
I'm trying to track down the computer/device that has a bad password for one of our Domain Admin accounts that gets used as a shared/service account.

The only details I have are a recurring event in the Event Viewer on our domain controllers. It recurs every 30 to 32 minutes.

Security,04/11/2018,14:38:46 PM,Microsoft-Windows-Security-Auditing,4776,Information,Failure Audit,Credential Validation,ADMINDUDE,DC01.mydomain.com,IP:10.1.1.90,4776,The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: ADMINDUDE Source Workstation: GS-821450430543CV Error Code: 0xc000006a

This workstation name, GS-821450430543CV, doesn't exist in DNS, DHCP or Active Directory. This is the real workstation name in the event log - I'm hoping someone has seen it before and might be able to tell me what type of device it is.

On one of our Domain Controllers I have run a Wireshark capture and searched for this name via Edit > Find Packet > String. I have run the Sysinternals ProcMon and searched the capture file. I have the capture open in MS Message Analyzer but haven't worked out how to do a keyword search yet.

Environment overview: Windows 2008R2 Domain Controllers, mostly Windows clients/servers, a few Linux appliance application servers, approx 200 servers, 300 workstations, 20x Terminal servers.

When ADMINDUDE was on Scheduled tasks on Windows Servers, the real workstation name or IP came up in the event log. Even when used as an LDAP authentication account on a Linux appliance, the event gave us more detail.

Any tips on finding this 'rogue' computer? Any tips on searching the captures I already have?

Update: Ran the Netlogon Debug (as suggested by JoeQwerty) and I now have more info. So now I am going to run all the tests again from Exchange.

04/13 13:47:14 [LOGON] DOMAIN: SamLogon: Transitive Network logon of domain\ADMINDUDE from GS-821450430543CV (via EXCHANGE) Entered

04/13 13:47:14 [LOGON] DOMAIN: SamLogon: Transitive Network logon of domain\ADMINDUDE from GS-821450430543CV (via EXCHANGE) Returns 0xC000006A

Update 2: FOUND IT! Event log search for Audit Failure on Exchange for the exact same time showed its IP in the Network information of the Event. It was a Polycom that had been off the network for months and someone must have plugged it back in recently.

Gre
    Try enabling Netlogon debug logging to see if you get better information from the netlogon log. - https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service – joeqwerty Apr 12 '18 at 11:32
  • @joeqwerty your tip led to the answer, if you put it in a post I will mark it as the answer if you want. – Gre Apr 13 '18 at 04:46
  • If you go to Windows Explorer, and then click on Network, does the machine show up in there? Can you ping GS-821450430543CV? Can you remote to \\GS-821450430543CV\C$ and see what user accounts are on that machine? A network mapping tool might pick up that particular machine, and show you what that machine is connected to as well. In addition if you go onto DHCP console you might be able to see what IP address the machine GS-821450430543CV has. That's a good start. – joshgoldeneagle Apr 13 '18 at 00:12
  • Thanks for your reply. I can't ping because there is no name resolution. I haven't been able to find its IP. I've gone through the DNS and DHCP. Connecting to C$ doesn't work and it's not in the Explorer network list. The network mapping tool doesn't have a device with that name. – Gre Apr 13 '18 at 01:25
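The procedure that resolved the thread above (a 4776 on the DC names the workstation but carries no IP; the netlogon.log "(via EXCHANGE)" entry names the server that relayed the NTLM request; that server's own 4625 Audit Failure at the same instant carries the source IP under Network Information) can be scripted as a time-window correlation. The script below is an added example written for this page, not code from the poster or from Microsoft. It assumes the DC is `DC01`, the relaying server is `EXCHANGE`, the account is `ADMINDUDE`, that failure auditing for Logon events is enabled on the relay server (otherwise no 4625 is written there), and that the caller has remote Security log read rights on both hosts; it reads event fields by name from the event XML so it does not depend on property ordering.

```powershell
# Added example, not from the original post. Correlates 4776 credential-validation
# failures on a DC with the 4625 logon failures on the server that relayed the
# NTLM request, to recover the source IP that 4776 itself never records.
# Assumed host and account names (change to match your environment):
$Dc        = 'DC01'        # domain controller that logs the 4776
$Relay     = 'EXCHANGE'    # host named in netlogon.log as "(via EXCHANGE)"
$Account   = 'ADMINDUDE'   # account whose password is wrong
$WindowSec = 5             # tolerated clock skew between DC and relay, in seconds
$LookBack  = 2             # hours of DC history to examine

# Return the named EventData fields of an event as a hashtable (e.g. $h.IpAddress).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Failed NTLM validations for the account on the DC.
#    Status 0xC000006A is STATUS_WRONG_PASSWORD.
$failures = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = (Get-Date).AddHours(-$LookBack)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if ($d.TargetUserName -eq $Account -and $d.Status -eq '0xC000006A') {
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Workstation = $d.Workstation
        }
    }
}

# 2. For each DC failure, find the 4625 on the relay within the time window.
#    Its IpAddress/IpPort fields are the real origin of the bad password;
#    ProcessName shows which service on the relay accepted the logon.
foreach ($f in $failures) {
    Get-WinEvent -ComputerName $Relay -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $f.Time.AddSeconds(-$WindowSec)
        EndTime   = $f.Time.AddSeconds($WindowSec)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $Account) {
            New-Object PSObject -Property @{
                DcTime      = $f.Time
                Workstation = $f.Workstation
                RelayTime   = $_.TimeCreated
                LogonType   = $d.LogonType
                SourceIP    = $d.IpAddress
                SourcePort  = $d.IpPort
                Process     = $d.ProcessName
            }
        }
    }
}
```

If you do not yet know which server is relaying the request, the netlogon debug log from joeqwerty's link is what names it: `nltest /dbflag:0x2080ffff` on the DC turns the log on (written to `%windir%\debug\netlogon.log`), and `nltest /dbflag:0x0` turns it off again; the "(via HOSTNAME)" token in the SamLogon line is the value to put in `$Relay`. Keep `$WindowSec` small: a wide window on a busy Exchange or terminal server will match unrelated 4625s for the same account, so tighten it until each DC failure pairs with exactly one relay event.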

0 Answers