Forum Newbie
Group: Forum Members
Last Login: 7/13/2016 1:48:11 PM
Posts: 1, Visits: 0
By the IP address I know the computer it's happening on but have no clue what the next step is. There is no info on which process, other than a PID that's not in Tasklist when I run it.
Any help would be appreciated.
> Get-WinEvent -FilterHashtable @{LogName = 'Security';data='michael.blower';keywords='4503599627370496'} | select -First 1 -Property *
Message : Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower
Service Information:
Service Name: krbtgt/xxxxxxxxx
Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52766
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557551219
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 10784
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:49:38 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}
> Get-WinEvent -FilterHashtable @{LogName = 'Security';data='michael.blower';keywords='4503599627370496'} | select -First 5 -Property *
Message : Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower
Service Information:
Service Name: krbtgt/xxxxxxxx
Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52766
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557551219
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 10784
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:49:38 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}
Message : Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower
Service Information:
Service Name: krbtgt/xxxxxx
Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52504
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550267
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 6984
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:43 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}
Message : Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower
Service Information:
Service Name: krbtgt/xxxxxx
Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52500
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550255
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}
Message : Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower
Service Information:
Service Name: krbtgt/xxxxxxx
Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52498
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550254
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId :
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}
Message : Kerberos pre-authentication failed.
Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower
Service Information:
Service Name: krbtgt/xxxxxxx
Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52496
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550253
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Junior Member
Group: Administrators
Last Login: 4/13/2009 5:07:47 PM
Posts: 23, Visits: 0
So the 0x18 most likely means a bad password. When you open taskman and click on the Services tab you do not see a PID of 792, correct?
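
Added example, not written by either poster: a PowerShell sketch that reads the structured fields of 4771 records instead of the rendered Message, decodes the failure code against RFC 4120, and groups the failures by client. The XML is a constructed sample built from values shown in the thread; the function name ConvertFrom-Event4771Xml and the $KdcError table are assumptions of this example.

```powershell
# Added example. RFC 4120 error codes often seen in the Status field of event 4771.
$KdcError = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: client credentials have been revoked'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password has expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: pre-authentication information was invalid'
    '0x25' = 'KRB_AP_ERR_SKEW: clock skew too great'
}

function ConvertFrom-Event4771Xml {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt  = ([xml]$Xml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account  = $data['TargetUserName']
            Client   = $data['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            Port     = [int]$data['IpPort']
            Status   = $data['Status']
            Meaning  = $KdcError[[string]$data['Status']]           # $null if code not in table
            # Execution/ProcessID belongs to the process that wrote the event on
            # the logging machine (System/Computer), not to a process on the client.
            LoggedBy = '{0} PID {1}' -f $evt.System.Computer, $evt.System.Execution.ProcessID
        }
    }
}

# Constructed sample: 4771 records in the shape returned by EventLogRecord.ToXml().
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4771</EventID><Execution ProcessID="792" ThreadID="1620" />
    <Computer>SERVER.xxxxxxx.COM</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">michael.blower</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.1.187</Data>
    <Data Name="IpPort">{0}</Data>
  </EventData>
</Event>
'@
$sample = 52766, 52504, 52500 | ForEach-Object { $template -f $_ }

# Live input on the DC: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} | ForEach-Object { $_.ToXml() }
$sample | ConvertFrom-Event4771Xml |
    Group-Object Account, Client, Meaning |
    Select-Object Count, Name, @{ n = 'Ports'; e = { $_.Group.Port -join ',' } }
```

For the constructed sample this produces a single group with Count 3 for michael.blower from 192.168.1.187, with the three source ports listed.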