Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
C
C
Camry152020-04-28 17:08:47
Information Security
Camry15, 2020-04-28 17:08:47

How do I specify the account when auditing a failure?

Set up login auditing. For verification, it will decide to enter the password incorrectly a couple of times, then in the event log, in the login failure audit, I noticed that the field with the account name is not specified. How can I fix this to show which user was trying to log in?

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/28/2020 4:56:48 PM
Event ID: 4625
Task Category: Logon
Level: Details
Keywords: Failure Auditing
User: N/
A Computer: DESKTOP-BITQR9N
Description :
The account failed to log in.

Subject: SID
: SYSTEM
Account name: DESKTOP-BITQR9N$
Account Domain: WORKGROUP
Login ID: 0x3E7 Login

Type: 2

Failed Login Account
: SID: NULL SID
Account Name: -
Account Domain: -

Error Details
: Error Reason: Login failed.
State: 0xC000006D
Substate: 0xC0000380 Process Detail

:
Caller Process ID: 0x6c0 Caller Process
Name: C:\Windows\System32\svchost.exe

Network Detail: Workstation Name
: -
Source Network Address: 127.0.0.1
Source Port: 0

Authentication Details:
Login Process: User32
Authentication Package: Negotiate
Intermediate Services: -
Package Name (NTLM only): -
Key Length: 0

This event occurs when a login attempt fails. It is registered on the computer that was attempted to be accessed.

The Subject fields indicate the local system account that requested the logon. This is usually a service, such as the Server service, or a local process, such as Winlogon.exe or Services.exe.

The Login Type field indicates the type of login that was made. The most common are types 2 (interactive) and 3 (network).

The Process Detail fields indicate which account and process on the system made the login request.

The Network Information fields indicate the source of the remote login request. The workstation name is not always available, and in some cases this field may be left blank.

The authentication information fields contain details about a specific login request.
- The "Intermediate Services" field indicates which intermediate services participated in this login request.
- The "Package Name" field indicates the subprotocol used with the NTLM protocols.
- The "Key Length" field contains the length of the generated session key. This field can be "0" if no session key was requested.
event xml:






Security
DESKTOP-BITQR9N



S-1-5-18
DESKTOP-BITQR9N$
WORKGROUP
0x3e7
S-1-0-0
-
-
0xc000006d
%%2304
0xc0000380
2
User32
Negotiate
-
-
-
0
0x6c0
C:\Windows\System32\svchost.exe
127.0 .0.1
0

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
R
Raybul2022-02-25 14:45:50
How to create n number of keys in mongoose schema? 4Reply
I
Ivan Pogorelov2014-05-24 16:04:45
It looks like a virus. iOS 2Reply
I
Ivanushka2552022-01-26 20:51:57
How does sameSite protect the user from information leakage? 0Reply
A
Alik2014-05-28 16:40:33
How to build a secret "proxy" server? 3Reply
H
HoHsi2016-07-06 14:21:13
How to make a function call before session initialization in Linux? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question