Educause Security Discussion mailing list archives
Re: Active Directory Lockout Log Tools
From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Mon, 29 Oct 2018 12:45:36 -0400
If you don't have centralized logging or a SIEM (great things to have, but they can come with significant capital and administrative costs) you can do a fairly simple PowerShell script to find the lockout events. Here is an example:

https://blogs.technet.microsoft.com/heyscriptingguy/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user/

Nick Garigliano CISSP, GCIH, CCNA
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Mon, Oct 29, 2018 at 12:25 PM Kevin Wilcox <wilcoxkm () appstate edu> wrote:
> On Mon, 29 Oct 2018 at 11:48, Justin Hensley <justin.hensley () ucumberlands edu> wrote:
>
> > We have been encountering an increased occurrence of user accounts being locked due to our AD lockout policy. In the past, almost all of these issues have been due to a user having a bad password in one of our university systems that kept attempting to autologin and caused the lockout. However, we now believe that attackers are attempting to brute force the password with a known username on some accounts. Would anyone have any suggestions on a quicker way to track this activity back to an IP than sorting through all the AD logs? Are there any tools out there to help with this?
>
> Justin - this is where I really love log agg and visualisation. This is also 100% in the SIEM realm. Elastic/Splunk/LogRhythm/QRadar/pick-your-agg-tech all have dashboard functions. A good dashboard will have:
>
>  o the locked accounts
>  o when they happened
>  o which system cut the log
>  o the raw logs themselves
>  o which system caused the lockout
>  o where to find the system that caused the lockout
>
> I'm happy to share off-list an example from the dashboard that we use for some AD lockouts. If you're interested in standing up a VM just to demo Elastic with Windows logs, I'm happy to help there as well.
>
> Hmm is the CFP for SPC going on? :)
>
> kmw
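An added illustration of the script-based approach Nick describes above (this is editor-supplied example code, not the script from the linked Hey Scripting Guy post and not anything a list member posted). It walks the two steps Justin needs: pull the 4740 lockout events from the PDC emulator to learn which account was locked and which "caller computer" reported it, then sweep every domain controller's 4771/4625/4776 failures for that account and tally the source addresses. Assumptions: it runs on a domain-joined host with the ActiveDirectory RSAT module, as an account allowed to read the Security log on each DC, with the Account Lockout, Logon and Kerberos Authentication Service audit subcategories enabled. The function names, the `-ComputerName` pivot parameter and the account `jdoe` are mine.

```powershell
# Editor-added example; not from the linked blog post or any list member.
# Assumes RSAT ActiveDirectory module, read access to DC Security logs, and the
# Account Lockout / Logon / Kerberos Authentication Service audit subcategories enabled.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Turn the <EventData> of a Security event into a hashtable keyed by field name,
    # so we can read TargetUserName, IpAddress etc. instead of relying on positional Properties.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-AccountLockout {
    # Event 4740 ("A user account was locked out") is always written on the PDC emulator,
    # so one DC's log is enough to find the lockout and the reporting caller computer.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            # In 4740 the TargetDomainName field carries the "Caller Computer Name".
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $f.TargetUserName
                CallerComputer = $f.TargetDomainName
                LoggedOn       = $pdc
            }
        } |
        Where-Object { $_.Account -eq $SamAccountName }
}

function Get-FailedLogonSource {
    # Bad-password attempts are recorded on whichever DC handled them, so by default every
    # DC is queried. 4771 (Kerberos pre-auth failed) and 4625 (logon failure) carry an
    # IpAddress; 4776 (NTLM validation) only carries the workstation name.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24,
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName
    )
    $filter = @{ LogName = 'Security'; Id = 4771, 4625, 4776; StartTime = (Get-Date).AddHours(-$Hours) }

    foreach ($host in $ComputerName) {
        Get-WinEvent -ComputerName $host -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $f = ConvertFrom-EventData $_
                if ($f.TargetUserName -ne $SamAccountName) { return }
                # Kerberos logs IPv4 clients as IPv4-mapped IPv6 ("::ffff:10.1.2.3"); strip the prefix.
                $source = if ($_.Id -eq 4776) { $f.Workstation } else { $f.IpAddress -replace '^::ffff:', '' }
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    EventId  = $_.Id
                    Account  = $f.TargetUserName
                    Source   = $source
                    LoggedOn = $host
                }
            }
    }
}

# Usage: find the lockouts for one account, then rank the addresses sending bad passwords.
$lockouts = Get-AccountLockout -SamAccountName 'jdoe' -Hours 24
$lockouts | Format-Table -AutoSize

Get-FailedLogonSource -SamAccountName 'jdoe' -Hours 24 |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# If the top source is "-" or a DC's own address, the failures reached the DC through another
# hop (OWA, a VPN concentrator, an RDP gateway). Pivot to the caller computer's own Security
# log, whose 4625 events hold the real client IP.
$callers = $lockouts | Select-Object -ExpandProperty CallerComputer -Unique |
    Where-Object { $_ -and $_ -ne '-' }
if ($callers) {
    Get-FailedLogonSource -SamAccountName 'jdoe' -Hours 24 -ComputerName $callers |
        Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
}
```

Two checks worth keeping in mind when reading the output: the bad-password counter behind the lockout is maintained per DC and rolled up to the PDC emulator, so sweeping only the PDC for 4771/4625 will miss attempts that other DCs answered; and a caller computer of a DC itself usually means an LDAP bind or Kerberos AS-REQ straight from the network, in which case the 4771 IpAddress on that DC is the address you want, while a caller that is an application server means the attacker is behind a web front end and that server's 4625 events (or its IIS/application logs) are where the external IP lives.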
Current thread:
- Active Directory Lockout Log Tools Justin Hensley (Oct 29)
- Re: Active Directory Lockout Log Tools Taylor Randle (Oct 29)
- Re: Active Directory Lockout Log Tools Davis, Chris (Oct 29)
- Re: Active Directory Lockout Log Tools Kevin Wilcox (Oct 29)
- Re: Active Directory Lockout Log Tools Nicholas Garigliano (Oct 29)
- Re: Active Directory Lockout Log Tools Curtis, Bruce (Oct 29)
- Re: Active Directory Lockout Log Tools Kevin Kelly (Oct 29)
- Re: Active Directory Lockout Log Tools Childs, Aaron (Oct 29)
- Re: Active Directory Lockout Log Tools Kevin Ledbetter (Oct 29)
- <Possible follow-ups>
- Re: Active Directory Lockout Log Tools Samih Ajrouch (Oct 30)
- Re: Active Directory Lockout Log Tools Taylor Randle (Oct 29)