Splunk Search

How to search and identify multiple logons to a Windows workstation?

taylormimission
New Member

Hi all,

We are looking for a way to identify when users share their passwords. For example, userA has elevated privileges within an application that uses Windows authentication. UserA gives her password to userB, who uses it to log on to Windows, accesses the application and performs a task that she wouldn't normally have access to.

We're thinking to search for multiple logons to a Windows workstation on any day. Any thoughts on how to do this, or otherwise get the required info?


mtranchita
Communicator

This isn't going to answer the precise question you asked but I think you can get what you are looking for.
Based on information in the NSA's Spotting the Adversary with Windows Event Log Monitoring document I came up with the search below to show all logon activity. If you have a lookup or some other way to associate the logon id with the computer name you could pipe it to where and identify when someone is using a logon on a computer that they "shouldn't".
Note that you'll need to modify it for your environment and I have the time range as part of the query. I'm sure the search could be improved too.
Hope this helps.

index=your.windows.event.log.index earliest=-d@d latest=@d (EventCode=4624 OR EventCode=4648 OR EventCode=4625) (Logon_Type=3 OR Logon_Type=2 OR Logon_Type=7 OR Logon_Type=11) Account_Name!="ANONYMOUS LOGON"
| eval LogonAction=case(Logon_Type=2, "Interactive Logon", Logon_Type=3, "Network Logon", Logon_Type=7, "Unlock", Logon_Type=11, "CachedInteractive")
| search Account_Name!=-
| rex field=Account_Name "(?i)(?P<UserName>.*[^\$]$)"
| table UserName Security_ID LogonAction Keywords ComputerName _time Logon_Process Process_Name Caller_Process_Name
| mvexpand Security_ID
| search Security_ID!="NT AUTHORITY\\SYSTEM"
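The signal the question asks for (more than one distinct user account logging on interactively to the same workstation on the same day) worked through in Python over constructed sample events, as an added example that is not part of the thread; it assumes the same event fields the search above uses (EventCode, Logon_Type, Account_Name, ComputerName, _time) and applies the same exclusions for machine, anonymous and SYSTEM accounts.

```python
"""Flag Windows workstations where several distinct user accounts logged on
interactively on one day, using constructed 4624 events (not real data)."""
from collections import defaultdict
from datetime import datetime

# Logon types the thread's search keeps that mean someone is at the console.
INTERACTIVE_TYPES = {2: "Interactive Logon", 7: "Unlock", 11: "CachedInteractive"}


def is_user_account(name):
    """Drop the accounts the thread's search filters out: '-', ANONYMOUS LOGON,
    SYSTEM, and machine accounts (which end with '$')."""
    return name not in ("-", "ANONYMOUS LOGON", "SYSTEM") and not name.endswith("$")


def find_shared_workstations(events, min_accounts=2):
    """Return {(day, COMPUTERNAME): sorted lowercase accounts} for every
    workstation/day pair with at least `min_accounts` distinct interactive users.
    Only successful logons (4624) count; 4625 failures are ignored here."""
    seen = defaultdict(set)
    for ev in events:
        if ev["EventCode"] != 4624 or ev["Logon_Type"] not in INTERACTIVE_TYPES:
            continue
        if not is_user_account(ev["Account_Name"]):
            continue
        day = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%S").date().isoformat()
        # Normalise case so "WS-ACCT01" and "ws-acct01" are the same host.
        seen[(day, ev["ComputerName"].upper())].add(ev["Account_Name"].lower())
    return {key: sorted(accts) for key, accts in seen.items() if len(accts) >= min_accounts}


# Constructed sample events (hypothetical hosts and users, not real data).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:02:11", "EventCode": 4624, "ComputerName": "WS-ACCT01", "Account_Name": "userA", "Logon_Type": 2},
    {"_time": "2024-05-01T08:02:11", "EventCode": 4624, "ComputerName": "WS-ACCT01", "Account_Name": "WS-ACCT01$", "Logon_Type": 3},
    {"_time": "2024-05-01T12:40:05", "EventCode": 4624, "ComputerName": "WS-ACCT01", "Account_Name": "userB", "Logon_Type": 7},
    {"_time": "2024-05-01T09:15:00", "EventCode": 4624, "ComputerName": "WS-HR02", "Account_Name": "userC", "Logon_Type": 2},
    {"_time": "2024-05-01T09:30:00", "EventCode": 4625, "ComputerName": "WS-HR02", "Account_Name": "userD", "Logon_Type": 2},
    {"_time": "2024-05-02T07:55:30", "EventCode": 4624, "ComputerName": "WS-ACCT01", "Account_Name": "userA", "Logon_Type": 11},
    {"_time": "2024-05-02T10:00:00", "EventCode": 4624, "ComputerName": "ws-acct01", "Account_Name": "SYSTEM", "Logon_Type": 2},
]

if __name__ == "__main__":
    for (day, host), accounts in sorted(find_shared_workstations(SAMPLE_EVENTS).items()):
        print(f"{day} {host}: {', '.join(accounts)}")
```

Only WS-ACCT01 on 2024-05-01 is reported: userA and userB both logged on at the console, while the machine account, the failed logon on WS-HR02 and the SYSTEM logon are excluded.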