Locating process with wrong creds

maret5 6 Reputation points
2022-06-27T13:15:14.447+00:00

Here we go. I can't find a solution and need help. Problems started when a user changed his password to a new one. On my DC I have a 4625 event every 1 minute in the Security log and the user account is getting locked. From it I get the source IP from which the logon attempts are coming. But it points to a server in another domain! I checked all services, schedules, programs but I can't figure out who uses the wrong creds. I tried netlogon logging, procmon and process explorer, but I can't find the root of the problem. Also the 4625 has one strange thing - the Workstation name shows me the name of the DC itself, while the source IP points to the other server in another domain. I turned off 10.0.5.159 for 10 minutes and the new events stopped! But when I bring it online the events start appearing again. I don't know how to locate the process that used these wrong creds.

4625 Event from DC:
Blocked account:
Account name: pavlov_aa
Account domain: AKRONPLUS

Info about error:
Reason: %%2313
Status: 0xc000006d
Substatus: 0xc000006a

Info about process:
Process ID: 0x280
Process name: C:\Windows\System32\lsass.exe

Network info:
Workstation name: DMS-DC01
Source IP: 10.0.5.159
Source port: 4733


6 answers

  1. maret5 6 Reputation points
    2022-06-28T08:10:53.387+00:00

    Thank you my friend for the advice. I found the reason:

    1. I ran portable Wireshark on my server with the filter "tcp.port==389" - it's the LDAP port to which a process sends the wrong creds. But to find this filter I started from "ip.dst==My_DC_IP" and found out that the wrong creds were arriving at my DC on port 389.
    2. I got a range of ports from 418XX-419XX; the ports change every time, but I got a range. Also I have a pretty cool timestamp - every 1 minute the process tries to send wrong creds to my DC.
    3. I launched Procmon (with admin privs) from the Sysinternals Suite with filters for "java.exe" (I suspected it) and, most crucially, "Operation contains TCP" to get rid of non-network events.
    4. I got a list of network activity for Java, and the timestamps and port range perfectly fit with what Wireshark was showing me.
    5. I looked at the properties of the Java process in Procmon and in the command line I saw the culprit - Protectimus. An old pilot project with a trial license for 2FA. It was installed 1 year ago.
    6. I deleted it and all problems are gone.

    An old, abandoned program with a trial license was trying all the time to establish a connection with AD using wrong creds. The 4625 Security event on my DC gave me the source IP of the troublesome guy, but to find the process I needed to start Wireshark and Procmon to find the reason.

    1 person found this answer helpful.

  2. Anonymous
    2022-06-27T13:35:05.44+00:00

    Since you know the offending PC and port number, you could run
    netstat -aonb
    and then look for the foreign address using port 4733.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Anonymous
    2022-06-27T13:51:56.453+00:00

    Might also try from a clean boot.
    https://support.microsoft.com/en-us/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd

    Then start any additional ones one at a time to locate the process or service.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. maret5 6 Reputation points
    2022-06-28T07:34:07.453+00:00

    Thank you my friend for the help. I found the reason:

    1. I ran portable Wireshark on my server with the filter "tcp.port==389" because LDAP uses this port and all connections with the wrong password try to send them to this port.
    2. It gave me a range of source ports that connected to 389: from 417XX to 418XX. The source port changes every time, but I got a narrow range.
    3. I started "Procmon" (with admin privs) from the Sysinternals Suite to get a history of process actions.
    4. In Procmon I used a filter for "Java.exe" (because I suspected it) and, most crucially, "Operation contains TCP" to get rid of other non-network stuff.
    5. I got a list of network activity for Java.
    6. The activity of Java perfectly fit the times where Wireshark saw LDAP with wrong creds. Also the source ports fit in the range.
    7. I looked at the Properties of the Java process in Procmon and in the command line section I saw the culprit. Protectimus - a program for 2FA that was installed on this server 1 year ago as a pilot project and was abandoned. I deleted this guy and all problems are gone.

    An old abandoned program with an expired trial license made me spend 1 week searching for what was blocking the user account. The 4625 event on my DC gave me the source IP of the troublesome guy. But to find who sent the wrong creds I needed to launch portable Wireshark and start process activity monitoring.

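    As an added example that is not part of this thread, the following PowerShell script automates the correlation the two answers above describe: on the DC it parses the 4625 events for the locked account (source IP, source port, substatus), and on the server those events point to it maps connections to the DC's LDAP port 389 back to the owning process and its command line, which is where the thread found Protectimus. The account name is taken from the thread; the DC address is a placeholder, and the substatus meanings are the documented 4625 codes.

```powershell
# Added example (not from the thread). Step 1 runs on the DC, step 2 on the source server.
param(
    [string]$Account = 'pavlov_aa',    # locked account from the thread
    [string]$DcAddress = '10.0.5.X',   # placeholder: the DC's IP as seen from the source server
    [switch]$OnSourceServer            # run step 2 instead of step 1
)

# Documented 4625 substatus codes; 0xc000006a is the one in the thread's event
$SubStatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000064' = 'user name does not exist'
    '0xc0000072' = 'account disabled'
}

function Get-FailedLogonSources {
    # Step 1: one row per 4625 for $Account with source IP/port, workstation and substatus
    param([string]$Account, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -ne $Account) { return }
            $sub = "$($d.SubStatus)".ToLower()
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SourceIp    = $d.IpAddress
                SourcePort  = $d.IpPort            # compare with LocalPort from step 2
                Workstation = $d.WorkstationName   # shows the DC's own name for LDAP binds
                Reason      = if ($SubStatusText[$sub]) { $SubStatusText[$sub] } else { $sub }
            }
        }
}

function Get-LdapClientProcesses {
    # Step 2: local processes holding TCP connections to the DC on 389, with command lines
    param([string]$DcAddress)
    Get-NetTCPConnection -RemoteAddress $DcAddress -RemotePort 389 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                LocalPort   = $_.LocalPort
                Pid         = $_.OwningProcess
                Name        = $p.Name
                CommandLine = $p.CommandLine   # the thread spotted Protectimus in java.exe's command line
            }
        }
}

if ($OnSourceServer) { Get-LdapClientProcesses -DcAddress $DcAddress | Format-Table -AutoSize }
else { Get-FailedLogonSources -Account $Account | Group-Object SourceIp, Reason | Select-Object Count, Name }
```

    The failing LDAP binds in the thread were short-lived and repeated once a minute, so step 2 is best run in a loop (or timed to the 4625 timestamps) rather than as a single snapshot.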

  5. Limitless Technology 39,926 Reputation points
    2022-06-29T08:00:17.17+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having issues related to locating a process.

    To isolate the root cause of the issue, you may try running the Windows Sysinternals tool called TCPView on the problematic server.

    TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.

    By using TCPView, we can isolate which process is scanning the specific ports on that server. We can right-click on the problematic process and select "Process Properties..." to check the detailed information.

    Also, please change the password of the problematic user.

    ---------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

