Hey everyone, I could really use your help with an issue we're facing. We've started to see strange account lockouts happening in the last couple of days from computer names that aren't part of our domain. I've checked Active Directory, Intune, and Azure, but none of these names show up anywhere, yet they are still causing user accounts to lock. The logs don't show any source IPs, and the machines aren't pingable either. Our SOC team hasn't figured out where these are coming from yet. There are no duplicate entries in the Palo firewall regarding SSL VPN sessions, and we even shut down all vendor tunnels, but the lockouts continue. Any insights or things I might have missed would be greatly appreciated!
3 Answers
Are you sure you don’t have RDP open? Sounds like a classic case of password spraying. We see that pretty often when RDP or VPN is exposed, even with MFA. Geoblocking might help to reduce those attempts.
It sounds like you're dealing with the 4740 lockout event. Have you checked the 4625 failed login attempts for those accounts? It's worth seeing if you're getting type 3s from specific locations.
Just ran another check and, yep, no entries for 4625, but the 4740 logs are showing a ton of recent lockouts.
You might want to consider if users have any local VMs running on their machines. It could be an issue if they're not updated or secured properly.
That did cross my mind, but it's weird since the names are all different. It's affecting most user accounts now.
I've looked, and oddly enough, there's no source IP tied to any of them. I'll check the 4625 logs again to confirm.
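Following the 4740/4625 check suggested above, an added PowerShell example (not posted by anyone in the thread) that correlates each 4740 on a domain controller with the failure events a DC actually records: 4625, 4776 (NTLM validation) and 4771 (Kerberos pre-auth), so the caller computer name sits next to whatever source workstation or address the DC saw. It assumes it runs on a DC with read access to the Security log; the 24-hour window and 30-minute join are constructed values.

```powershell
# Added example: correlate 4740 lockouts with the failures that caused them.
# Assumes: run on a domain controller, Security log readable, audit policy enabled
# for Logon, Credential Validation and Kerberos Authentication Service.
$since = (Get-Date).AddHours(-24)   # constructed look-back window

# Turn an event's XML into a hashtable of named EventData fields.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 4740: in this event TargetDomainName carries the "Caller Computer Name",
# i.e. the host that forwarded the bad attempts to the DC, not the user's domain.
$lockouts = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$since} |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time=$_.TimeCreated; Account=$d.TargetUserName; Caller=$d.TargetDomainName }
    }

# Failures a DC records: 4625 only when the DC itself was the logon target (why a DC can
# show 4740s with no 4625s), 4776 for NTLM (Status 0xC000006A = bad password),
# 4771 for Kerberos (Status 0x18 = bad password, includes the client IP).
$failures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4776,4771; StartTime=$since} |
    ForEach-Object {
        $d = Get-EventData $_
        switch ($_.Id) {
            4625 { [pscustomobject]@{ Time=$_.TimeCreated; Id=4625; Account=$d.TargetUserName; Source=$d.WorkstationName; Ip=$d.IpAddress; Detail="LogonType $($d.LogonType)" } }
            4776 { [pscustomobject]@{ Time=$_.TimeCreated; Id=4776; Account=$d.TargetUserName; Source=$d.Workstation;     Ip='n/a';        Detail="Status $($d.Status)" } }
            4771 { [pscustomobject]@{ Time=$_.TimeCreated; Id=4771; Account=$d.TargetUserName; Source='n/a';              Ip=$d.IpAddress; Detail="Status $($d.Status)" } }
        }
    }

# For each lockout, list that account's failures in the 30 minutes before it.
foreach ($l in $lockouts) {
    "`n[{0}] {1} locked out; caller computer: {2}" -f $l.Time, $l.Account, $l.Caller
    $failures |
        Where-Object { $_.Account -eq $l.Account -and $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddMinutes(-30) } |
        Sort-Object Time | Format-Table Time, Id, Source, Ip, Detail -AutoSize
}

# Which caller names drive the most lockouts.
$lockouts | Group-Object Caller | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it on every DC (or point Get-WinEvent at each with -ComputerName), since each DC only logs the failures it validated; a caller name that is a member server or gateway means the real source is in that host's own 4625 events.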