topic Re: Seeing continous "Windows Account Locked" alert in Cisco IPS in Network Security

Seeing continous "Windows Account Locked" alert in Cisco IPS

mustafa.papdheen — Sun, 10 Mar 2019 12:17:12 GMT

Hi,

Can any one have any idea on why we are seeing huge number of "Windows Account Locked" alert in Cisco IPS device towards only one Windows server.

We checked whether Windows server is generating any malicious traffic by scanning the server but nothing is found

Feb 23 2011 20:05:47	Windows Account Locked	Cisco Intrusion Prevention System
Feb 23 2011 20:05:32	Windows Account Locked	Cisco Intrusion Prevention System
Feb 23 2011 20:04:47	Windows Account Locked	Cisco Intrusion Prevention System
Feb 23 2011 20:04:32	Windows Account Locked	Cisco Intrusion Prevention System
Feb 23 2011 20:03:47	Windows Account Locked	Cisco Intrusion Prevention System
Feb 23 2011 20:03:32	Windows Account Locked	Cisco Intrusion Prevention System
Feb 23 2011 20:02:47	Windows Account Locked	Cisco Intrusion Prevention System
Feb 23 2011 20:02:32	Windows Account Locked	Cisco Intrusion Prevention System

Re: Seeing continous "Windows Account Locked" alert in Cisco IPS

PAUL GILBERT ARIAS — Fri, 04 Mar 2011 03:13:31 GMT

do you have the signature ID?

Re: Seeing continous "Windows Account Locked" alert in Cisco IPS

Siddharth Chandrachud — Fri, 04 Mar 2011 06:27:10 GMT

How are you seeing the events ? What are you using to check the events ? IDM, IME ? Send a screenshot the exact event. In the event details, there would be a signature id. That signature id will tell us what the signature is designed to match on.

Sid Chandrachud

Cisco TAC - Security team

Re: Seeing continous "Windows Account Locked" alert in Cisco IPS

mustafa.papdheen — Fri, 04 Mar 2011 08:48:19 GMT

Hi,

Thanks for your response. When i lookup up further, Ciscp IPS vulnerability reference page :http://tools.cisco.com/security/center/viewIpsSignature.x?

Signature ID : signatureId=5605

Target Port =445.

Regards

Papdheen M

Re: Seeing continous "Windows Account Locked" alert in Cisco IPS

Siddharth Chandrachud — Sat, 05 Mar 2011 19:16:53 GMT

Mustafa,

Here are the signature details:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5605&signatureSubId=0&softwareVersion=6.0&releaseVersion=S262

This signature detects a Windows SMB user account that has been locked on the Windows server due to multiple failed logon attempts, via the "STATUS_ACCOUNT_LOCKED_OUT" message returned to the client.

This signature severity is set by default to 'informational'

Hence all the signature is doing is leeting you know some users were locked out due to multiple logon attempts.

The event details will also reveal victim ip which might be the machine on which the logon attempts were tried.

Let me know if this addresses your concern.

- Sid

Re: Seeing continous "Windows Account Locked" alert in

mustafa.papdheen — Sun, 13 Mar 2011 10:51:46 GMT

Dear Sid,

Thanks for your response. Actually attacker IP is a database server joined in domain and attacker username is showing as empty"

Server is running with latest AV signature.

Attacker IP - Database server(server itsefl)

Destination- Active Direcotry server

Destination Port - 445

More information will be helpful to isolate the problem.

Regards

Papdheen M