I have something I have never seen before and was wondering if anyone in the community has seen something like this?
So some Active Directory accounts are getting locked intermittently, and I had to do some sniffing. I have an IP address showing up in an unused subnet (10.1.2.x), and it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses.
is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery IP that doesn't ping; 10.1.3.9 is the DC.
AD Audit shows nonexistent machines making the requests, and even blank ones:
“User account ‘Administrator’ was locked from computer ‘’.”
mac addresses can be lies… and they can repeat… joy!
Fri, Jul 08, 2022 at 12:43:49PM -0400, Christopher Morrow:
mac addresses can be lies... and they can repeat... joy!
e.g. Wi-Fi MAC Randomization – Privacy and Collateral Damage
I think that is a randomized address. Look at the second character in a MAC address: if it is a 2, 6, A, or E, it is a randomized address. Per https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
Technically the rightmost bit is the multicast bit and the second rightmost is the locally assigned bit; it doesn't imply randomisation, and it is unknowable how it was assigned.
The vendor code C0-EA-E4 looks like SonicWall.
It's not unusual for a device to take a global address on the device and flip the local bit for some other use.
Any MAC address with the 2 bit set in the first byte (e.g. c2) is locally generated. Those are x2, x6, xA and xE. Typically this means a virtual machine but not always.
Best bet: trace it through your switch. If you have managed switches, they know which port any given mac address came from. You can trace that back to the machine and then look at the virtual switch on the machine to figure out which VM.
Incidentally, the 1 bit in the first byte means broadcast (1) or unicast (0).
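The two posts above describe the same check from different angles: the low two bits of the first octet of a MAC address are the I/G (individual/group) bit and the U/L (universal/local) bit, and the "second hex digit is 2, 6, A or E" rule is just the U/L bit set with the I/G bit clear. The following is an added example, not code from anyone in this thread, that decodes those bits for any MAC in colon, dash or Cisco dotted notation, and for a locally administered address also clears the U/L bit to show which global OUI the device may have derived it from (the "flip the local bit" pattern mentioned earlier). The vendor table is a constructed placeholder with a single entry for the prefix discussed in the thread; a real triage would consult the IEEE OUI registry.

```python
import re

# Constructed, minimal lookup table for this example only. The one entry is the
# prefix the thread discusses, labelled with the vendor the thread suggested;
# a real check uses the IEEE OUI registry (MA-L) instead.
OUI_HINTS = {
    "C0:EA:E4": "SonicWall (vendor suggested in the thread, unverified here)",
}

IG_BIT = 0x01  # individual/group: 0 = unicast, 1 = multicast/broadcast
UL_BIT = 0x02  # universal/local: 0 = globally assigned OUI, 1 = locally administered


def parse_mac(mac: str) -> bytes:
    """Accept 'c0-ea-e4-01-02-03', 'C0:EA:E4:01:02:03' or 'c0ea.e401.0203'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def fmt(octets: bytes) -> str:
    return ":".join(f"{b:02X}" for b in octets)


def describe_mac(mac: str) -> dict:
    """Decode the I/G and U/L bits and the OUI of a MAC address."""
    octets = parse_mac(mac)
    first = octets[0]
    multicast = bool(first & IG_BIT)
    local = bool(first & UL_BIT)
    oui = fmt(octets[:3])

    # If the U/L bit is set, clearing it yields the OUI a device may have
    # started from before flipping the local bit for a secondary interface.
    candidate = fmt(bytes([first & ~UL_BIT & 0xFF]) + octets[1:3]) if local else None

    return {
        "mac": fmt(octets),
        "multicast": multicast,
        "locally_administered": local,
        # The thread's rule of thumb: second hex digit in {2, 6, A, E}.
        "matches_second_digit_rule": (first & (IG_BIT | UL_BIT)) == UL_BIT,
        "oui": oui,
        "vendor_hint": OUI_HINTS.get(oui),
        "candidate_global_oui": candidate,
        "candidate_vendor_hint": OUI_HINTS.get(candidate) if candidate else None,
    }


if __name__ == "__main__":
    # Constructed sample addresses: a locally administered variant of the
    # thread's prefix, the global prefix itself, an IPv4 multicast MAC and broadcast.
    for sample in ("c2:ea:e4:01:02:03", "C0-EA-E4-00-00-01", "01:00:5e:00:00:fb", "ffff.ffff.ffff"):
        info = describe_mac(sample)
        flags = []
        if info["multicast"]:
            flags.append("multicast/broadcast")
        if info["locally_administered"]:
            flags.append("locally administered")
        print(f"{info['mac']}: {', '.join(flags) or 'global unicast'}; OUI {info['oui']}"
              f" -> {info['vendor_hint'] or 'no hint'}")
        if info["candidate_global_oui"]:
            print(f"  U/L bit cleared: {info['candidate_global_oui']}"
                  f" -> {info['candidate_vendor_hint'] or 'no hint'}")
```

Used on the address from this thread, the output tells you whether you are looking at a vendor-assigned address you can chase through the switch CAM table, or a locally administered one where the OUI tells you nothing on its own and the next step is the switch port and virtual switch trace suggested above.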
Looks like that MAC is our SonicWall firewall, and the packets are coming in from upstream on a shared VLAN but not a shared subnet (not sure how this is happening).
Our SonicWall shows one virus hit on one of the new 10.1.2.0 (upstream subnet) addresses seen today.
Thanks for all the responses. The upstream is investigating now.