We are looking for a way to identify when users share their passwords. For example, userA has elevated privileges within an application that uses Windows authentication. UserA gives her password to userB, who uses it to log on to Windows, accesses the application and performs a task that she wouldn't normally have access to.
We're thinking of searching for multiple logons to a Windows workstation on any day. Any thoughts on how to do this, or otherwise get the required info?
This isn't going to answer the precise question you asked, but I think you can get what you are looking for.
Based on information in the NSA's "Spotting the Adversary with Windows Event Log Monitoring" document, I came up with the search below to show all logon activity. If you have a lookup or some other way to associate the logon id with the computer name, you could pipe it to where and identify when someone is using a logon on a computer that they "shouldn't". Note that you'll need to modify it for your environment, and I have the time range as part of the query. I'm sure the search could be improved too.
Hope this helps.
index=your.windows.event.log.index earliest=-d@d latest=@d (EventCode=4624 OR EventCode=4648 OR EventCode=4625) (Logon_Type=3 OR Logon_Type=2 OR Logon_Type=7 OR Logon_Type=11) Account_Name!="ANONYMOUS LOGON"
| eval LogonAction=case(Logon_Type=2, "Interactive Logon", Logon_Type=3, "Network Logon", Logon_Type=7, "Unlock", Logon_Type=11, "CachedInteractive")
| search Account_Name!=-
| rex field=Account_Name "(?i)(?P<UserName>(.*[^\$]$))"
| table UserName Security_ID LogonAction Keywords ComputerName _time Logon_Process Process_Name Caller_Process_Name
| mvexpand Security_ID
| search Security_ID!="NT AUTHORITY\\SYSTEM"
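
The follow-up step the answer describes (comparing each logon against a lookup of where an account should be used), as an added example in Python rather than SPL; it is not part of the original answer. The `ASSIGNED` mapping, the sample rows and the choice to ignore network logons are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the table output of the search above.
EVENTS = [
    {"UserName": "userA", "ComputerName": "WS-001", "LogonAction": "Interactive Logon", "_time": "2024-03-04T08:02:11"},
    {"UserName": "userB", "ComputerName": "WS-002", "LogonAction": "Interactive Logon", "_time": "2024-03-04T08:10:45"},
    {"UserName": "userA", "ComputerName": "ws-002", "LogonAction": "Interactive Logon", "_time": "2024-03-04T10:15:40"},
    {"UserName": "userA", "ComputerName": "FS-01", "LogonAction": "Network Logon", "_time": "2024-03-04T10:20:02"},
    {"UserName": "WS-001$", "ComputerName": "WS-001", "LogonAction": "Network Logon", "_time": "2024-03-04T10:21:00"},
    {"UserName": "userB", "ComputerName": "WS-002", "LogonAction": "Unlock", "_time": "2024-03-05T09:00:00"},
]

# Hypothetical lookup: the computers each account is expected to log on at.
ASSIGNED = {"userA": {"WS-001"}, "userB": {"WS-002"}}

# Assumption: only logons made at the keyboard count; network logons
# (type 3) reach file servers all day and would flood the result.
AT_KEYBOARD = {"Interactive Logon", "Unlock", "CachedInteractive"}


def find_suspect_logons(events, assigned):
    """Return (unexpected, multi_host).

    unexpected: (user, computer, time) for each logon at a computer that
                is not in the account's assigned set (unknown accounts too).
    multi_host: {(user, day): [computers]} for accounts seen at more than
                one computer on the same day.
    """
    # Windows account and computer names are case-insensitive.
    allowed = {u.lower(): {h.upper() for h in hs} for u, hs in assigned.items()}
    unexpected, per_day = [], defaultdict(set)
    for ev in events:
        user = ev["UserName"].lower()
        if user.endswith("$") or ev["LogonAction"] not in AT_KEYBOARD:
            continue  # machine account or non-interactive logon
        host = ev["ComputerName"].upper()
        per_day[(user, ev["_time"][:10])].add(host)
        if host not in allowed.get(user, set()):
            unexpected.append((user, host, ev["_time"]))
    multi_host = {k: sorted(v) for k, v in per_day.items() if len(v) > 1}
    return unexpected, multi_host


if __name__ == "__main__":
    flagged, shared = find_suspect_logons(EVENTS, ASSIGNED)
    for row in flagged:
        print("unexpected computer:", row)
    for (user, day), hosts in shared.items():
        print("multiple computers:", user, day, hosts)
```

A hit here means only that the account was used somewhere unusual; hot-desking or a help-desk visit produces the same pattern, so treat results as leads to follow up.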