Okay, so in an effort to not put the answer on a platter...
I have a test domain and I have some disabled accounts. I tried to mstsc from one server to another with a disabled account, and in LEM I see this:
Now, I have to admit that I'm not super familiar with this particular event, so I went to Randy Smith and asked what it meant. I got this page:
Now, if you look at the sample event, in the Extraneous Info field you can see a status code, "0x12" which I highlighted. According to Randy, that means that the client account is:
0x12: Client's credentials have been revoked (account disabled, expired, locked out, logon hours).
So, good news! You don't need a special AD group, because you can run the correlation off any account that is disabled, regardless of group membership!
Therefore, I'd say you'd want to start with a correlation for UserAuthTicket events (that's the event type that I got) and look in the ExtraneousInfo field for that 0x12 string, and maybe look for a ProviderSID of Microsoft-Windows-Security 4768.
Let me know if you want more than that to help you on your way!
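To show why the "contains"-style match matters here, the following is an added example (not from this thread or from LEM itself) that runs the rule logic over constructed 4768 records: an exact equals on ExtraneousInfo misses the status code when the field carries more than the bare "0x12", while a `*0x12*` wildcard catches it. The field names and the line format are assumptions for illustration.

```python
import re

# Constructed sample events (not real log data). Field names follow the
# thread (UserAuthTicket-style fields); the layout is an assumption.
SAMPLE_EVENTS = [
    'EventID="4768" ProviderSID="Microsoft-Windows-Security 4768" AccountName="alice" '
    'ClientAddress="10.0.0.5" ExtraneousInfo="Result Code: 0x0; Pre-Auth Type: 2"',
    'EventID="4768" ProviderSID="Microsoft-Windows-Security 4768" AccountName="svc_old" '
    'ClientAddress="10.0.0.9" ExtraneousInfo="Result Code: 0x12; Pre-Auth Type: 2"',
    'EventID="4768" ProviderSID="Microsoft-Windows-Security 4768" AccountName="bob" '
    'ClientAddress="10.0.0.7" ExtraneousInfo="Result Code: 0x18; Pre-Auth Type: 2"',
    'EventID="4769" ProviderSID="Microsoft-Windows-Security 4769" AccountName="alice" '
    'ClientAddress="10.0.0.5" ExtraneousInfo="Result Code: 0x12"',
]

# 0x12 is the KDC "client credentials revoked" status: disabled, expired,
# locked out, or outside logon hours.
REVOKED_STATUS = "0x12"


def parse_event(line):
    """Turn a key="value" record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def matches(value, pattern):
    """Emulate the rule box: no '*' means exact equals; '*' matches any run."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def find_revoked_tgt_requests(lines, pattern="*0x12*"):
    """Return (account, client address) for TGT requests (4768) whose status matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue  # only the AS-REQ / TGT event carries this status for logons
        if matches(ev.get("ExtraneousInfo", ""), pattern):
            hits.append((ev["AccountName"], ev["ClientAddress"]))
    return hits


if __name__ == "__main__":
    print("exact equals:", find_revoked_tgt_requests(SAMPLE_EVENTS, REVOKED_STATUS))
    print("wildcard    :", find_revoked_tgt_requests(SAMPLE_EVENTS, "*0x12*"))
```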
Thank you so much for the reply. With your help I think I am almost there. The thing I have right now is that in the correlations it says (UserAuthTicket.ExtraneousInfo="0x12"). I clicked on the "=" to try to change it to something like "contains", but I only get equal and not equal. Do I use wildcards instead?
Arch Stockton | Group Leader - R&D
Information Systems Support Group | Division 10 Operations
Southwest Research Institute | 6220 Culebra Rd. San Antonio, TX 78238-5166
Correct, so I'd do *0x12* in the box, drop the quotes.
I am all set. I now receive an email when a disabled domain user account is used to try to log in. Thank you for stepping me through it. I think I understand a lot of different aspects of the rule-building process.