Is 4776 necessary for auditing NTLM events
Posted 8/12/2015 4:01:04 PM
I use ManageEngine's ADAudit Plus to audit my AD environment, including logon tracking. I've recently found that this tool completely ignores event 4776. I recently had an account lockout and the tool did not show any bad passwords, but manually scouring the DCs shows 4776 events with error code 0xc000006a, which means bad password.

When I asked ManageEngine why this event is not logged, they said it's not necessary for tracking account lockouts and, because it is so chatty, they exclude it. I don't understand this.

Based on the page on this site regarding 4776, this event captures all NTLM-based logon events. Shouldn't any auditing tool be properly capturing these events for reporting? Or am I misunderstanding the use of 4776? I can't find anything outside of this site which talks about this event in detail (not even on MS's site).
Post #4672
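The check the poster did by hand (reading 4776 off the DCs and looking for 0xc000006a) can be scripted. The following is an added example, not code from the original thread or from ADAudit Plus. It assumes you run it with rights to read the Security log on the DC (locally or via -ComputerName), that the "Credential Validation" audit subcategory is enabled for Failure on that DC, and that the parameter names ($ComputerName, $TargetUser, $Hours) are this script's own. 4776 is written only by the DC that validated the request, so run it against each DC (in practice the PDC emulator is the first place to look, since bad passwords are chained to it) rather than just one.

```powershell
# Added example: summarize 4776 NTLM credential-validation failures on a DC
# and group bad-password attempts by account and source workstation.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC to query (assumption: reachable over RPC)
    [string]$TargetUser   = '*',                # e.g. 'jsmith'; '*' for every account
    [int]$Hours           = 24
)

# NTSTATUS values that appear in the 4776 Status field (the subset relevant to lockouts)
$statusText = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4776 keeps its fields in EventData; read them by name from the XML rather than by position.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $status = ([string]$data['Status']).ToLower()
    if ($status -eq '0x0') { continue }                          # successful validation, skip
    if ($data['TargetUserName'] -notlike $TargetUser) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $data['TargetUserName']
        Workstation = $data['Workstation']   # computer that submitted the NTLM request; can be blank
        Package     = $data['PackageName']
        Status      = $status
        Reason      = if ($statusText.ContainsKey($status)) { $statusText[$status] } else { 'Other' }
    }
}

# Which workstation is feeding bad passwords for each account, with first/last seen
$rows | Where-Object Status -eq '0xc000006a' |
    Group-Object User, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='User';        e={ $_.Group[0].User }},
        @{n='Workstation'; e={ $_.Group[0].Workstation }},
        @{n='First';       e={ ($_.Group | Sort-Object Time)[0].Time }},
        @{n='Last';        e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize

# Full detail, if the summary is not enough:
# $rows | Sort-Object Time | Format-Table Time, User, Workstation, Reason -AutoSize
```

The Workstation field is the only source hint 4776 gives you; it tells you where to go next, not which process sent the credential.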
Posted 8/23/2015 7:59:13 PM
I had this same exact situation occur 4 years ago with a SIEM. 50 accounts were locked out and this event wasn't classified as any type of logon or authentication event. Shortly after the SIEM started classifying it as an authentication event. This is important since it may be the only indicator of authentication failures.
Post #4833
Posted 8/25/2015 1:59:10 AM
The problem here is that 4776 would only help you identify the computer from which the logon failures originate, but not the process from which they originated. To find this you have to track the 4625 local logon event, which might contain the process that was responsible for the logon failure. Sometimes this event does not log the process properly, especially if the failures come from network logons.

To troubleshoot this, Microsoft came out with the "Account Lockout Tools": https://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx

These tools analyze mapped network drives, scheduled tasks, services, etc. to find the account and process responsible for generating the logon failure. But to find out whether a third-party application is responsible for the failure, "Alockout.dll" can be used; the tool attaches itself to a variety of function calls that a process might use for authentication and logs them in an Alockout.txt file. It has to be installed on the computer which is generating the logon failures, and a .reg file needs to be run.

But unfortunately, support for "Alockout.dll" on 2008 and above is questionable.

Just my 2 cents, if you are not already aware of this.
Post #4840
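The step this reply describes, moving from the workstation named in 4776 to that host's own 4625 events to find the logon type and process, can be done with the built-in log without the Account Lockout Tools. The following is an added example, not code from the original thread or from Microsoft's tools. It assumes "Logon/Logoff > Logon" failure auditing is enabled on the target host, that you can read its Security log remotely, and that $ComputerName, $TargetUser and $Hours are this script's own parameters. It also shows the case the reply warns about: for network logons (type 3) the local 4625 normally records no process, so the client host or IP is what you get instead.

```powershell
# Added example: on the host that 4776 pointed at, list 4625 failures for one account
# with logon type, process (when recorded) and the client that sent the request.
param(
    [Parameter(Mandatory)][string]$ComputerName,   # host named in the 4776 Workstation field
    [Parameter(Mandatory)][string]$TargetUser,     # sAMAccountName seen in 4776 TargetUserName
    [int]$Hours = 24
)

# Logon type meanings (from the 4625 LogonType field)
$logonType = @{
    '2'  = 'Interactive'
    '3'  = 'Network'
    '4'  = 'Batch (scheduled task)'
    '5'  = 'Service'
    '7'  = 'Unlock'
    '8'  = 'NetworkCleartext'
    '9'  = 'NewCredentials (runas /netonly)'
    '10' = 'RemoteInteractive (RDP)'
    '11' = 'CachedInteractive'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Filter in PowerShell so the user match is case-insensitive (XPath string compares are not)
    if ($data['TargetUserName'] -ne $TargetUser) { continue }

    $lt   = [string]$data['LogonType']
    $proc = [string]$data['ProcessName']

    # Network logons (type 3) are authenticated on behalf of a remote client: ProcessName is
    # usually '-' and SubjectUserName is empty or the machine account. In that case the
    # useful lead is WorkstationName / IpAddress, and the hunt continues on that client.
    [pscustomobject]@{
        Time       = $e.TimeCreated
        LogonType  = "$lt ($($logonType[$lt]))"
        Process    = if ($proc -and $proc -ne '-') { $proc } else { '(not recorded)' }
        Caller     = $data['SubjectUserName']          # account that requested the logon, when known
        ClientHost = $data['WorkstationName']
        ClientIP   = $data['IpAddress']
        SubStatus  = ([string]$data['SubStatus']).ToLower()   # 0xc000006a bad password, 0xc0000064 no such user
        AuthPkg    = $data['AuthenticationPackageName']       # NTLM here if it matched a 4776 on the DC
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

When the Process column comes back as "(not recorded)" and LogonType is 3, the failing credential was presented by another machine; query that machine's 4625 (or, for a service or task using stored credentials, look at 4648 on the client) rather than expecting the server to name the process.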