552 event - Success or Failure? Expand / Collapse
Posted 10/21/2010 5:03:33 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 10/21/2010 4:32:22 PM
Posts: 1, Visits: 0
So Microsoft describes a 552 event as "A user successfully logged on to a computer using explicit credentials while already logged on as a different user." This has become a point of contention with myself and a number of co-workers. To this point, many have been running with the assumption that 552 events always indicate a successful login. As recently observed, a 552 event was discovered on a machine using the credentials of an account that I have verified as being disabled for 2 years. This obviously caused me to raise my 552 Red Flag a little higher. The 552 was recorded on the host machine as having "successfully" run as this disabled account on the target machine. Target machine was analyzed with no evidence of any login from the host.

Is there a clear and concise indicator of a failed 552 attempt logged by Windows? Another event ID that I'm unaware of? I've checked for corresponding 576 events to indicate successful privilege escalation with no results.
Post #502
Posted 11/4/2010 5:47:05 AM


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
What types/roles were the host and target computers?
Post #510
« Prev Topic | Next Topic »

Permissions Expand / Collapse

All times are GMT -5:00, Time now is 12:20am