Hey everyone, I could use some help troubleshooting an issue we started experiencing two days ago. We're seeing strange account lockouts that are linked to machine names not belonging to our domain. I've checked Active Directory, Intune, and Azure, and I cannot find these names anywhere. The lockouts are happening without an obvious source IP, and these machines aren't responding to pings either. Our Security Operations Center is trying to figure this out, but we haven't made much progress. We haven't spotted any duplicate entries in the Palo Alto firewall for multiple SSL VPN sessions or any failed sessions either. We even shut down all vendor tunnels, but the lockouts are still happening. Any thoughts on what else I should investigate?
3 Answers
You might want to check if any users have local VMs running on their machines. Sometimes, these can generate unexpected behavior like this.
Are you sure you’ve got RDP access secure? It’s pretty common for password spraying attacks to happen when RDP or VPNs are open, even with MFA active. Implementing geoblocking could help reduce the frequency of these lockouts.
It sounds like you’re facing the 4740 lockout event. Have you checked how the 4625 failed logins look for those accounts? It’s important to find out if those are coming from anywhere specific, especially type 3 logs. Knowing the source can really help track down the issue.
I haven’t seen any source IPs linked to these lockouts, which is really strange. I’ll take another look at the 4625 logs to see if anything pops up.
Just checked again, and there’s nothing for 4625, but the 4740 logs are flooding with new lockouts!
That crossed my mind too, but the crazy part is that the computer names keep changing. Today they look different than yesterday's entries, and it's affecting almost all user accounts now.
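Added example for this thread (not a script from anyone posting above): a PowerShell collection pass for the 4740 and failed-logon data the event-ID answer describes. It assumes it runs on the PDC emulator (every lockout is recorded there) with the ActiveDirectory RSAT module installed, and that a two-day window is enough. It lists the caller computer names behind each 4740, flags the ones Active Directory has no computer object for, and then pulls the failed credential validations for the locked accounts. Two things are worth knowing when reading the output: a domain controller only logs 4625 for logons to the DC itself, while bad passwords it validates on behalf of other hosts land in 4776 (NTLM, with the source workstation field) and 4771 (Kerberos pre-authentication failure, with the client IP), which is one reason a 4625 search can come back empty while 4740 keeps filling; and the caller name in 4740 and the workstation name in 4776 are supplied by the client in its authentication request, so a name that is in neither AD nor DNS and does not answer pings is a lead to chase through the source IP, not evidence of a real host.

```powershell
# Added example, not the thread author's script.
# Assumptions: run on the PDC emulator as a domain admin with the ActiveDirectory module;
# caller and workstation names below are client-supplied values copied from the event data.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-2)

# Turn an event's EventData section into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-SecurityEvents {
    param([int]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
}

# 4740 (account locked out): the "Caller Computer Name" is stored in the TargetDomainName field.
$lockouts = foreach ($e in Get-SecurityEvents -Id 4740) {
    $f = Get-EventFields $e
    [pscustomobject]@{ Time = $e.TimeCreated; Account = $f['TargetUserName']; Caller = $f['TargetDomainName'] }
}

# Computer names AD knows about; any other caller name is unexplained and worth a closer look.
$adComputers = @{}
Get-ADComputer -Filter * | ForEach-Object { $adComputers[$_.Name.ToUpperInvariant()] = $true }

$unknown = $lockouts |
    Where-Object { $_.Caller -and -not $adComputers.ContainsKey($_.Caller.ToUpperInvariant()) } |
    Group-Object Caller | Sort-Object Count -Descending |
    Select-Object @{n='Caller';e={$_.Name}}, Count,
                  @{n='Accounts';e={ ($_.Group.Account | Sort-Object -Unique) -join ', ' }}

"Lockouts whose caller computer name has no computer object in AD:"
$unknown | Format-Table -AutoSize

# Failed credential validations for the locked accounts. On a DC, 4625 only covers logons to the
# DC itself; pass-through validations for other hosts are 4776 (NTLM) and 4771 (Kerberos).
$lockedAccounts = $lockouts.Account | Sort-Object -Unique

$ntlm = foreach ($e in Get-SecurityEvents -Id 4776) {
    $f = Get-EventFields $e
    # Status 0x0 is a successful validation; anything else is a failure.
    if ($f['Status'] -ne '0x0' -and $lockedAccounts -contains $f['TargetUserName']) {
        [pscustomobject]@{ Proto = 'NTLM'; Account = $f['TargetUserName']; Source = $f['Workstation']; Status = $f['Status'] }
    }
}
$kerb = foreach ($e in Get-SecurityEvents -Id 4771) {
    $f = Get-EventFields $e
    if ($lockedAccounts -contains $f['TargetUserName']) {
        [pscustomobject]@{ Proto = 'Kerberos'; Account = $f['TargetUserName']; Source = $f['IpAddress']; Status = $f['Status'] }
    }
}

"Failed credential validations for the locked accounts, grouped by protocol and source:"
@($ntlm) + @($kerb) | Where-Object { $_ } |
    Group-Object Proto, Source | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='Accounts';e={ ($_.Group.Account | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

If the 4776 rows carry the same unexplained workstation names as the 4740 callers, that confirms the bad passwords are arriving over NTLM, and the next place to look is whatever accepts NTLM from outside the domain (the firewall and VPN session logs for that protocol, not just VPN session counts). If instead the failures show up as 4771, the IpAddress field gives the source directly. Running the same script on the other domain controllers covers the case where a DC other than the PDC emulator is the one validating the credentials.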