Have you found the bad process yet?

I am watching my event viewer on the DCs right now waiting for the hit
so I can then go into my Procmon and Netmon processes to find it on my
machine.
From: listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] On Behalf Of Webster
Sent: Tuesday, September 10, 2013 11:09 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Logon sniffing tool
The built-in administrator account.  Tens of thousands of 0x12 and 0x18
every day.
I saved and cleared all the event logs at 7PM on Wednesday and when we
showed up at 8AM Thursday there were already over 358,000 failed logon
attempts!
Thanks
Webster
From: listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Tuesday, September 10, 2013 10:02 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: Logon sniffing tool
Just Domain admins?
From: listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] On Behalf Of Webster
Sent: Tuesday, September 10, 2013 10:54 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Logon sniffing tool
I faced the same issue last week.  We were unable to determine the cause
of the mysterious attempts to lock out the domain admin administrator
account.  There were no services or scheduled tasks that used that
account and even using "rundll32 keymgr.dll,KRShowKeyMgr" showed no
cached credentials on any of the computers.
The DCs' security event logs are being flooded with 0x12 and 0x18 errors
for event IDs 675 and 680.
I am interested in also seeing what the list suggests for tracking this
down.
Thanks
Webster
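One way to triage this from the DC side, as an added example that is not code from anyone in this thread: the script below summarises Kerberos pre-authentication failures by client address, account and failure code, so the host producing the 0x12/0x18 noise, and how often it retries, stands out. It assumes a Server 2008-era DC, where the legacy 675 ID is logged as 4771 (Kerberos pre-authentication failed); the parameter names and the one-hour window are my own choices.

```powershell
# Added example, not from the thread. Summarise Kerberos pre-auth failures
# (event 4771, the Server 2008 successor of legacy ID 675) on a domain controller
# by client address, account and failure code.
#   0x18 = KDC_ERR_PREAUTH_FAILED  (bad password)
#   0x12 = KDC_ERR_CLIENT_REVOKED  (account locked out / disabled / expired)
param(
    [string]$ComputerName = 'localhost',   # assumed: the DC whose Security log to read
    [int]$Hours = 1                        # assumed: how far back to look
)

$meaning = @{
    '0x12' = 'client revoked (locked out/disabled/expired)'
    '0x18' = 'pre-auth failed (bad password)'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Pull the events and flatten the EventData XML into plain properties.
$rows = foreach ($ev in Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time    = $ev.TimeCreated
        Client  = ($data['IpAddress'] -replace '^::ffff:', '')   # strip the IPv4-mapped prefix
        Account = $data['TargetUserName']
        Status  = $data['Status']
    }
}

# One line per (client, account, status): how many hits, and the average gap between them.
# A steady gap (e.g. ~360 s) points at a scheduled job or service retry rather than a person.
$rows | Group-Object Client, Account, Status | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';    e = { $_.Group[0].Client } },
        @{ n = 'Account';   e = { $_.Group[0].Account } },
        @{ n = 'Status';    e = { $_.Group[0].Status } },
        @{ n = 'Meaning';   e = { $meaning[$_.Group[0].Status] } },
        @{ n = 'AvgGapSec'; e = {
            $t = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
            if ($t.Count -gt 1) { [math]::Round(($t[-1] - $t[0]).TotalSeconds / ($t.Count - 1)) } else { $null }
        } } |
    Format-Table -AutoSize
```

Run it on (or pointed at) each DC in turn, since the failures land on whichever KDC the client picked. Once the Client column names the machine, the rest of the hunt is local to that host, which is where the Procmon and Netmon capture mentioned earlier in the thread comes in.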
From: listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
Sent: Tuesday, September 10, 2013 9:25 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Logon sniffing tool
My machine is trying and failing to log into the domain about every 6
minutes.

What tool can I use to find the process, service, or program that is
attempting to log in with a bad password?

Windows 8 64 bit failing with a 2008 AD.

Event id 675 code 0x18
Thank you
David W. McSpadden
Begin Planning

Arrange for Reconnaissance and Coordination

Make Reconnaissance

Complete Plan

Issue Order

Supervise
This e-mail and any files transmitted with it are property of Indiana
Members Credit Union, are confidential, and are intended solely for the
use of the individual or entity to whom this e-mail is addressed. If you
are not one of the named recipient(s) or otherwise have reason to
believe that you have received this message in error, please notify the
sender and delete this message immediately from your computer. Any other
use, retention, dissemination, forwarding, printing, or copying of this
email is strictly prohibited.
Please consider the environment before printing this email.