Tracking Account Usage on Domain Environment
Operating Systems:
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Domain controller authenticates a user via the NTLM protocol (both successful and failed validations are logged under this one event ID):
4776: The domain controller attempted to validate the credentials for an account
Logon Account: name of the account
Source Workstation: computer name where logon attempt originated
Error Code:
C0000064 - user name does not exist
C000006A - user name is correct but the password is wrong
C0000234 - user is currently locked out
C0000072 - account is currently disabled
C000006F - user tried to log on outside the permitted day-of-week or time-of-day restrictions
C0000070 - workstation restriction
C0000193 - account expiration
C0000071 - expired password
C0000224 - user is required to change password at next logon
C0000225 - evidently a bug in Windows and not a risk
Domain controller authenticates a user via the Kerberos protocol:
4768: A Kerberos authentication ticket (TGT) was requested (Successful logon)
Account Name: logon name of the account that just authenticated
Client Address: IP address of the client the request came from
4771: Kerberos pre-authentication failed
Account Name: logon name of the account for which pre-authentication failed
Client Address: IP address of the client the request came from
Failure Code: 0x18 - Pre-authentication information was invalid
4769: A Kerberos service ticket was requested (access to server resources)
Account Name: logon name of the account that just requested the ticket
Client Address: IP address of the client the request came from
Service Name: the account name of the computer or service the user is requesting the ticket for
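The event fields and status codes listed above are what a reviewer actually keys on when reading a domain controller's Security log. The following is an added example, not code from the original post: it applies the 4776 error-code table and the 4771 failure code from this page to a handful of constructed sample records (the account names, hosts and addresses are invented) and summarises failed authentications per account and origin, plus which accounts the log shows as locked out.

```python
from collections import Counter

# Error codes for event 4776, as listed on this page.
NTLM_ERROR_CODES = {
    "C0000064": "user name does not exist",
    "C000006A": "user name is correct but the password is wrong",
    "C0000234": "user is currently locked out",
    "C0000072": "account is currently disabled",
    "C000006F": "logon outside day-of-week or time-of-day restrictions",
    "C0000070": "workstation restriction",
    "C0000193": "account expiration",
    "C0000071": "expired password",
    "C0000224": "user is required to change password at next logon",
    "C0000225": "evidently a bug in Windows and not a risk",
}
# Failure code for event 4771, as listed on this page.
KERBEROS_FAILURE_CODES = {"0x18": "pre-authentication information was invalid"}

# Constructed sample records (not real log data); one dict per Security-log event.
# Error Code 0x0 on a 4776 record means the credentials validated successfully.
SAMPLE_EVENTS = [
    {"id": 4776, "account": "jsmith", "source": "WS01", "code": "0x0"},
    {"id": 4776, "account": "jsmith", "source": "WS01", "code": "C000006A"},
    {"id": 4776, "account": "jsmith", "source": "WS01", "code": "C000006A"},
    {"id": 4776, "account": "jsmith", "source": "WS01", "code": "C0000234"},
    {"id": 4771, "account": "svc-backup", "client": "10.0.0.5", "code": "0x18"},
    {"id": 4768, "account": "svc-backup", "client": "10.0.0.5", "code": "0x0"},
    {"id": 4769, "account": "svc-backup", "client": "10.0.0.5", "service": "FS01$"},
]

def describe(event):
    """Translate an event's status/failure code into the description from the page."""
    code = event.get("code", "0x0")
    if event["id"] == 4776:
        return "success" if code == "0x0" else NTLM_ERROR_CODES.get(code.upper(), "unknown")
    if event["id"] == 4771:
        return KERBEROS_FAILURE_CODES.get(code.lower(), "unknown")
    return "success"  # 4768 and 4769 records here are successful requests

def failures_by_origin(events):
    """Count failed NTLM (4776) and Kerberos (4771) authentications per (account, origin)."""
    counts = Counter()
    for e in events:
        if e["id"] == 4776 and e.get("code") != "0x0":
            counts[(e["account"], e["source"])] += 1    # Source Workstation
        elif e["id"] == 4771:
            counts[(e["account"], e["client"])] += 1    # Client Address
    return counts

def locked_out_accounts(events):
    """Accounts whose 4776 records carry status C0000234 (locked out)."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4776 and e.get("code", "").upper() == "C0000234"})
```

Running `failures_by_origin(SAMPLE_EVENTS)` over the sample gives three failures for jsmith from WS01 (two bad passwords followed by a lockout) and one Kerberos pre-authentication failure for svc-backup from 10.0.0.5.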
Monday, April 16, 2018
Tracking Account Usage on Local Windows System
Tracking account usage for known compromised accounts.
Event IDs:
4624: An account was successfully logged on
4625: An account failed to log on
4634: An account was logged off
4647: User initiated logoff
4648: A logon was attempted using explicit credentials (Runas)
4672: Account logon with superuser rights (Administrator)
4720: A user account was created
4778: A session was reconnected to a Window Station
4779: A session was disconnected from a Window Station