Windows Server 2012 R2 - Help finding failed logon attempts source
I'm seeking help for this issue that I'm having in our AD domain controller where a lot of security events are being logged due to failed logon attempts by a (former) domain user that has been disabled and subsequently deleted. I'm trying to pin-point the origin of these attempts but so far unsuccessfully. One of the biggest challenges is that the origin of the attempts seems to come from within the domain controller itself and is triggered by svchost.exe (which doesn't really help). At some point this user was an administrator account, if that is of relevance to the matter.
What I have tried so far:
Querying Scheduled Task to see if any was being called by that username, but no luck finding anything relevant to the username or time of event:
schtasks /query /v /fo csv > sched_tasks.csvUsing ProcMon to try to find any commonality between the event and the processes' actions that are being recorded by ProcMon, but this is proving laborious and unfruitful.
Searching the registry for that username, but nothing of interest was found.
I'm not sure what other options I have, to try and get to the root of these failed logon attempts. Looking at the events themselves doesn't give me any particular clues, the timings are also not meaningful to me. Sometimes I have 3 attempts in a row, separated by 10 or 20 seconds each, other times it will go 30 minutes, 1 hour, 5 hours, etc., without logging anything from this particular username.
I'll share 4 of the most common events that this user triggers, but I'll note that the 4th event, related to Kerberos Authentication Service, is not usual. Usually I'll just get the first 3 (Logon, Credential Validation, Logon). These events have the same time of logging, but if the event viewer is correct then the bottom event is older (in sequence) than those above it.
Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4768
Task Category: Kerberos Authentication Service
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: deleteduser
Supplied Realm Name: CONTOSO
User ID: NULL SID
Service Information:
Service Name: krbtgt/CONTOSO
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xFFFFFFFF
Pre-Authentication Type: -
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
_
Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4625
Task Category: Logon
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: deleteduser
Account Domain: CONTOSO
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: SRV01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
_
Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4776
Task Category: Credential Validation
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: deleteduser
Source Workstation: SRV01
Error Code: 0xC0000064
_
Keywords: Audit Success
Date and Time: 19/07/2017 16:18:39
Event ID: 4648
Task Category: Logon
A logon was attempted using explicit credentials.
Subject:
Security ID: NETWORK SERVICE
Account Name: SRV01$
Account Domain: CONTOSO
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: deleteduser
Account Domain: CONTOSO
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: srv01.CONTOSO.local
Additional Information: srv01.CONTOSO.local
Process Information:
Process ID: 0x2b8
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
_
Thank you in advance for your help.
Have a nice day!
1 Answer
I found the source of these events, and I'm surprised that it took me so long seeing that I had been close to it a couple days ago.
I started carefully looking at the logs again and analyzing every line of information for a lead. One of those leads, which I had pursued before, is found in the first logged event (last on the list above), namely Event ID 4648:
Keywords: Audit Success
Date and Time: 19/07/2017 16:18:39
Event ID: 4648
Task Category: Logon
A logon was attempted using explicit credentials.
Subject:
Security ID: NETWORK SERVICE
Account Name: SRV01$
Account Domain: CONTOSO
Logon ID: 0x3E4
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: deleteduser
Account Domain: CONTOSO
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: srv01.CONTOSO.local
Additional Information: srv01.CONTOSO.local
Process Information:
Process ID: 0x2b8
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Take notice at the bold part "Process ID: 0x2b8"
This translates to 696, in decimal format. So I opened Task Manager and located the process running with that PID, right-clicked on it and selected Go to service(s). As was the case a couple of days ago, it pointed to DHCPServer service which, like many others, is run from svchost.exe process.
I opened DHCP snap-in, but this time around I took my time to look at every option in sight, eventually I found the culprit: IPv4/IPv6 - DNS dynamic update registration credentials (IPv4/IPv6 Properties > Advanced > Credentials). The evasive user had it's credentials saved there. I created a new user for that role alone and used the new credentials to replace the deleted user, then restarted DHCP Server service. So far so good.
ner0User contributions licensed under CC BY-SA 3.0