Doria asked

How to capture invalid login attempts?

Hi team!

What would be the best way to capture, at the workstation, which process triggers the invalid logon attempts against our file server? Procmon.exe? Audit?




Hope I was clear enough.


windows-server windows-server-2019

LeonLaude answered

Hi @Doria,

I would suggest enabling audit logging on your Domain Controllers (DCs), then you may capture failed logon attempts.
How to Audit Successful Logon/Logoff and Failed Logons in Active Directory


(If the reply was helpful please don't forget to upvote or accept as answer, thank you)


Best regards,
Leon



Doria answered

Thanks for your answer.

I've done this! Now I need to find out WHAT is causing that on the workstation! What would be the best approach?


Regards.


This may be difficult for us to know; you need to check what the events say, especially event ID 4625.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

You can also have a look at more advanced audit logging options:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings

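One way to act on the 4625 events mentioned above, as an added example that is not part of this thread: a PowerShell summary run against the file server (placeholder name FILESERVER01) that groups the failures by source workstation, account, logon type and failure sub-status. That tells you which client to put Process Monitor on and whether the failing identity is a user or the workstation's own computer account, which is how a process running as SYSTEM authenticates across the network.

```powershell
# Added example, not from the thread. Requires remote Security-log access on
# the file server and "Audit Logon" failure auditing enabled there.
function Get-FailedLogonSummary {
    param(
        [string]$FileServer = 'FILESERVER01',   # placeholder, replace with your server
        [int]$Hours = 24
    )

    # NTSTATUS sub-status codes as they appear in 4625 EventData (hashtable keys are case-insensitive)
    $reason = @{
        '0xc0000064' = 'user name does not exist'
        '0xc000006a' = 'wrong password'
        '0xc000006d' = 'bad user name or password'
        '0xc0000072' = 'account disabled'
        '0xc0000234' = 'account locked out'
    }

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $FileServer -FilterHashtable $filter -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # Flatten the <EventData><Data Name="..."> elements into a hashtable
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Workstation = $data['WorkstationName']   # client NetBIOS name as presented
            SourceIp    = $data['IpAddress']
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']         # 3 = network (SMB share access)
            SubStatus   = $data['SubStatus']
        }
    }

    $rows | Group-Object Workstation, Account, LogonType, SubStatus |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            $why = $reason[$first.SubStatus]
            if (-not $why) { $why = $first.SubStatus }   # unknown code: show it raw
            [pscustomobject]@{
                Count       = $_.Count
                Workstation = $first.Workstation
                SourceIp    = $first.SourceIp
                Account     = $first.Account
                LogonType   = $first.LogonType
                Reason      = $why
                LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        }
}

Get-FailedLogonSummary -FileServer 'FILESERVER01' -Hours 24 | Format-Table -AutoSize
```

A row whose Account ends in `$` is the client's computer account, i.e. something on that workstation is connecting as SYSTEM rather than as the logged-on user.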
Doria answered

On time, I need to find out which command, or service, or program is causing the various attempts.


TeemoTang-MSFT answered

Try to install Process Monitor on the server and capture what's happening during Failed Login attempts. Detailed information here:
DC causing multiple Failed Login Attempt Errors
https://community.spiceworks.com/topic/2203205-dc-causing-multiple-failed-login-attempt-errors
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Doria answered

Hi everyone!

Well, I was finally able to find what causes, from a workstation, the invalid login attempts to the file server. Using procmon and scheduling its execution through a scheduled task, I was able to discover that the logon failure comes from a GPO that runs a batch script to map a user network drive. The strange thing is that the GPO is for the user, not the computer. Perhaps the login attempt was made using the system account! Weird. How to understand this?


Doria answered

Hi everyone!

Did anyone understand my last post? Is it normal for a user GPO to run the logon script using the 'NT AUTHORITY\SYSTEM' system account? Is that the expected behavior?


Regards.
