Caller computer name is go-ntlmssp?
Posted 3/22/2017 1:22:23 PM
Forum Newbie

Group: Forum Members
Last Login: 3/22/2017 11:51:04 AM
Posts: 1, Visits: 0
Has anyone seen the caller computer name as go-ntlmssp before? We're tracking Event 4740 and sending alerts through Splunk, and we keep seeing events like this:

A user account was locked out.

Subject:
Security ID: SYSTEM
Account Name: DOMAINDC1$
Account Domain: DOMAIN
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: DOMAIN\Administrator
Account Name: Administrator

Additional Information:
Caller Computer Name: go-ntlmssp

I'm trying to help my security admin track down these misleading alerts and I'm fairly certain we don't have a device called go-ntlmssp on our network. A quick Google search shows this is the name of an API for Azure Sync but I don't know enough about how that works or how it relates to what I'm seeing. Any ideas as to why the Caller Computer Name would display that or where it's getting that info from?
Post #7342
Posted 3/26/2017 3:36:49 PM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 234, Visits: 0
It appears that "go-ntlmssp" is a package for NTLM/Negotiate authentication over HTTP that is found on GitHub. It is possible that the caller is identified this way because of the package that is being used. I think you would have to contact someone that created this package to understand how it is used and why this might be happening. It looks like the package is located at https://github.com/Azure/go-ntlmssp.
Post #7347
Posted 4/12/2017 12:06:44 PM
Forum Newbie

Group: Forum Members
Last Login: 4/12/2017 12:02:46 PM
Posts: 1, Visits: 0
I'm having a similar issue to this; however, there is no Caller Computer Name listed. I've included the event description:

A user account was locked out.

Subject:
Security ID: SYSTEM
Account Name: DCSERVER$
Account Domain: DOMAIN
Logon ID: 0x3e7

Account That Was Locked Out:
Security ID: DOMAIN\user
Account Name: user

Additional Information:
Caller Computer Name:

The user's account is locked out immediately after it is unlocked; there is less than a minute between the 4767 and the 4740 events. Thanks!
Post #7360
Posted 5/3/2017 12:55:19 PM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 234, Visits: 0
Have you tried to look into logon and authentication failure events? This will help you track down how the account is getting locked out. Look for the username in those events and look for a source.
Post #7364
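The correlation the moderator describes (tying each 4740 lockout back to the authentication failure events that name a source), as an added example that is not part of this thread. The event bodies below are constructed; the field names are the ones a domain controller emits for 4776 (NTLM credential validation, "Source Workstation") and 4771 (Kerberos pre-authentication failure, "Client Address"), which is where the real origin of a lockout with a blank or odd Caller Computer Name such as go-ntlmssp usually shows up.

```python
import re
from collections import defaultdict

# Constructed sample event bodies (not taken from the thread). 4740 = account
# locked out, 4776 = NTLM credential validation on the DC, 4771 = Kerberos
# pre-authentication failure. Field names match what the Security log emits.
SAMPLE_EVENTS = [
    "EventID: 4776\nLogon Account: Administrator\n"
    "Source Workstation: go-ntlmssp\nError Code: 0xC000006A",
    "EventID: 4776\nLogon Account: Administrator\n"
    "Source Workstation: go-ntlmssp\nError Code: 0xC000006A",
    "EventID: 4771\nAccount Name: user\n"
    "Client Address: ::ffff:10.0.0.25\nFailure Code: 0x18",
    # 4740 carries two 'Account Name' lines: the DC (Subject) first, then the
    # locked-out account, so keeping the last occurrence yields the right one.
    "EventID: 4740\nAccount Name: DC1$\n"
    "Account Name: Administrator\nCaller Computer Name: go-ntlmssp",
    "EventID: 4740\nAccount Name: DC1$\n"
    "Account Name: user\nCaller Computer Name:",
]

FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$", re.M)


def parse_event(text):
    """Turn a 'Field: value' event body into a dict; a repeated field keeps its last value."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}


def correlate_lockouts(events):
    """For each 4740, list the sources seen in 4776/4771 failures for that account.

    Returns {account: {"caller": Caller Computer Name or '<blank>',
                       "sources": {source: failure_count}}}.
    """
    parsed = [parse_event(e) for e in events]
    failures = defaultdict(lambda: defaultdict(int))
    for ev in parsed:
        if ev.get("EventID") == "4776" and ev.get("Error Code", "0x0") != "0x0":
            failures[ev["Logon Account"]][ev.get("Source Workstation") or "<blank>"] += 1
        elif ev.get("EventID") == "4771":
            failures[ev["Account Name"]][ev.get("Client Address") or "<blank>"] += 1
    report = {}
    for ev in parsed:
        if ev.get("EventID") == "4740":
            acct = ev["Account Name"]
            report[acct] = {"caller": ev.get("Caller Computer Name") or "<blank>",
                            "sources": dict(failures.get(acct, {}))}
    return report


if __name__ == "__main__":
    for acct, info in correlate_lockouts(SAMPLE_EVENTS).items():
        print(f"{acct}: caller={info['caller']} failure sources={info['sources']}")
```

On a real DC the same logic runs over the bodies returned by Get-WinEvent for IDs 4740, 4776 and 4771; a source that appears in the failures but is not a known host is the machine (or client library) to investigate.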