Educause Security Discussion mailing list archives

Re: Active Directory Lockout Log Tools

From: Kevin Kelly <kck () IAS EDU>
Date: Mon, 29 Oct 2018 13:11:11 -0400

Justin,

Assuming your have auditing enabled for your domain, you could setup atask to email you whenever Event ID 4625 is logged into your DC EventViewer. Here's a quick video that shows you how to do that withPowerShell and Task Scheduler.


https://www.youtube.com/watch?v=m-QaRyDksW0

A PowerShell script similar to the one below may also help you out:

PS C:\Users\blah> Get-WinEvent -Computer localhost -FilterHashTable@{LogName="Security"; ID=4625} -MaxEvents 1 | %{ foreach ($i in 0..20) { write-host $i, $_.Properties[$i].Value };$_.Message }


Property 19 should be the IP address.

- Kevin


On 10/29/18 11:38 AM, Justin Hensley wrote:

Hello All:
We have been encountering an increased occurrence of user accountsbeing locked due to our AD lockout policy. In the past, almost all ofthese issues have been due to a user having a bad password in one ofour university systems that kept attempting to autologin and causedthe lockout. However, we now believe that attackers are attempting tobrute force the password with a known username on some accounts. Would anyone have an suggestions on a quicker way to track thisactivity back to an IP than sorting through all the AD logs? Arethere any tools out there to help with this?
Thanks.

*Justin O. Hensley, CEH, CISSP*
University of the Cumberlands
Director of Information Security
Division of Information Services
Gatliff Administration Building | Lower Level | Room 008
104 Maple Street, Williamsburg, KY, 40769
606.539.4197 Office | 606.280.3114 Mobile | 606.539.4144 Fax
justin.hensley () ucumberlands edu <mailto:justin.hensley () ucumberlands edu>

www.ucumberlands.edu <http://www.ucumberlands.edu/>
CONFIDENTIALITY: This email (including any attachments) may containconfidential, proprietary and privileged information, and unauthorizeddisclosure or use is prohibited. If you received this email in error,please notify the sender and delete this email from your system. Thankyou.

Current thread:

Active Directory Lockout Log Tools Justin Hensley (Oct 29)
- Re: Active Directory Lockout Log Tools Taylor Randle (Oct 29)
  - Re: Active Directory Lockout Log Tools Davis, Chris (Oct 29)
- Re: Active Directory Lockout Log Tools Kevin Wilcox (Oct 29)
  - Re: Active Directory Lockout Log Tools Nicholas Garigliano (Oct 29)
- Re: Active Directory Lockout Log Tools Curtis, Bruce (Oct 29)
- Re: Active Directory Lockout Log Tools Kevin Kelly (Oct 29)
- Re: Active Directory Lockout Log Tools Childs, Aaron (Oct 29)
  - Re: Active Directory Lockout Log Tools Kevin Ledbetter (Oct 29)
- <Possible follow-ups>
- Re: Active Directory Lockout Log Tools Samih Ajrouch (Oct 30)