How to capture invalid login attempts?

Doria 1,246 Reputation points
2020-11-16T17:30:43.51+00:00

Hi team!

What would be the best way to capture, at the workstation, what is the process that triggers invalid logon attempts against our file server? Procmon.exe? Audit?


Hope I was clear enough.


6 answers

  1. Leon Laude 85,666 Reputation points
    2020-11-16T17:36:08.65+00:00

    Hi @Doria ,

    I would suggest enabling audit logging on your Domain Controllers (DCs), then you may capture failed logon attempts.
    How to Audit Successful Logon/Logoff and Failed Logons in Active Directory

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon


  2. Doria 1,246 Reputation points
    2020-11-16T19:42:37.747+00:00

    Thanks for your answer.

    I've done this! Now I need to find out WHAT is causing that on the workstation! What would be the best approach?

    Regards.


  3. Doria 1,246 Reputation points
    2020-11-16T19:44:07.53+00:00

    In other words, I need to find out which command, service, or program is causing the various attempts.


  4. Teemo Tang 11,351 Reputation points
    2020-11-17T03:04:43.043+00:00

    Try to install Process Monitor on the server and capture what's happening during Failed Login attempts. Detailed information here:
    DC causing multiple Failed Login Attempt Errors
    https://community.spiceworks.com/topic/2203205-dc-causing-multiple-failed-login-attempt-errors
    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    -------------------------------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  5. Doria 1,246 Reputation points
    2020-11-23T13:49:59.167+00:00

    Hi everyone!

    Well, I was finally able to find what causes, from a workstation, invalid login attempts to the file server. Using procmon and scheduling its execution through a scheduled task, I was able to discover that the logon failure occurs from a GPO that runs a batch script to map a user network drive. The strange thing is that the GPO is for the user, not the computer. Perhaps the login attempt was made using the system account! Weird. How to understand this?


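The server-side view of what this thread walks through, as an added example that is not code from any of the posts: once the audit policy from the first answer is on, this PowerShell function summarises Security event 4625 on the file server by source workstation, presented account, logon type and failure reason, so that a failure arriving under the workstation's computer account (a name ending in `$`, which is how something running as SYSTEM on that machine authenticates) stands out from a failure under the user's own name. The server name `FS01` and the rights to read the remote Security log are assumptions.

```powershell
# Added example, not code from the thread: summarise Security event 4625
# (failed logon) on the file server so that every failure can be tied to the
# source workstation, the account that was presented and the failure reason.
# Assumes the audit policy from the first answer is enabled and the caller can
# read the remote Security log (Event Log Readers or local admin on the server).
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # the file server to query
        [int]$Hours = 24
    )
    # Common NTSTATUS sub-status codes carried in 4625; anything else is shown raw.
    $reason = @{
        '0xc000006a' = 'wrong password'
        '0xc0000064' = 'account does not exist'
        '0xc0000234' = 'account locked out'
        '0xc0000072' = 'account disabled'
        '0xc0000071' = 'password expired'
    }
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # EventData is easiest to read from the XML form: each <Data Name=...> becomes a key
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = "$($d.SubStatus)".ToLower()
        [pscustomobject]@{
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
            # A TargetUserName ending in $ is a computer account: the caller ran as
            # LocalSystem on that workstation, which is how a script started by SYSTEM
            # (scheduled task, startup script) appears from the server side.
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType   # 3 = network, i.e. SMB share access
            Reason      = $(if ($reason.ContainsKey($sub)) { $reason[$sub] } else { $sub })
            Last        = $e.TimeCreated
        }
    }
    # One row per (workstation, account, logon type, reason) with a count and the latest hit
    $rows | Group-Object Workstation, Account, LogonType, Reason | ForEach-Object {
        $g = @($_.Group | Sort-Object Last -Descending)
        [pscustomobject]@{
            Count = $_.Count; Workstation = $g[0].Workstation; SourceIP = $g[0].SourceIP
            Account = $g[0].Account; LogonType = $g[0].LogonType; Reason = $g[0].Reason
            LastSeen = $g[0].Last
        }
    } | Sort-Object Count -Descending
}
# Usage (FS01 is a placeholder server name):
# Get-FailedLogonSummary -ComputerName FS01 -Hours 48 | Format-Table -AutoSize
```

The Workstation and SourceIP columns tell you which machine to run Process Monitor on, and the Account column tells you whether to look at the user's session or at what runs as SYSTEM there.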