how do you interpret event 4776?

  • Question

  • Windows Server 2008 R2

    I have this user AD account that keeps getting locked. I'm trying to find the source (yes, I've checked the usual places) of his account lockout and, well, what I got from Event Viewer doesn't mean anything to me.

    Just look at the "Logon Account" field. What is that "-$"!?

    Sometimes the value is ADMIN or BIO or UNION2SUPPORT or SDCRADMINL5DCR47!9 or OFFICE or MANAGER or something else.

    What's going on? How do I use event ID 4776?

    Sunday, March 10, 2019 7:19 AM

All replies

  • So I got an explanation from

    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4776

    and from what I can understand, someone is trying to log in or guess an account but failed. What's bothering me is the source workstation, which is just MSTSC. How do I trace where that is? It's also not per our computer naming standard.

    Sunday, March 10, 2019 7:25 AM
  • Hi,

    This event generates every time that a credential validation occurs using NTLM authentication.

    From the picture above, we can see that the error code 0xc0000064 indicates the username you typed does not exist: bad username.

    About Security Monitoring Recommendations, please refer to: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776#security-monitoring-recommendations

    Best regards,

    Yilia 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, March 11, 2019 7:00 AM
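As an added example (not part of the original thread or of Microsoft's documentation), the following PowerShell pulls 4776 records from a domain controller's Security log, decodes the Status field, and groups the failures by the Workstation and TargetUserName values the poster was looking at. Two caveats worth knowing before you start hunting: event 4776 carries no client IP address, and the Workstation field is whatever name the client put in the NTLM request, so a value like MSTSC cannot be resolved the way a real computer name can. The function names are mine, and the sample records are constructed to mirror the thread, not real log data.

```powershell
# Added example, not from the thread: parse Security-log 4776 records and summarize
# failed NTLM credential validations by the (client-supplied) Workstation field.
# Status code meanings are the documented ones for event 4776; the sample records
# below are constructed for this example and the function names are my own.

$StatusText = @{
    '0x0'        = 'Success'
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Bad password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Workstation restriction'
}

function ConvertFrom-Event4776 {
    # Turns one 4776 event (XML as returned by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $ns   = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
        $data = @{}
        foreach ($hit in Select-Xml -Xml $EventXml -Namespace $ns -XPath '//e:EventData/e:Data') {
            $data[$hit.Node.GetAttribute('Name')] = $hit.Node.InnerText
        }
        $time   = (Select-Xml -Xml $EventXml -Namespace $ns -XPath '//e:System/e:TimeCreated').Node.GetAttribute('SystemTime')
        $status = ([string]$data['Status']).ToLower()
        [pscustomobject]@{
            Time        = [datetime]$time
            TargetUser  = $data['TargetUserName']
            Workstation = $data['Workstation']   # name the client sent; the DC does not verify it
            Status      = $status
            Reason      = if ($StatusText.ContainsKey($status)) { $StatusText[$status] } else { 'Unknown status' }
        }
    }
}

function Get-Failed4776 {
    # Live query against a DC's Security log (needs Event Log Readers rights and remote event log access).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-Event4776 | Where-Object Status -ne '0x0'
}

function Get-4776Summary {
    # Groups failures by source workstation and target account, most frequent first.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    begin { $all = @() }
    process { $all += $Record }
    end {
        $all | Group-Object Workstation, TargetUser | Sort-Object Count -Descending | ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Count       = $_.Count
                Workstation = $_.Group[0].Workstation
                TargetUser  = $_.Group[0].TargetUser
                Reasons     = ($_.Group.Reason | Sort-Object -Unique) -join ', '
                FirstSeen   = $sorted[0].Time
                LastSeen    = $sorted[-1].Time
            }
        }
    }
}

# Constructed sample records (not real log data) in the shape ToXml() returns.
$sample = @(
    @{ t = '2019-03-10T06:58:12Z'; u = 'ADMIN';  w = 'MSTSC';     s = '0xC0000064' },
    @{ t = '2019-03-10T06:58:13Z'; u = 'OFFICE'; w = 'MSTSC';     s = '0xC0000064' },
    @{ t = '2019-03-10T06:58:15Z'; u = 'jdoe';   w = 'MSTSC';     s = '0xC000006A' },
    @{ t = '2019-03-10T06:58:20Z'; u = 'jdoe';   w = 'MSTSC';     s = '0xC0000234' },
    @{ t = '2019-03-10T07:01:00Z'; u = 'jdoe';   w = 'WS-FIN-07'; s = '0x0' }
) | ForEach-Object {
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><TimeCreated SystemTime="$($_.t)"/></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">$($_.u)</Data>
    <Data Name="Workstation">$($_.w)</Data>
    <Data Name="Status">$($_.s)</Data>
  </EventData>
</Event>
"@
}

# Offline run over the constructed records; the successful logon from WS-FIN-07 is filtered out.
$sample | ConvertFrom-Event4776 | Where-Object Status -ne '0x0' | Get-4776Summary | Format-Table -AutoSize

# Against a real DC, for example: Get-Failed4776 -ComputerName DC01 -Hours 48 | Get-4776Summary | Format-Table -AutoSize
```

On the sample data the summary shows MSTSC as the only failing source, with a run of "user name does not exist" hits against names that look guessed (ADMIN, OFFICE) followed by a bad password and then a lockout for the real account, which is the pattern the poster describes. Run it against every DC, not just the PDC emulator, since NTLM validation is logged on whichever DC handled the request.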
  • Hi, yeah, it looks like someone is trying to guess the credentials.

    Does anyone know how to find this out in Wireshark, since the source workstation is unknown?

    Monday, March 11, 2019 7:33 AM
  • Hi,

    It's recommended to submit this case in the Wireshark forum, as they will be better placed to help with your case:

    Wireshark forum: https://ask.wireshark.org/questions/

    Best regards,

    Yilia 



    Wednesday, March 13, 2019 6:43 AM
  • Hi,

    I did that already before posting here. That Wireshark forum is not that responsive.

    Thanks anyway.

    Wednesday, March 13, 2019 8:37 AM
  • Hi Reno,

    Just a suggestion: run Wireshark on the DC end (the impacted server) and filter the communication on port 3389 (the default).

    You might be able to catch the source address this way.

    Wednesday, March 13, 2019 8:43 AM
  • Good idea.

    However, by chance we found where the attack was coming from and were able to isolate the VLAN.

    Thursday, March 14, 2019 12:20 PM
  • Great, please close this thread as answered.
    Friday, March 15, 2019 6:38 AM