Weirdness in the DC security logs


Kurt Buff - GSEC, GCIH

Jul 7, 2020, 5:55:59 PM
to ntsys...@googlegroups.com
I've got one sysadmin who's getting a *ton* of 4776 authentication
errors in our DC security event logs.

They're 95+% originating from two SAMBA boxes we have, but we've
checked his network connections on his desktop and laptop, and neither
of them have connections to these boxes. I had him check mapped drives
in Explorer, 'net use' at the command line and his web browser - none
of them seem to be talking with these two boxes.

One of the units is a oneblox machine, and the other is a freenas machine.

The error code on all of them is 0xC000006A, which means "Account
logon with misspelled or bad password."

Even more weird is that there are some fraction of the 4776 events
that don't list a source workstation.

It's not locking him out currently, but when he changed his password
last week he was instantly locked out, and was continually locked out
until I allowed him to change his password back - but at the end of
the day we tried again, and the password change took.

Today I've been looking at the logs again, and these machines are
maniacally banging away on his account again.

Does anyone have a clue for me? This isn't making a lot of sense to me.

Kurt

Mike

Jul 7, 2020, 6:24:11 PM
to ntsys...@googlegroups.com
Any chance there's something using his account on the NAS boxes themselves, like a cron job, directory sync, etc.? Or maybe a share mapped from one NAS to the other under his own account?

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce46bJ3VnVh7Eivuv4OQ%3D0xP6bTeeATbXopC-D%2BqsmFJtA%40mail.gmail.com.

Orlebeck, Geoffrey

Jul 7, 2020, 6:25:17 PM
to ntsys...@googlegroups.com
If you change the password again and he gets locked out, it should generate a 4740 event in the DC security logs. That should contain the computer causing the lockout.

Otherwise, is there a service or some other task running under that user's credentials?
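The triage described in the original post and in this reply (group the failed 4776 validations by source workstation and status, flag the ones with no workstation, and read the caller computer out of any 4740 lockout events) can be scripted against events exported from the DC as XML (for example with `wevtutil qe` or `Get-WinEvent` plus `ToXml()`). The script below is an added example, not code from anyone in this thread. It assumes the standard Windows event XML schema; the user name `jdoe`, the workstation names and the SID in the embedded sample events are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Namespace used by Windows event XML as exported by wevtutil or Get-WinEvent's ToXml().
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values commonly seen in the Status field of event 4776.
STATUS_NAMES = {
    0xC000006A: "wrong password",
    0xC0000064: "user name does not exist",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}
NO_WORKSTATION = "<no workstation>"


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one exported security event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def failed_4776_by_source(xml_records):
    """{user: Counter({source_workstation: failed validations})} for 4776 events.

    Only events with a non-zero Status count. An empty Workstation field is
    bucketed under NO_WORKSTATION so those events stay visible instead of
    vanishing from the per-host breakdown.
    """
    result = defaultdict(Counter)
    for rec in xml_records:
        event_id, data = parse_event(rec)
        if event_id != 4776:
            continue
        if int(data.get("Status", "0x0"), 16) == 0:
            continue
        source = data.get("Workstation") or NO_WORKSTATION
        result[data["TargetUserName"]][source] += 1
    return result


def status_breakdown(xml_records):
    """Counter of human-readable status names across failed 4776 events."""
    names = Counter()
    for rec in xml_records:
        event_id, data = parse_event(rec)
        if event_id != 4776:
            continue
        status = int(data.get("Status", "0x0"), 16)
        if status:
            names[STATUS_NAMES.get(status, f"0x{status:08X}")] += 1
    return names


def lockout_sources(xml_records):
    """[(locked_user, caller_computer)] from 4740 events.

    In the 4740 XML the 'Caller Computer Name' shown in Event Viewer is carried
    in the TargetDomainName field, so that is where it is read from.
    """
    return [(data["TargetUserName"], data.get("TargetDomainName", ""))
            for event_id, data in map(parse_event, xml_records) if event_id == 4740]


def _event(event_id, **fields):
    """Build a minimal event-XML string with the given EventData fields (constructed sample)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>DC1.corp.example</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample: three bad-password validations from ONEBLOX, one from FREENAS,
# one with no source workstation, one successful logon from the user's own desktop,
# and the lockout event naming ONEBLOX as the caller.
_PKG = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
SAMPLE_EVENTS = (
    [_event(4776, PackageName=_PKG, TargetUserName="jdoe", Workstation="ONEBLOX", Status="0xc000006a")] * 3
    + [_event(4776, PackageName=_PKG, TargetUserName="jdoe", Workstation="FREENAS", Status="0xc000006a"),
       _event(4776, PackageName=_PKG, TargetUserName="jdoe", Workstation="", Status="0xc000006a"),
       _event(4776, PackageName=_PKG, TargetUserName="jdoe", Workstation="WS-JDOE", Status="0x0"),
       _event(4740, TargetUserName="jdoe", TargetDomainName="ONEBLOX", TargetSid="S-1-5-21-0-0-0-1105")]
)

if __name__ == "__main__":
    for user, sources in failed_4776_by_source(SAMPLE_EVENTS).items():
        print(f"{user}: {dict(sources)}")
    print("status breakdown:", dict(status_breakdown(SAMPLE_EVENTS)))
    print("lockout callers:", lockout_sources(SAMPLE_EVENTS))
```

The per-host counts point straight at the machines replaying the stale credential, and the 4740 caller name confirms which of them tripped the lockout threshold; events without a workstation are kept as their own bucket because a 4776 that arrives without a source name is exactly the kind that gets overlooked when filtering by host.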

Kurt Buff - GSEC, GCIH

Jul 7, 2020, 7:26:59 PM
to ntsys...@googlegroups.com
For the oneblox machine - he's never messed with the config on that,
and only used it as a file share source

For the FreeNAS box, he did set that up, but doesn't believe he used
his account as any part of the config - but we're looking that over to
make sure of it.

But you've raised an interesting possibility - I'm going to have him
look at any copy or sync jobs between the boxes.

Kurt

Kurt Buff - GSEC, GCIH

Jul 7, 2020, 7:27:50 PM
to ntsys...@googlegroups.com
I examined all of the 4740 events, and they all reference the oneblox machine.

I think I know what's going on now...

Kurt

Kurt Buff - GSEC, GCIH

Jul 8, 2020, 11:30:30 AM
to ntsys...@googlegroups.com
Case solved.

Your guess was very close - he had his credentials running copy jobs
on a third box to and from those two boxes.

Since those two boxes were the sources and targets, they were the ones
doing credential validation - the third box apparently was already
satisfied with his credentials.

Once he found and killed the copy jobs, all was good.

Funny thing is, he has complained a lot about a particular previous
employee who left his account scattered in literally hundreds of
scripts, machine names, services account logons, etc.

Kurt


Orlebeck, Geoffrey

Jul 8, 2020, 11:50:01 AM
to ntsys...@googlegroups.com
If I had to guess, this was done as a "temporary" setup until it could be done right. We call that "tempo-permanent" around here because "nothing is more permanent than a temporary solution."


Kurt Buff - GSEC, GCIH

Jul 8, 2020, 11:53:29 AM
to ntsys...@googlegroups.com
Indeed - it's just ironic that the one who complained got caught by
the behavior about which he complained.

I didn't give him any guff over that - but I might later.

Kurt

Melvin Backus

Jul 8, 2020, 2:15:16 PM
to ntsys...@googlegroups.com
That would fall under the "Do as I say, not as I do" doctrine. :)

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯


Mike

Jul 8, 2020, 4:31:30 PM
to ntsys...@googlegroups.com
Yeah, doing things like that will become temporarily permanent real quick. Glad you got it resolved quickly!
