
Some process on a remote server is generating failed log-on attempts for a specific user account. I want to know what process it is.

The account in question started generating these bad password attempts (4771, Failure code: 0x18) immediately after the user changed his password. I assume some utility, service, or application is using cached credentials to try to connect to the domain. I can't track down the process, though.

I enabled audit process tracking (process creation, termination, etc.) but there is no corresponding process that starts at the time the logon failure is logged.

No process name or ID is associated with event 4771. The only thing I have is an associated port. But the port is arbitrary (i.e., dynamic) and is different with every logged event.

The logon failures are intermittent, about one every 2-5 hours, so running procmon for that long is not especially practical, but it may be my only option (the brute-force approach, if you will). Is there a better way?

mwolfe02

1 Answer


This is tricky, especially since the 4771 event from Windows doesn't contain a logon ID. It's surprising how difficult it can be to track this down, considering how many events Windows logs.

Have you looked at scheduled tasks?

What I'd recommend is process monitoring, but with only the network activity monitoring enabled. I think you can also reduce the impact on system performance by reducing the history depth (Options - History Depth). If you then correlate the event with the output from process monitoring, you'll find out which process is responsible.

Lucky Luke