search cancel

Suspicious account in Windows security log during import job

book

Article ID: 229618

calendar_today

Updated On:

Products

CA Identity Suite

Issue/Introduction

While the import job is running, sometimes we are seeing a wrong account in the security log (Chinese characters). Why do we have this behavior? 

Here's a sample of the security log from the Windows server: 

<13>Oct 21 04:42:48 10.116.24.130 AgentDevice=WindowsLog	AgentLogFile=Security	PluginVersion=7.2.4.86	Source=Microsoft-Windows-Security-Auditing	Computer=SERVER01.XYZ.CORP.COM	OriginatingComputer=10.150.XX.130	User=	Domain=	EventID=4648	EventIDCode=4648	EventType=8	EventCategory=12544	RecordNumber=111333026	TimeGenerated=1634805767	TimeWritten=1634805767	Level=0	Keywords=0	Task=0	Opcode=0	Message=A logon was attempted using explicit credentials.  Subject:  Security ID:  NULL SID  Account Name:  -  Account Domain:  -  Logon ID:  0x860f  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Account Whose Credentials Were Used:  Account Name:  䱔杯楆敬敓敶楲  Account Domain:  T  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Target Server:  Target Server Name: SERVER01.XYZ.CORP.COM Additional Information: SERVER01.XYZ.CORP.COM  Process Information:  Process ID:  0x7dc  Process Name:  C:\Program Files (x86)\CA\Identity Manager\Connector Server\ccs\bin\im_ccs.exe  Network Information:  Network Address: -  Port:   -  This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 

 

Resolution

Only the admin account for the connector server should be running im_ccs.exe, so the attempt by the Chinese user account does seem to be suspicious. There is nothing in the Broadcom Identity product that can cause an unauthorized account to log in or RUNAS, so please contact your Windows administrators and your network security teams to investigate further how the user is attempting to log on.