Re: Active Directory Lockout Log Tools

[Nicholas Garigliano <ngarigl8 () NAZ EDU>]

If you don't have centralized logging or a SIEM (great things to have but
they can come with significant capital and administrative costs) you can do
a fairly simple Powershell script to find the lockout events.  Here is an
example:

https://blogs.technet.microsoft.com/heyscriptingguy/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user/


Nick Garigliano CISSP, GCIH, CCNA
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109


On Mon, Oct 29, 2018 at 12:25 PM Kevin Wilcox <wilcoxkm () appstate edu> wrote:

> On Mon, 29 Oct 2018 at 11:48, Justin Hensley
> <justin.hensley () ucumberlands edu> wrote:
>
> > We have been encountering an increased occurrence of user accounts being
> locked due to our AD lockout policy.  In the past, almost all of these
> issues have been due to a user having a bad password in one of our
> university systems that kept attempting to autologin and caused the
> lockout.  However, we now believe that attackers are attempting to brute
> force the password with a known username on some accounts.  Would anyone
> have an suggestions on a quicker way to track this activity back to an IP
> than sorting through all the AD logs?  Are there any tools out there to
> help with this?
>
> Justin - this is where I really love log agg and visualisation. This
> is also 100% in the SIEM realm
>
> Elastic/Splunk/LogRhythm/QRadar/pick-your-agg-tech all have dashboard
> functions. A good dashboard will have:
>
> o the locked accounts
> o when they happened
> o which system cut the log
> o the raw logs themselves
> o which system caused the lockout
> o where to find the system that caused the lockout
>
> I'm happy to share off-list an example from the dashboard that we use
> for some AD lockouts. If you're interested in standing up a VM just to
> demo Elastic with Windows logs, I'm happy to help there as well.
>
> Hmm is the CFP for SPC going on? :)
>
> kmw