLogon: Network logon of (null)\LAUREN from  Returns 0xC0000064
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:10 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:10 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:26 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:26 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:56:43 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:56:43 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:01 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:18 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:18 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Entered
10/19 15:57:20 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:20 [LOGON] SamLogon: Network logon of (null)\JAMES from  Returns 0xC0000234
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:33 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:33 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Entered
10/19 15:57:34 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)
10/19 15:57:34 [LOGON] SamLogon: Network logon of (null)\JACH from  Returns 0xC0000234
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:57:48 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:57:48 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:07 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:07 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Entered
10/19 15:58:21 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:21 [LOGON] SamLogon: Network logon of (null)\JOYCE from  Returns 0xC0000064
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:23 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:23 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Entered
10/19 15:58:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:58:27 [LOGON] SamLogon: Network logon of (null)\JESSICA from  Returns 0xC0000064
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:37 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:37 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:58:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:58:54 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Entered
10/19 15:59:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:00 [LOGON] SamLogon: Network logon of (null)\JERI from  Returns 0xC0000064
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:11 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:11 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:27 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:27 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Entered
10/19 15:59:32 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:32 [LOGON] SamLogon: Network logon of (null)\SOURCEMED from  Returns 0xC0000064
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 15:59:42 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 15:59:42 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Entered
10/19 15:59:51 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 15:59:51 [LOGON] SamLogon: Network logon of (null)\INGOTS from  Returns 0xC0000064
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:00 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:00 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Entered
10/19 16:00:15 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:15 [LOGON] SamLogon: Network logon of (null)\CALEXANDER from  Returns 0xC0000064
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:16 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:16 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Entered
10/19 16:00:29 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
10/19 16:00:29 [LOGON] SamLogon: Network logon of (null)\ADMIN from  Returns 0xC0000064
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:31 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:31 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Entered
10/19 16:00:47 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc000006a)
10/19 16:00:47 [LOGON] SamLogon: Network logon of (null)\ADMINISTRATOR from  Returns 0xC000006A
0
Comment
Question by:Steph Dames
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 41851374
My first guys, I have seen similar before, ids that someone out something is trying to use that Austen to crack local admin account to install something more maliciousabd possibly try to get network access. vlan that system off so it does not touch your network and run wireshark to see what network communication it is doing.
0
 
LVL 26

Accepted Solution

by:
Dr. Klahn earned 500 total points
ID: 41851389
Download a copy of Microsoft TCP View and install it on the afflicted machine.  Reboot so that the system is supposedly idle.  Run TCP View, watch it, and see what opens connections open to the DC.  One of those processes should be the culprit.

If TCP View fails to reveal the problem process, then Microsoft Process Monitor will reveal it; but this is a high-overhead proposition, so try the easy one first.

Also download a copy of Malwarebytes (run it in stealth mode), and a copy of Spybot - Search and Destroy.

(It would arguably be less work to reload the system from scratch, but it sounds like you want to repair the issue rather than hammer it.)
0
 

Author Comment

by:Steph Dames
ID: 41851396
Yes, unfortunately the machine is a high priority user and rebuilding it may actually end up being more work for me depending on how far I let myself go down this rabbit hole.

Thanks for the help, Gabriel and Dr. Klahn. I'm going to try TCP view first and see what I can find out. mwb unfortunately didn't grab anything as of yet, but I will try spybot also.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 5

Expert Comment

by:mbkitmgr
ID: 41851481
0
 
LVL 77

Expert Comment

by:arnold
ID: 41851519
Run control keymgr.dll and make sure there are no shared resources there that were saved with a password that the user has recently changed.
Make sure there is no service running with the user's credential.

The event log on the server what type of login is being attempted. The type if network would suggest that this system has a shared resource that is being accessed.
Does your auditing policy include the local workstation/system revord login/logout events in the local security eventlog?

What development is occurring on this system?
Any changes within the week prior to this issue?
0
 

Author Comment

by:Steph Dames
ID: 41852910
So, it ended up being an RDP exploit. After a fresh reboot, I ran TCPView while disconnected from the network. After the full boot process seemed to be complete, I connected to the network and watched for anything to try. Nothing came up after several minutes and the netlogon log stayed clean of those random attempts. I one by one started to open programs that use connection, starting with our company's management software. Still no attempts in the log after several minutes and nothing odd in TCPView. I open Outlook and BAM, TCPView shows protocol ms-wbt-server connecting to some remote address in London. I've attached a screenshot. The netlogon also immediately starts showing the random username attempts at this point. I did some quick research and learned that ms-wbt-server is likely the RDP service, so I closed the connected in TCPView and stopped and disabled the RDP service. Instantly, the netlogon was clean and no further connections showed up in TCPView. Just checked again and the log is still clean.

I've since looked into some articles regarding RDP exploits and am running some more scans, as well as a registry clean.

Crazy! Thanks for all your help!
0
 

Author Closing Comment

by:Steph Dames
ID: 41852914
TCPView to isolate the issue worked perfectly. Mahalo nui loa!
0
 
LVL 26

Expert Comment

by:Dr. Klahn
ID: 41852952
Remote Desktop.  Immensely useful, but something that Microsoft should have made "disabled unless manually enabled for this session only by a local user."  Glad to see you got the issue resolved.
1
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 41852967
Great to see you going again.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
Synchronize a new Active Directory domain with an existing Office 365 tenant
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question