Had a similar issue here, I think it was a conficker variant causing the problem. The event gave the address of the offending PC though so it was easier to track down.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Webster Sent: Tuesday, September 10, 2013 11:31 AM To: ntsysadm@lists.myitforum.com Subject: RE: [NTSysADM] RE: Logon sniffing tool After 3 days of looking, we gave up for now. But this will need to be resolved before they do their AD migration into the parent company. Thanks Webster From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden Sent: Tuesday, September 10, 2013 10:23 AM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: RE: [NTSysADM] RE: Logon sniffing tool Have you found the bad process yet? I am watching my event viewer on the DC's right now waiting for the hit so I can then go into my Procmon and Netmon processes to find it on my machine. From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Webster Sent: Tuesday, September 10, 2013 11:09 AM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: RE: [NTSysADM] RE: Logon sniffing tool The built-in administrator account. Tens of thousands of 0x12 and 0x18 every day. I saved and cleared all the event logs at 7PM on Wednesday and when we showed up at 8AM Thursday there were already over 358,000 failed logon attempts! Thanks Webster From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden Sent: Tuesday, September 10, 2013 10:02 AM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: RE: [NTSysADM] RE: Logon sniffing tool Just Domain admins? From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Webster Sent: Tuesday, September 10, 2013 10:54 AM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: [NTSysADM] RE: Logon sniffing tool I faced the same issue last week. We were unable to determine the cause of the mysterious attempts to lockout the domain admin administrator account. There were no services or scheduled tasks that used that account and even using "rundll32 keymgr.dll,KRShowKeyMgr" showed no cached credentials on any of the computers. The DC's security event logs are being flooded with 0x12 and 0x18 errors for eventids 675 and 680. I am interested in also seeing what the lists suggests for tracking this down. Thanks Webster From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden Sent: Tuesday, September 10, 2013 9:25 AM To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com> Subject: [NTSysADM] Logon sniffing tool My machine is trying and failing to log into the domain about every 6 minutes. What tool can I use to find the process, service, or program that is attempting to log in with a bad password? Windows 8 64 bit failing with a 2008 AD. Event id 675 code 0x18 Thank you David W. McSpadden Begin Planning Arrange for Reconnaissance and Coordination Make Reconnaissance Complete Plan Issue Order Supervise This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email. This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email. This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments.
