MAC addresses can be lies... and they can repeat... joy!


On Fri, Jul 8, 2022 at 12:22 PM JoeSox <joesox@gmail.com> wrote:
Hello,

I have something I have never seen before and was wondering if anyone in the community has seen something like this?

So some Active Directory accounts are getting locked intermittently, and I had to do some sniffing, and I have an IP address showing up in a non-used subnet, 10.1.2.x.
And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.

I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses.
c2:ea:e4:c5:57:e6
is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery IP that doesn't ping; 10.1.3.9 is the DC.
AD Audit provides nonexistent machines making the requests, and even blank ones.
"User account 'Administrator' was locked from computer ''."

--
Thank You,
Joe
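
An added example, not part of either message above: a check of the two flag bits in the first octet of the MAC quoted in the thread. It shows that c2:ea:e4:c5:57:e6 has the locally administered bit set, so the address was assigned in software and a vendor (OUI) lookup will not identify the device; the function names and the two extra sample addresses are constructed for illustration.

```python
import re

def parse_mac(text):
    """Accept colon, hyphen or Cisco dotted notation; return the 6 raw bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Decode the I/G and U/L flag bits carried in the first octet."""
    mac = parse_mac(text)
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "multicast": bool(mac[0] & 0x01),             # I/G bit: group address
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit: not vendor-assigned
    }

def triage(text):
    """One-line reading of what the flag bits say about the address."""
    info = classify_mac(text)
    if info["multicast"]:
        return "group address: should not appear as a source address"
    if info["locally_administered"]:
        return "locally administered: set in software, OUI lookup does not apply"
    return "universally administered: OUI lookup applies, value can still be overridden"

if __name__ == "__main__":
    samples = [
        "c2:ea:e4:c5:57:e6",   # the MAC from the thread
        "00-1A-2B-3C-4D-5E",   # constructed sample
        "0100.5e00.0001",      # constructed sample, IPv4 multicast range
    ]
    for s in samples:
        print(f"{classify_mac(s)['mac']}  {triage(s)}")
```
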