Splunk Search

How to search and identify multiple logons to a Windows workstation?

taylormimission
New Member

Hi all,

We are looking for a way to identify when users share their passwords. For example, userA has elevated privileges within an application that uses Windows authentication. UserA gives her password to userB, who uses it to log on to Windows, accesses the application and performs a task that she wouldn't normally have access to.

We're thinking of searching for multiple logons to a Windows workstation on any day. Any thoughts on how to do this, or otherwise get the required info?


mtranchita
Communicator

This isn't going to answer the precise question you asked but I think you can get what you are looking for.
Based on information in the NSA's Spotting the Adversary with Windows Event Log Monitoring document, I came up with the search below to show all logon activity. If you have a lookup or some other way to associate the logon ID with the computer name, you could pipe it to where and identify when someone is using a logon on a computer that they "shouldn't".
Note that you'll need to modify it for your environment and I have the time range as part of the query. I'm sure the search could be improved too.
Hope this helps.

index=your.windows.event.log.index earliest=-d@d latest=@d
    (EventCode=4624 OR EventCode=4648 OR EventCode=4625)
    (Logon_Type=3 OR Logon_Type=2 OR Logon_Type=7 OR Logon_Type=11)
    Account_Name!="ANONYMOUS LOGON"
| eval LogonAction=case(Logon_Type=2, "Interactive Logon", Logon_Type=3, "Network Logon", Logon_Type=7, "Unlock", Logon_Type=11, "CachedInteractive")
| search Account_Name!=-
| rex field=Account_Name "(?i)(?P<UserName>.*[^\$]$)"
| table UserName Security_ID LogonAction Keywords ComputerName _time Logon_Process Process_Name Caller_Process_Name
| mvexpand Security_ID
| search Security_ID!="NT AUTHORITY\\SYSTEM"
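The same detection logic, run offline over a handful of constructed Windows Security events so the two checks the thread is circling (more than one distinct user logging on interactively to one workstation in a day, and an account logging on somewhere other than its assigned workstation) can be seen end to end. This is an added example, not the posted SPL or anything from the NSA document; the event records, host names, accounts and the account-to-workstation lookup `ASSIGNED_WORKSTATION` are all made up for illustration, and the field names only mimic what the Splunk Windows add-on extracts.

```python
"""Shared-credential detection over constructed Windows Security events.

Added example (not the forum poster's search). Every record below is
constructed; field names mimic Splunk's Windows add-on extractions.
"""
from collections import defaultdict

# Same logon-type labels the posted search assigns in its eval/case().
LOGON_TYPES = {2: "Interactive Logon", 3: "Network Logon",
               7: "Unlock", 11: "CachedInteractive"}

# Logon types that mean someone was physically or console-level on the box.
INTERACTIVE_TYPES = {2, 7, 11}

# Hypothetical lookup: which workstation each account is expected to use.
ASSIGNED_WORKSTATION = {"usera": "WS-ALICE", "userb": "WS-BOB"}

# Constructed sample events.
SAMPLE_EVENTS = [
    {"_time": "2024-05-06T08:02:11", "EventCode": 4624, "Logon_Type": 2,
     "Account_Name": "userA", "Security_ID": "S-1-5-21-1-1-1-1001", "ComputerName": "WS-ALICE"},
    {"_time": "2024-05-06T08:05:40", "EventCode": 4624, "Logon_Type": 2,
     "Account_Name": "userB", "Security_ID": "S-1-5-21-1-1-1-1002", "ComputerName": "WS-BOB"},
    # Both users hit the same file server over the network: normal, must not fire.
    {"_time": "2024-05-06T09:00:00", "EventCode": 4624, "Logon_Type": 3,
     "Account_Name": "userA", "Security_ID": "S-1-5-21-1-1-1-1001", "ComputerName": "FS01"},
    {"_time": "2024-05-06T09:01:00", "EventCode": 4624, "Logon_Type": 3,
     "Account_Name": "userB", "Security_ID": "S-1-5-21-1-1-1-1002", "ComputerName": "FS01"},
    # userA's credentials used interactively on userB's workstation: the case in question.
    {"_time": "2024-05-06T13:21:03", "EventCode": 4624, "Logon_Type": 2,
     "Account_Name": "userA", "Security_ID": "S-1-5-21-1-1-1-1001", "ComputerName": "WS-BOB"},
    # Noise the posted search also drops: machine account / SYSTEM, anonymous logon.
    {"_time": "2024-05-06T13:21:04", "EventCode": 4624, "Logon_Type": 3,
     "Account_Name": "WS-BOB$", "Security_ID": "NT AUTHORITY\\SYSTEM", "ComputerName": "DC01"},
    {"_time": "2024-05-06T14:00:00", "EventCode": 4624, "Logon_Type": 3,
     "Account_Name": "ANONYMOUS LOGON", "Security_ID": "S-1-5-7", "ComputerName": "FS01"},
    # 4648 (explicit credentials) carries no Logon_Type field at all.
    {"_time": "2024-05-06T13:20:58", "EventCode": 4648,
     "Account_Name": "userB", "Security_ID": "S-1-5-21-1-1-1-1002", "ComputerName": "WS-BOB"},
]


def normalize_user(name):
    """Mirror the posted rex/search: drop '-' and machine accounts (trailing $), lower-case the rest."""
    if name is None or name == "-" or name.endswith("$"):
        return None
    return name.lower()


def filter_logons(events):
    """Apply the posted search's filters and enrich each surviving event with UserName/LogonAction/day."""
    out = []
    for e in events:
        if e["EventCode"] not in (4624, 4625, 4648):
            continue
        # 4648 has no Logon_Type, so this clause silently drops it, exactly as the SPL does.
        if e.get("Logon_Type") not in LOGON_TYPES:
            continue
        if e["Account_Name"] == "ANONYMOUS LOGON" or e["Security_ID"] == "NT AUTHORITY\\SYSTEM":
            continue
        user = normalize_user(e["Account_Name"])
        if user is None:
            continue
        out.append({**e, "UserName": user,
                    "LogonAction": LOGON_TYPES[e["Logon_Type"]],
                    "day": e["_time"][:10]})
    return out


def workstations_with_multiple_users(logons):
    """(day, host) -> sorted distinct users, for hosts that saw more than one interactive user that day."""
    seen = defaultdict(set)
    for e in logons:
        if e["Logon_Type"] in INTERACTIVE_TYPES:
            seen[(e["day"], e["ComputerName"])].add(e["UserName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def logons_off_assigned_workstation(logons, assignments):
    """Interactive logons where an account with a known workstation turned up on a different host."""
    hits = []
    for e in logons:
        expected = assignments.get(e["UserName"])
        if expected and e["Logon_Type"] in INTERACTIVE_TYPES and e["ComputerName"] != expected:
            hits.append((e["_time"], e["UserName"], e["ComputerName"], expected))
    return hits


if __name__ == "__main__":
    logons = filter_logons(SAMPLE_EVENTS)
    print("multi-user workstations:", workstations_with_multiple_users(logons))
    print("off-workstation logons:", logons_off_assigned_workstation(logons, ASSIGNED_WORKSTATION))
```

Two things worth noticing when carrying this back into Splunk: the "multiple users per workstation" check only counts logon types 2, 7 and 11, because counting type 3 would flag every file server and domain controller on the first day; and because 4648 events carry no Logon_Type field, the `(Logon_Type=3 OR ...)` clause in the posted search discards them, so if you want explicit-credential use (a user running something as a different account) you need a separate clause that matches 4648 without that field.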