Administrator account keeps getting locked out. Can't trace source

Question

The Administrator account keeps getting locked out. The Event logs and Netlogon logs confirm that the account is getting locked out, but the source computer name isn't provided (it is blank). See screenshots below are from the Event log and Netlogon log. How can I find the source of the account lockout? Thanks!

Could there be a Windows service configured to run as the Administrator account with the wrong password? — Matt Houser, Oct 21 '16 at 17:54

score 1 · Answer 1 · answered Oct 21 '16 at 19:02

I was able to resolve the issue by turning on NTLM auditing under the Local Security Policy. (Local Security Policy\Local Policies\Security Options\Restrict NTLM Audit)

It appears that an attacker was trying to gain access by brute forcing RDP authentication. The NTLM gave me the name of the computer with open RDP access and I was able to to resolve the issue by locking it down.

score 0 · Answer 2 · answered Oct 21 '16 at 16:36

0

Run a netmon packet capture and correlate the event log entries with the connection attempts in the capture.

answered Oct 21 '16 at 16:36

Greg Askew

35,880
5
54
82

I've ran a wireshark capture on the DC and all the IP's that are hitting it are local (i.e. there is nothing foreign hitting the server). The only traffic that seems to be hitting it is normal domain controller type traffic. Is there anything specific I need to be looking for? – rb195048 Oct 21 '16 at 17:02
`I've ran a wireshark capture on the DC and all the IP's that are hitting it are local` - How would a non-local host get access to your DC? Are you thinking a remote user or smartphone/tablet? – joeqwerty Oct 21 '16 at 17:36

Administrator account keeps getting locked out. Can't trace source

2 Answers2