Solved

how to track the source of audit failures?

Posted on 2014-09-14
13
545 Views
Last Modified: 2014-12-19
Our domain controller is windows 2008 R2.  Lately, I've been noticing many audit failures under the security logs and corresponding directory service errors (error 12294) under the system logs.  The system error states that the administrator account cannot be locked out.  I've copied the audit failure result below:

How can I track down the source of the failed attempts?

An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            our domain controller$
      Account Domain:            our domain
      Logon ID:            0x3e7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            Administrator
      Account Domain:            our domain

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x230
      Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
      Workstation Name:      our domain controller
      Source Network Address:      address of our sonicwall
      Source Port:            1559

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

Under details, I get:

- System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4625
 
   Version 0
 
   Level 0
 
   Task 12544
 
   Opcode 0
 
   Keywords 0x8010000000000000
 
  - TimeCreated

   [ SystemTime]  2014-09-15T00:48:06.692639500Z
 
   EventRecordID 112677147
 
   Correlation
 
  - Execution

   [ ProcessID]  560
   [ ThreadID]  3592
 
   Channel Security
 
   Computer our domain controller
 
   Security
 

- EventData

  SubjectUserSid S-1-5-18
  SubjectUserName our domain controller$
  SubjectDomainName our domain
  SubjectLogonId 0x3e7
  TargetUserSid S-1-0-0
  TargetUserName Administrator
  TargetDomainName our domain
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc000006a
  LogonType 3
  LogonProcessName Advapi  
  AuthenticationPackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  WorkstationName our domain controller
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x230
  ProcessName C:\Windows\System32\lsass.exe
  IpAddress the address of our sonicwall
  IpPort 1559
0
Question by:akyuen
13 Comments
 
LVL 12

Accepted Solution

by:
trinitrotoluene earned 500 total points
ID: 40322330
LogonType 3 shows that the login happened from your network.

You also have the event ID and EventRecordID. Can you try checking the event log for entries created around the same time?

The event log doesn't log every audit event though.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40322334
Ensure that all shares on this particular machine are disabled till you sort out this issue.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40322336
Network Information:
      Workstation Name:      our domain controller
      Source Network Address:      address of our sonicwall
      Source Port:            1559

The network info should give info about where the login attempt originated from.
0
Author Comment

by:akyuen
ID: 40322351
The network information shows that the workstation name is my domain controller and that the source network address originates from my sonicwall.  Does that mean that there's a network connection trying to log on directly into my domain controller?
0
 

Author Comment

by:akyuen
ID: 40322353
There are no shared drives or folders on the domain controller.
0
 

Author Comment

by:akyuen
ID: 40322357
What I'm confused about is whether this is an attempt to log into the domain controller or is something trying to access a shared file or folder on another server (perhaps my file server), which is AD integrated.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40322363
Have you tried my first comment: check and correlate with the event log for events happening around the same time?

The attempt has definitely originated at the workstation identified by the "workstation" under Network Information. An event ID of 4625 could also mean a failed attempt to just access a shared file/folder.
0
 

Author Comment

by:akyuen
ID: 40322367
There's nothing in the event log on the domain controller that corresponds to the frequency or duration of these errors.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40322386
The source of these errors could be anything; the below is what I'm familiar with:

1) FTP login failures. Check your FTP log.
2) Login via basic authentication over HTTP/HTTPS... potentially dangerous if it's unauthorised.
3) ASP scripts.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40322388
Check the frequency and timing of these login failure logs. That might also give you a clue as to the source.
0
 

Author Comment

by:akyuen
ID: 40322429
I get an audit failure every 7 seconds...
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40322442
So it's probably an automated task/cron job that's running periodically on the DC.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40322850
I would also recommend looking at the Application log for entries occurring at about the same time.
0
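The accepted solution (correlate the 4625 entries with other events written at the same time), the advice to look at the frequency and timing of the failures, and the final suggestion to check the Application log all amount to one procedure. The script below is an added example, not something posted in this thread by trinitrotoluene or akyuen: it pulls the 4625 events from the Security log with Get-WinEvent (available on Windows Server 2008 R2 with PowerShell 2.0), parses the EventData fields shown in the question (IpAddress, WorkstationName, LogonType, SubStatus, ProcessName, LogonProcessName), groups the failures by source, measures the gap between consecutive failures per source, and then lists System and Application events written within a few seconds of the most recent failure. The `$Hours` and `$WindowSeconds` parameters and the 24-hour / 5-second defaults are assumptions chosen for this example.

```powershell
# Added example (not from the original thread): summarise 4625 failures on a DC,
# measure how regularly they recur, and pull neighbouring System/Application
# events for correlation. Assumes Windows Server 2008 R2 or later, PowerShell 2.0+,
# and rights to read the Security log (run elevated on the domain controller).
param(
    [int]$Hours = 24,        # how far back to look (assumed default)
    [int]$WindowSeconds = 5  # +/- window for cross-log correlation (assumed default)
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Every 4625 ("An account failed to log on") from the Security log.
$failures = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $failures) { Write-Host "No 4625 events since $since"; return }

# 2. Parse the EventData XML so the fields can be grouped on by name.
$parsed = foreach ($e in $failures) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        RecordId    = $e.RecordId
        Target      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType
        SubStatus   = $d.SubStatus
        LogonProc   = "$($d.LogonProcessName)".Trim()   # "Advapi  " has trailing spaces
        AuthPkg     = $d.AuthenticationPackageName
        Process     = $d.ProcessName
        Workstation = $d.WorkstationName
        IpAddress   = $d.IpAddress
        IpPort      = $d.IpPort
    }
}

# 3. One line per distinct source: which account, from where, via which process.
#    SubStatus 0xC000006A = bad password, 0xC0000064 = user name does not exist.
Write-Host "`n== Failure sources (last $Hours h) =="
$parsed | Group-Object Target, IpAddress, Workstation, LogonType, LogonProc, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Regularity: a near-constant gap between consecutive failures (the thread's
#    "every 7 seconds") points at a scheduled task, service or script rather than
#    a person typing passwords.
Write-Host "== Interval between consecutive failures per source =="
$parsed | Group-Object IpAddress, Process | ForEach-Object {
    $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
    if ($times.Count -lt 3) { return }
    $gaps = for ($i = 1; $i -lt $times.Count; $i++) {
        ($times[$i] - $times[$i - 1]).TotalSeconds
    }
    $stats = $gaps | Measure-Object -Average -Minimum -Maximum
    "{0,-45} n={1,5} avg={2,7:N1}s min={3,6:N1}s max={4,7:N1}s" -f `
        $_.Name, $times.Count, $stats.Average, $stats.Minimum, $stats.Maximum
}

# 5. Correlate: for the newest failure, list System and Application events
#    written within +/- $WindowSeconds. The 12294 lockout warnings from the
#    question, and any IIS/FTP/service errors from the same instant, land here.
$latest = $parsed | Sort-Object Time -Descending | Select-Object -First 1
Write-Host "`n== System/Application events within $WindowSeconds s of record $($latest.RecordId) ($($latest.Time)) =="
foreach ($log in 'System', 'Application') {
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        StartTime = $latest.Time.AddSeconds(-$WindowSeconds)
        EndTime   = $latest.Time.AddSeconds($WindowSeconds)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ n = 'Message'; e = { $_.Message -replace '(?s)\r?\n.*', '' } } |   # first line only
    Format-Table -AutoSize -Wrap
}
```

Save it as a .ps1 and run it on the DC from an elevated PowerShell prompt. Two columns carry most of the answer to the question's confusion about where the attempt comes from: an IpAddress other than the DC's own says the credentials arrived over the network from that host (here, the SonicWall), while a LogonProc of "Advapi" with lsass.exe as the caller process means a program on the DC itself handed the credentials to the LogonUser API, which is consistent with the FTP, HTTP basic authentication and script sources listed above rather than with an interactive user. A steady interval in step 4 narrows it further to something scheduled.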

Question has a verified solution.