Tracking “Admin” Logon Failures Down to the IP Address
Privileged access attacks are at an all-time high. In many cases, the attack is not successful on the first attempt: the attacker tries to log on with one or more credentials, often many times per account, failing before succeeding. So, when it comes to tracking failed “admin” logon attempts, you could find and deny an attack before it succeeds!
Trying to track down failed attempts for many user accounts can be a tedious task. Even if you know the names of the user accounts that have admin privileges, searching through the logs of each domain controller can be taxing, if not nearly impossible. Consider the following issues if you want to manually track failed logons by admin accounts using the security logs on each domain controller:
Figure 1. Logon failure report including IP address.
- Each DC contains a unique security log, which is not replicated
- Most security logs are set to “overwrite events as needed,” which can delete an event before it can be found
- The security log has a limit on size, so depending on the size of each log, the failed logon could be overwritten
- You can archive security logs, but in order to search them, you will need to manually insert them into Event Viewer or some other tool
- Alerts can be set up for failed logons; however, Microsoft's alerting does not get granular enough for you to specify only the accounts with admin credentials
- PowerShell can be used to search the security logs for specific events and details, but only if the log has not been archived
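As an added example that is not part of the original article or of ADAudit Plus, the PowerShell script below performs the manual search the list describes: it pulls failed logon events from the live Security log of every domain controller, keeps only a watched list of admin accounts, and reports the source IP address of each failure. It assumes the ActiveDirectory module is installed, the caller can read each DC's Security log remotely, and the account names in `$WatchedAccounts` are constructed placeholders.

```powershell
# Added example: failed logons for watched admin accounts, down to the source IP.
# Assumptions (not from the article): ActiveDirectory module present, remote read
# access to each DC's Security log, and a constructed placeholder account list.
param(
    [string[]]$WatchedAccounts = @('Administrator', 'svc-backup'),  # constructed names
    [int]$Hours = 24
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# 4625: an account failed to log on (logged on the machine where the logon was attempted)
# 4771: Kerberos pre-authentication failed (logged on the DC; carries the client IP)
$filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $since }

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no events match or the log is unreachable; keep going
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read named EventData fields from the XML instead of parsing the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($WatchedAccounts -notcontains $data['TargetUserName']) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            DC       = $dc
            EventId  = $e.Id
            Account  = $data['TargetUserName']
            SourceIP = ($data['IpAddress'] -replace '^::ffff:', '')  # strip IPv4-mapped prefix
            Status   = if ($e.Id -eq 4625) { $data['SubStatus'] } else { $data['Status'] }
        }
    }
}

# Summarise: which account, from which IP, how many failures in the window
$results | Group-Object Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account, SourceIP'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Because it queries only the live log on each DC, the script is subject to the overwrite and archive limitations listed above; run it on a schedule short enough that events are read before they roll over.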

Detect privileged access attacks by tracking all logon failures with ADAudit Plus.
If you need to track all admin privileged accounts, you can quickly create a custom report and even attach an alert that fires when any user on that report fails to log on.