Very informative site. 0x18 maps to account disabled, expired or locked out. So some service on your workstation is trying to login using a domain account that is not available. To see what services are running and what creds they are using go to Services and export the list under the Action menu. I recommend CSV. Drag it into Excel and sort on the appropriate column. That will narrow down the ones to be examined. https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675
From: J- P Sent: Tuesday, September 10, 2013 9:30 AM To: [email protected] Subject: RE: [NTSysADM] Logon sniffing tool You can use NETMON and specify the the ip address of your logon server as the filter, should'nt take more thatn 6 minutes to find :) Jean-Paul Natola -------------------------------------------------------------------------------- Subject: [NTSysADM] Logon sniffing tool Date: Tue, 10 Sep 2013 10:24:42 -0400 From: [email protected] To: [email protected] My machine is trying and failing to log into the domain about every 6 minutes. What tool can I use to find the process, service, or program that is attempting to log in with a bad password? Windows 8 64 bit failing with a 2008 AD. Event id 675 code 0x18 Thank you David W. McSpadden Begin Planning Arrange for Reconnaissance and Coordination Make Reconnaissance Complete Plan Issue Order Supervise This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
