UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 552 - Logon attempt using explicit credentials

Event 552 not logged at all

vpapaefthymiou — Thu, 01 Dec 2011 04:35:36 GMT

Even though audit policies are enabled through domain GP, event 552 is not logged on any of the computers belonging to the domain, except for 1 member server on which audit policies have been enabled throgh Local Security Policy.

552 event - Success or Failure?

Retnuh — Thu, 21 Oct 2010 17:03:33 GMT

So Microsoft describes a 552 event as "A user successfully logged on to a computer using explicit credentials while already logged on as a different user." This has become a point of contention with myself and a number of co-workers. To this point, many have been running with the assumption that 552 events always indicate a successful login. As recently observed, a 552 event was discovered on a machine using the credentials of an account that I have verified as being disabled for 2 years. This obviously caused me to raise my 552 Red Flag a little higher. The 552 was recorded on the host machine as having "successfully" run as this disabled account on the target machine. Target machine was analyzed with no evidence of any login from the host.

Is there a clear and concise indicator of a failed 552 attempt logged by Windows? Another event ID that I'm unaware of? I've checked for corresponding 576 events to indicate successful privilege escalation with no results.

Target Server not always Local Host

Braino — Thu, 15 Apr 2010 19:41:57 GMT

I have seen this event where the target server is not LocalHost, but another server in another domain.

In analyzing, It appears if EventID 552 appears on one computer and the target was another computer, that I see a logon (528 or maybe 540 or 4624) on the Target Server's event log, with the target user name as the username of the 552 event, but the 528/540/4624 event does not seem to identify where the logon came from (i.e. the Name or IP address of the source computer, where the 552 eventid is logged), thus it's hard to correlate.

Has anyone else been looking these? it may show when explicit credentials are used but correlating appears difficult.

...But if target server is localhost, it looks like this event is redundant to 528.

Info in 552 duplicated in 528?

Braino — Thu, 15 Apr 2010 19:37:11 GMT

Hi Randy,

I'm analyzing this event right now - it appears to me that, especially if the target server name is "localhost", that anything else from this event already exists in a corresponding EventID 528. For example,

EventID 552 EventID 528

Logged On User: Username = Caller User Name

Logged on User: Domain = Caller Domain

Target User Name = User Name

Target Domain = Domain

Thoughts?

Why Enterprise Admin Rights

tnrdhdhllblly — Sun, 30 Aug 2009 22:13:57 GMT

Why would a domain user want to use explicit rights as the enterprise domain admin to logon? Please see example with confidential details changed.

Audit Success	1/28/2009	6:20:24 PM	552	Security	Logon/Logoff	\SYSTEM	COMPUTER
Logon attempt using explicit credentials: Logged on user: User Name: domain user Domain: domain Logon ID: (****) Logon GUID: {} User whose credentials were used: Target User Name: administrator Target Domain: DOMAIN Target Logon GUID: {***} Target Server Name: (null) Target Server Info: (null) Caller Process ID: (null) Source Network Address: (null) Source Port: (null) Caller Process Name: (null)