Windows Server 2012 R2 - Help finding the source of failed logon attempts


I'm looking for help with a problem on an AD domain controller where a large number of security events are being logged because of failed logon attempts by a (former) domain user that was disabled and later deleted. I'm trying to find the source of these attempts, but so far without success. One of the biggest challenges is that the attempts appear to come from the domain controller itself and are triggered by svchost.exe (which doesn't really help). In case it matters, this user was an administrator account at some point.

What I have tried so far:

  • Queried the scheduled tasks to see whether any task is run as that username, but found nothing related to the username or to the event times: schtasks /query /v /fo csv > sched_tasks.csv

  • Used ProcMon to try to find something in common between the events and the process activity ProcMon recorded, but that proved laborious and fruitless.

  • Searched the registry for the username, but found nothing of interest.

I'm not sure what other options I have left to track down the root of these failed logon attempts. Looking at the events themselves doesn't give me any particular clue, and the timing makes no sense to me. Sometimes I get 3 attempts in a row, 10 or 20 seconds apart; other times 30 minutes, 1 hour, 5 hours etc. go by without anything being logged for that particular username.

I'll share the 4 most common events triggered by this user, but I should point out that the 4th one, related to the Kerberos Authentication Service, is not common. Usually I only get the first 3 (Logon, Credential Validation, Logon). These events are logged at the same time, but if Event Viewer is right, the bottom event (in order) is older than the ones above it.

Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4768
Task Category: Kerberos Authentication Service

A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:       deleteduser
    Supplied Realm Name:    CONTOSO
    User ID:            NULL SID

Service Information:
    Service Name:       krbtgt/CONTOSO
    Service ID:     NULL SID

Network Information:
    Client Address:     ::1
    Client Port:        0

Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x6
    Ticket Encryption Type: 0xFFFFFFFF
    Pre-Authentication Type:    -

Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:  
    Certificate Thumbprint:     

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

_

Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4625
Task Category: Logon

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       deleteduser
    Account Domain:     CONTOSO

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xC000006D
    Sub Status:     0xC0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   SRV01
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

_

Keywords: Audit Failure
Date and Time: 19/07/2017 16:18:39
Event ID: 4776
Task Category: Credential Validation

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  deleteduser
Source Workstation: SRV01
Error Code: 0xC0000064

_

Keywords: Audit Success
Date and Time: 19/07/2017 16:18:39
Event ID: 4648
Task Category: Logon

A logon was attempted using explicit credentials.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:       SRV01$
    Account Domain:     CONTOSO
    Logon ID:       0x3E4
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:       deleteduser
    Account Domain:     CONTOSO
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: srv01.CONTOSO.local
    Additional Information: srv01.CONTOSO.local

Process Information:
    Process ID:     0x2b8
    Process Name:       C:\Windows\System32\svchost.exe

Network Information:
    Network Address:    -
    Port:           -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

_

Thanks in advance for your help.

Have a nice day!
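The chain of events in the question has one useful property: 4768, 4625 and 4776 carry no caller process, but 4648 (explicit credentials, subject NETWORK SERVICE / SRV01$) does, and its Sub Status 0xC0000064 in the 4625 ("user name does not exist") says something on the DC is replaying a stored credential for an account that no longer exists. The script below is an added example and is not code from the original post: it pulls the 4648 events that name the account and maps each caller PID to the services hosted in that process, which is where an svchost.exe caller has to be resolved. The account name, the look-back window and the field names are assumptions for the example.

```powershell
# Added example, not code from the original question. Hunts the Security log of the
# DC for 4648 (explicit-credential logon) events that name the deleted account and
# maps the calling PID to the services hosted in that process. Assumed values:
# $Account (the deleted user) and the look-back window.
$Account = 'deleteduser'            # hypothetical: the account from the question
$Since   = (Get-Date).AddDays(-1)   # how far back to search

# 4648 is the only event in the 4768/4625/4776/4648 chain that records the caller's
# process ID, so it is the one to pivot on.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Parse the event's XML payload into a name -> value table
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['TargetUserName'] -ne $Account) { continue }

    # ProcessId is logged as a hex string, e.g. 0x2b8 -> 696
    $callerPid = [int]$d['ProcessId']

    # svchost.exe hosts several services per process; only the live process table can
    # say which ones. PIDs are reused after a reboot, so this mapping is only valid
    # while the process that generated the event is still running.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $callerPid" |
            Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        CallerPid   = $callerPid
        CallerImage = $d['ProcessName']
        Target      = $d['TargetServerName']
        Services    = ($svcs -join ', ')
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# Which service groups show up most often: the shortlist of places to look for a stored credential
$hits | Group-Object Services | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it on the DC while the process that produced the events is still alive; after a reboot the PID in an old 4648 no longer means anything, and you would have to wait for the next occurrence (or enable 4688 process creation auditing to get a PID-to-image record with a matching timestamp). Every service in the resulting group is a candidate, because svchost.exe will not tell you which of its hosted services made the call.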

Answer 1

I found the source of these events, and to my surprise it took me this long to discover it, since I had been close to it a few days earlier.

I went back to looking carefully at the logs, analyzing every line for clues. One lead I had already followed can be found in the first event logged (the last one in the list above), Event ID 4648:

Keywords: Audit Success
Date and Time: 19/07/2017 16:18:39
Event ID: 4648
Task Category: Logon

A logon was attempted using explicit credentials.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:       SRV01$
    Account Domain:     CONTOSO
    Logon ID:       0x3E4
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:       deleteduser
    Account Domain:     CONTOSO
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name: srv01.CONTOSO.local
    Additional Information: srv01.CONTOSO.local

Process Information:
    Process ID:     0x2b8
    Process Name:       C:\Windows\System32\svchost.exe

Network Information:
    Network Address:    -
    Port:           -

This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Note the highlighted part: "Process ID: 0x2b8".

That is 696 in decimal. So I opened Task Manager, found the process running with that PID, right-clicked it and chose Go to Services, just as I had done a few days earlier, and it pointed to the DHCP Server service, which, along with many other services, is hosted by that process.

I opened the DHCP snap-in, but this time I took the time to go through every option and finally found the culprit: IPv4/IPv6 - DNS dynamic update registration credentials (IPv4/IPv6 Properties > Advanced > Credentials). The elusive user's credentials were saved there. I created a new user dedicated to that role, replaced the deleted user with the new credentials and restarted the DHCP Server service. So far so good.