
I monitor for failed authentications on DC’s.
labels: Authentication | Fail | Kerberos | User
My top failed authentications is on one client/one account that I can’t hunt down. I have looked at all processes and their “credentials” + installed sysmon on the client. But I can’t find the process or user. Any ideas how I could hunt this down?
Hi Henrik,
I am unsure I understand your question properly. What do you mean exactly when you say you can’t hunt down the account?
Best Regards,
Gustav
I mean that I can’t find which process on the target is doing the logons. There is nothing in the security or sysmon eventlog on the target, no scheduled tasks, processes, config files with that account. The failed logins occur once a minute.
Hi,
Alright, that makes more sense.
Can you tell me which event id you get from the failed login events?
Best Regards,
Gustav
event_id=4771
Hi Henrik,
In the user_id field there should be a SID. Can you try mapping the SID to the user?
Also you can see the reason for failing by mapping the status_code to the error message as seen in the table on this link: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
Best Regards,
Gustav
Hi!
SID is mapped to a valid user account in AD, 0x18 is the status_code.
Hi Henrik,
Could it be a Service Account generating failed logins because of a password change?
https://backstage.forgerock.com/knowledge/kb/article/a62965844
0x18 | Pre-authentication information was invalid | Usually means bad password |
Best Regards
Gustav
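An added example (not from this thread or either poster) that does the triage Gustav describes: group 4771 events by SID, client address and status, translate the Kerberos status code, and check whether the failures recur at a fixed interval, which is the signature of a timer or service retrying a stale password. The field names follow the EventData of 4771 on a domain controller; the records themselves are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Kerberos error codes as they appear in the Status field of event 4771 (RFC 4120 values).
KRB_STATUS = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (user name does not exist)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (bad password / stale cached credential)",
}

# Constructed sample records shaped like 4771 EventData on a DC; not real log data.
SAMPLE_4771 = [
    {"TimeCreated": "2024-01-10T08:00:03", "TargetUserName": "svc-backup",
     "TargetSid": "S-1-5-21-1-2-3-1105", "IpAddress": "::ffff:10.0.0.25", "Status": "0x18"},
    {"TimeCreated": "2024-01-10T08:00:40", "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-1-2-3-1201", "IpAddress": "::ffff:10.0.0.77", "Status": "0x18"},
    {"TimeCreated": "2024-01-10T08:01:03", "TargetUserName": "svc-backup",
     "TargetSid": "S-1-5-21-1-2-3-1105", "IpAddress": "::ffff:10.0.0.25", "Status": "0x18"},
    {"TimeCreated": "2024-01-10T08:02:03", "TargetUserName": "svc-backup",
     "TargetSid": "S-1-5-21-1-2-3-1105", "IpAddress": "::ffff:10.0.0.25", "Status": "0x18"},
    {"TimeCreated": "2024-01-10T08:03:04", "TargetUserName": "svc-backup",
     "TargetSid": "S-1-5-21-1-2-3-1105", "IpAddress": "::ffff:10.0.0.25", "Status": "0x18"},
    {"TimeCreated": "2024-01-10T08:30:12", "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-1-2-3-1201", "IpAddress": "::ffff:10.0.0.77", "Status": "0x17"},
]

def strip_v4mapped(raw):
    """4771 logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); keep only the IPv4 part."""
    return raw[7:] if raw.startswith("::ffff:") else raw

def summarize_4771(events):
    """Group failures by (SID, user, client IP, status); return rows sorted by count, busiest first."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev["TargetSid"], ev["TargetUserName"], strip_v4mapped(ev["IpAddress"]), ev["Status"])
        groups[key].append(datetime.fromisoformat(ev["TimeCreated"]))
    rows = []
    for (sid, user, ip, status), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        rows.append({"sid": sid, "user": user, "ip": ip, "status": status, "count": len(times),
                     "median_gap_s": median(gaps) if gaps else None,
                     "reason": KRB_STATUS.get(status, f"unknown status {status}")})
    return sorted(rows, key=lambda r: -r["count"])

def looks_scheduled(row, expected_gap=60.0, tolerance=5.0):
    """A steady gap near a fixed period points at a timer/service retrying a cached credential."""
    return row["count"] >= 3 and row["median_gap_s"] is not None \
        and abs(row["median_gap_s"] - expected_gap) <= tolerance
```

The client IP in the top row is where to look next; the once-a-minute cadence narrows the search to something that fires on a timer (service recovery, scheduled task, mapped drive or cached credential in Credential Manager) rather than an interactive user.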
Thank you for your answers!