Suspicious Computer account reset

  • Question

  • Hello experts,

    We are getting multiple logs with event ID 4724 for many servers. I have replaced the actual names with generic names.

    There are close to 20 events in 24 hours. Could somebody explain the reason for such events?

    Thank you.

    ===========================
    Event Origin Details:
        Date:              9/11/2012
        Time:              10:04:37 AM
        Type:              Success Audit
        Username:
        Computer:          XXXX.XXXX.local
        Source:            Security-Auditing
        Category:          User Account Management
        Event ID:          4724
        Internal Event ID: C89ED46356243
        In Work Hours:     Yes

    Event Refers Administrator User : No

    An attempt was made to reset an account's password.
    Subject:
        Security ID:       NT AUTHORITY\SYSTEM
        Account Name:      <server name>$
        Account Domain:    <domain name>
        Logon ID:          0x3E7
    Target Account:
        Security ID:       <servername>\Administrator
        Account Name:      Administrator
        Account Domain:    E< server name>

    ============================

    Sunday, September 16, 2012 10:05 AM

Answers

  • This looks to be someone trying to enumerate the password of the server internally/externally, or a virus/worm trying to perform a brute-force/dictionary attack on the server to gain access to the server data. My suggestion is to use a real-time monitoring tool to identify the source of the originating request, e.g. Netmon/Wireshark, to find the source of such request generation.

    If it comes from an internal machine, disable the machine; if it's external, block the unknown request at the gateway or firewall level using IDP/IPS/IDPS (intrusion detection & prevention) devices.

    This is the way you can get to the root of the issue.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Andy Qi Tuesday, September 18, 2012 5:14 AM
    • Marked as answer by Andy Qi Thursday, September 20, 2012 10:03 AM
    Monday, September 17, 2012 11:09 AM
  • 4724: An attempt was made to reset an account's password. This monitor returns the number of times a user or process resets an account password through an administrative interface, such as Active Directory Users and Computers, rather than through a password change process.

    Reference link:
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Edited by Sandesh Dubey Monday, September 17, 2012 1:47 AM
    • Proposed as answer by Meinolf Weber Monday, September 17, 2012 8:04 AM
    • Marked as answer by Andy Qi Thursday, September 20, 2012 10:03 AM
    Monday, September 17, 2012 1:27 AM

All replies

  • I know this is an old post, but I was having a similar problem and wanted to share what I found, as no one else has mentioned what we had going on. The cause of the message on our systems was that one of our other sys admins had set up a group policy to set the password for the local admin account, and that is what was causing the messages. Hopefully this can help others in the future.
    • Proposed as answer by brascon Tuesday, January 21, 2014 9:28 AM
    Friday, December 6, 2013 10:29 PM
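An added example, not code from any poster in this thread: it parses 4724 records laid out as in the question (constructed placeholders SRV01, CORP, jdoe and svc_backup, not real log data) and separates the pattern the last reply traced to a Group Policy local-admin password set (SYSTEM on host X, logon ID 0x3E7, resetting X's own Administrator) from resets that still need review, so the roughly twenty-a-day volume can be attributed per pattern before reaching for Netmon or Wireshark. A match only means the record fits that pattern; confirming the cause still means finding the policy, as the last reply did.

```python
from collections import Counter
# Constructed sample in the layout of the original post (placeholders, not real logs);
# records are separated by a line of '='. Logon ID 0x3E7 is the SYSTEM logon session.
SAMPLE_LOG = """\
Time: 2012-09-11 10:04:37
Subject:
    Security ID: NT AUTHORITY\\SYSTEM
    Account Name: SRV01$
    Logon ID: 0x3E7
Target Account:
    Account Name: Administrator
    Account Domain: SRV01
===
Time: 2012-09-11 11:30:02
Subject:
    Security ID: CORP\\jdoe
    Account Name: jdoe
    Logon ID: 0x5A3F1
Target Account:
    Account Name: svc_backup
    Account Domain: CORP
"""

def parse_events(text):
    """Turn each '==='-separated record into {section: {field: value}}."""
    events = []
    for record in filter(str.strip, text.split("===\n")):
        ev, section = {}, "Header"
        for line in record.splitlines():
            if line.rstrip().endswith(":") and not line.startswith(" "):
                section = line.strip()[:-1]        # 'Subject:' / 'Target Account:'
                continue
            field, _, value = line.strip().partition(":")
            if field and value.strip():
                ev.setdefault(section, {})[field.strip()] = value.strip()
        events.append(ev)
    return events

def classify(ev):
    """'local-automated': SYSTEM (logon 0x3E7) on host X resets X's own local
    Administrator, the pattern a GPO-driven local password set produces (last reply).
    Anything else is 'review': a user or remote process reset some account."""
    subj, tgt = ev.get("Subject", {}), ev.get("Target Account", {})
    is_system = subj.get("Security ID") == "NT AUTHORITY\\SYSTEM" and subj.get("Logon ID", "").lower() == "0x3e7"
    own_admin = tgt.get("Account Name") == "Administrator" and subj.get("Account Name") == tgt.get("Account Domain", "") + "$"
    return "local-automated" if is_system and own_admin else "review"

def label_counts(text):
    """Counts per label; with the poster's ~20 records a day, a high local-automated count points at a scheduled local reset."""
    return Counter(classify(ev) for ev in parse_events(text))
```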