I have been trying to track down an issue where one of our staff is getting locked out of their computer. In checking the logs, I usually find that the logs with Error 4776 will tell me which workstation was being used to enter the wrong password, but for this individual the Domain Controller is listed as the source workstation.
AV - Alert - "1490362410" --> RID: "18105"; RL: "4"; RG: "windows,"; RC: "Windows audit failure event."; USER: "(no user)"; SRCIP: "None";
HOSTNAME: "(DC1) 192.168.xxx.xxx->WinEvtLog"; LOCATION: "(DC1) 192.168.xxx.xxx->WinEvtLog"; EVENT: "[INIT]2017 Mar 24 09:33:28 WinEvtLog:
Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1.Mydomain.com: The domain controller
attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: firstname.lastname
Source Workstation: DC1 Error Code: 0xc000006a[END]";
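An added example, not part of the original post: a Python parser for alerts in the format shown above that extracts the 4776 fields and counts failures per account and source workstation, marking events where the Source Workstation is the domain controller that logged them. The sample alerts are constructed from the one in the post; `WS-042`, `other.user` and the function names are assumptions.

```python
import re
from collections import Counter

# NTSTATUS codes commonly reported in 4776 failures
NTSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000234": "account locked out",
}

FIELDS = re.compile(
    r"AUDIT_FAILURE\(4776\).*?:\s*(?P<reporter>[\w.-]+):\s*The domain controller"
    r".*?Logon Account:\s*(?P<account>\S+)"
    r"\s+Source Workstation:\s*(?P<workstation>\S*?)"
    r"\s+Error Code:\s*(?P<code>0x[0-9a-fA-F]+)",
    re.S,
)

def parse_4776(alert):
    """Return the 4776 fields of one alert as a dict, or None if it is not a 4776 failure."""
    m = FIELDS.search(alert)
    if m is None:
        return None
    ev = m.groupdict()
    ev["code"] = ev["code"].lower()
    ev["reason"] = NTSTATUS.get(ev["code"], "other")
    # True when the Source Workstation is the DC that logged the event
    ev["source_is_dc"] = ev["workstation"].lower() == ev["reporter"].split(".")[0].lower()
    return ev

def summarize(alerts):
    """Count failures per (account, source workstation, reason, source_is_dc)."""
    counts = Counter()
    for alert in alerts:
        ev = parse_4776(alert)
        if ev:
            counts[(ev["account"], ev["workstation"], ev["reason"], ev["source_is_dc"])] += 1
    return counts

# Constructed sample alerts modelled on the one in the post; WS-042 and other.user are made up
_PREFIX = 'EVENT: "[INIT]2017 Mar 24 09:33:28 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: DC1.Mydomain.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 '
SAMPLE = [
    _PREFIX + 'Logon Account: firstname.lastname Source Workstation: DC1 Error Code: 0xc000006a[END]";',
    _PREFIX + 'Logon Account: firstname.lastname Source Workstation: DC1 Error Code: 0xc000006a[END]";',
    _PREFIX + 'Logon Account: other.user Source Workstation: WS-042 Error Code: 0xC000006A[END]";',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```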