Windows Server 2012 R2 – 帮助查找失败的login尝试源

我正在寻求帮助解决这个问题，我在我们的AD域控制器中有很多安全事件被logging，因为（先前的）域用户login失败并被删除。 我试图指出这些尝试的起源，但迄今为止不成功。 最大的挑战之一是，尝试的起源似乎来​​自域控制器本身，并由svchost.exe触发（这并没有真正的帮助）。 在某个时候，这个用户是一个pipe理员帐户，如果这是相关的问题。

我到目前为止所尝试的：

• 查询计划任务以查看是否有用户被该用户名称调用，但没有find与用户名或事件时间相关的任何信息： schtasks /query /v /fo csv > sched_tasks.csv

• 使用ProcMon试图找出ProcMonlogging的事件和进程的行为之间的任何共同性，但是这certificate是困难的和不成熟的。

  • 端口需要join到域抛Powershell
  • Server 2012 r2域中不同子网中的计算机/设备的DNS优先级
  • 如何将设置从Win2k服务器迁移到Windows Server 2008 R2？
  • 将Vista / Win7客户端连接到SBS2011 AD
  • Windows 7login提示符显示缩写域名“PHOENIX”（域名是：phoenix.domain.com）

• 在registry中search该用户名，但没有发现任何兴趣。

我不知道我有什么其他选项，试图find这些失败的login尝试的根。 看事件本身并没有给我什么特别的线索，时间对我也没有意义。 有时我连续尝试3次，每次间隔10秒或20秒，其他时间会持续30分钟，1小时，5小时等，而不logging任何来自这个特定用户名的信息。

我将分享这个用户触发的最常见事件中的4个，但是我会注意到与Kerberos身份validation服务相关的第4个事件并不常见。 通常我会得到前3（login，凭证validation，login）。 这些事件具有相同的日志logging时间，但是如果事件查看器是正确的，那么底部事件比它上面的更早（按顺序）。

 Keywords: Audit Failure Date and Time: 19/07/2017 16:18:39 Event ID: 4768 Task Category: Kerberos Authentication Service A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: deleteduser Supplied Realm Name: CONTOSO User ID: NULL SID Service Information: Service Name: krbtgt/CONTOSO Service ID: NULL SID Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: 0xFFFFFFFF Pre-Authentication Type: - Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 

_

 Keywords: Audit Failure Date and Time: 19/07/2017 16:18:39 Event ID: 4625 Task Category: Logon An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: deleteduser Account Domain: CONTOSO Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: SRV01 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 

_

 Keywords: Audit Failure Date and Time: 19/07/2017 16:18:39 Event ID: 4776 Task Category: Credential Validation The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: deleteduser Source Workstation: SRV01 Error Code: 0xC0000064 

_

 Keywords: Audit Success Date and Time: 19/07/2017 16:18:39 Event ID: 4648 Task Category: Logon A logon was attempted using explicit credentials. Subject: Security ID: NETWORK SERVICE Account Name: SRV01$ Account Domain: CONTOSO Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: deleteduser Account Domain: CONTOSO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: srv01.CONTOSO.local Additional Information: srv01.CONTOSO.local Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 

_

预先感谢您的帮助。

祝你今天愉快！

关键字：审计成功
date和时间：19/07/2017 16:18:39
事件ID：4648
任务类别：login

尝试使用显式凭据进行login。

学科：
    安全ID：networking服务
    帐户名称：SRV01 $
    帐户域名：CONTOSO
    loginID：0x3E4
    loginGUID：{00000000-0000-0000-0000-000000000000}

已使用凭证的帐户：
    帐户名称：已删除的用户
    帐户域名：CONTOSO
    loginGUID：{00000000-0000-0000-0000-000000000000}

目标服务器：
    目标服务器名称：srv01.CONTOSO.local
    附加信息：srv01.CONTOSO.local

处理信息：
     进程ID：0x2b8
    进程名称：C：\ Windows \ System32 \ svchost.exe

networking信息：
    networking地址： -
    港口： -

当进程尝试通过显式指定该帐户的凭据login帐户时，会生成此事件。 这通常发生在批处理configuration中，例如计划任务，或者使用RUNAS命令。