Re: Event Log messages for failed logon attempts

From: Rob McShinsky (Rob_at_McShinsky.com)
Date: 11/05/03

    To: <FOCUS-MS@securityfocus.com>
    Date: Wed, 5 Nov 2003 10:08:35 -0500
    
    

    Have you looked at the resource kit utility EVENTCOMB? It has this
    functionality as a built-in scan. The only difference would be to give it
    some extra criteria to look for NTLM or Kerberos in the event text. The info
    can be output to CSV, TXT, an Access DB or SQL Server. I believe the
    current version is version 9.0.

    Rob McShinsky
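
A sketch of the scan discussed in this thread, added here as an example; it is not code from any poster and not EventCombMT itself. It filters an exported Security log for failed-logon events and classifies each one as NTLM or Kerberos from the event ID or the event text. Assumptions: the CSV column names and sample rows are constructed (not EventCombMT's actual output layout), and the event IDs other than 529 come from Windows 2000/2003 Security log numbering rather than from the thread.

```python
import csv
import io
import re
from collections import Counter

# Failed-logon event IDs in the Windows 2000/2003 Security log (assumption:
# taken from general Windows documentation; the thread names only 529).
FAILED_LOGON_IDS = {
    529: "unknown user name or bad password", 530: "logon time restriction",
    531: "account disabled", 532: "account expired",
    533: "not allowed to log on at this computer", 534: "logon type not granted",
    535: "password expired", 537: "unexpected logon error", 539: "account locked out",
    675: "Kerberos pre-authentication failed", 676: "Kerberos ticket request failed",
    681: "NTLM account logon failed",
}
USER_RE = re.compile(r"(?:User Name|logon to account):\s*(\S+)")
PROTO_RE = re.compile(r"\b(Kerberos|NTLM)\b", re.IGNORECASE)

# Constructed sample export: column names and message text are illustrative.
SAMPLE_CSV = """TimeGenerated,Computer,EventID,Message
2003-11-04 13:01:10,DC01,529,"Logon Failure: Reason: Unknown user name or bad password User Name: alice Domain: EXAMPLE Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WS7"
2003-11-04 13:01:12,DC01,675,"Pre-authentication failed: User Name: bob Service Name: krbtgt/EXAMPLE Failure Code: 0x18 Client Address: 192.0.2.15"
2003-11-04 13:01:15,DC01,681,"The logon to account: alice by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WS7 failed. The error code was: 3221225578"
2003-11-04 13:02:00,DC01,528,"Successful Logon: User Name: carol Domain: EXAMPLE Logon Type: 2 Authentication Package: Kerberos"
2003-11-04 13:02:30,DC01,529,"Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: EXAMPLE Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos"
"""

def protocol(event_id, message):
    """Classify by event ID first, then by NTLM/Kerberos in the event text."""
    if event_id in (675, 676, 681):
        return "NTLM" if event_id == 681 else "Kerberos"
    m = PROTO_RE.search(message)
    return {"ntlm": "NTLM", "kerberos": "Kerberos"}[m.group(1).lower()] if m else "unknown"

def failed_logons(csv_text):
    """Return one record per failed-logon row in the exported log."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = int(row["EventID"])
        if eid not in FAILED_LOGON_IDS:
            continue  # successful logons and unrelated events are skipped
        user = USER_RE.search(row["Message"])
        hits.append({"time": row["TimeGenerated"], "event_id": eid,
                     "reason": FAILED_LOGON_IDS[eid],
                     "protocol": protocol(eid, row["Message"]),
                     "user": user.group(1).lower() if user else "?"})
    return hits

def count_by_user(hits):
    return Counter((h["user"], h["protocol"]) for h in hits)
```

Counting per (user, protocol) pair makes repeated failures against one account stand out even when they are spread across several event IDs.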

    ----- Original Message -----
    From: "Brad Judy" <judy@colorado.edu>
    To: "'Sean Warnock'" <swarnock@warnocksolutions.com>;
    <FOCUS-MS@securityfocus.com>
    Sent: Tuesday, November 04, 2003 1:11 PM
    Subject: RE: Event Log messages for failed logon attempts

    > It sounds like you're trying to write something like this:
    > http://pantheon.yale.edu/~kjh27/logger.html
    >
    > The author may be willing to distribute it beyond other EDUs if you ask.
    >
    > Brad Judy
    >
    > Information Technology Services
    > University of Colorado at Boulder
    >
    > > -----Original Message-----
    > > From: Sean Warnock [mailto:swarnock@warnocksolutions.com]
    > > Sent: Saturday, October 25, 2003 8:59 AM
    > > To: FOCUS-MS@securityfocus.com
    > > Subject: Event Log messages for failed logon attempts
    > >
    > > I am currently working on a small script that will
    > > parse the event logs of a Windows NT/2000/2003 domain
    > > controller looking for failed logon attempts. I am currently
    > > aware of event log message 529.
    > > I believe that I have been able to generate several other
    > > error messages for failed logon attempts depending upon what
    > > a client is using to authenticate with (ex. Kerberos, NTLM,
    > > etc...). Does anyone have any other input or articles that
    > > they would suggest as the only KB article that I have found
    > > so far was 299475.
    > >
    > > Sean
