Event Id | 680 |
Source | Security |
Description | 'Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: %user name% Source Workstation: %computer name% Error Code: 0x0' |
Event Information | According to Microsoft:

Cause 1: A program or service attempted to start with the logon credentials specified in the message, which do not match the credentials of the current user. This message is logged for informational purposes only.
Resolution: No user action is required.

Cause 2: Windows XP attempts a limited logon for each account that is displayed on the Welcome screen to determine whether to prompt the user for a password. An attempted logon is logged for each account displayed.
Resolution: To prevent these events from being logged, disable the Welcome screen and use the classic logon screen or turn off auditing of logon events. To turn off auditing in the Microsoft Management Console (MMC) snap-in for Group Policy:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. In the left pane, expand the following items:
   • Local Computer Policy
   • Computer Configuration
   • Windows Settings
   • Security Settings
   • Local Policy
3. Click Audit Policy.
4. Double-click Audit Logon Events.
5. Click to clear the Success and Failure check boxes.
6. Click OK.
7. Close the Group Policy window.

Cause 3: When a user logs off, Windows XP re-reads the user record for updated information to optimize the next logon process. However, Windows ignores the fact that the user is from the local SAM database and instead tries to contact the domain (if the computer is a member of a domain).
Resolution: To resolve this problem, obtain the latest service pack for Microsoft Windows XP.
In the past couple of weeks, I've seen a brute force attack show its tracks on a DC. Looks like a dictionary attack with an Event ID 680 created in the Security event log every 18-20 minutes (example below). My question is, how can I find out what service/port the attacker is trying these credentials and from what IP address? Thanks in advance.
EventID 680 - Logon attempt by: %1
Win 2003 / XP
A set of credentials was passed to the authentication system on this computer either by a local process or by a remote process or user. Success or failure is displayed in the message.

Windows XP Home

Event Id 680, Failure Audit. DVanTassel asked on 2003-06-11. OS Security; 24 Comments. Last Modified: 2013-12-04.
Greetings, I have been observing unusual traffic on my Exchange 2003 server in the form of failed logon attempts resulting in event id 680 log entries. The logons are being attempted by various non-existent accounts, 'postmaster, administrator, admin, etc. @domain.com'.
Security
Success Audit
Account Used for Logon by: <authentication package>
Account Name: <user name>
Workstation: <computer name>
Security
Failure Audit
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: <account>
Source Workstation: <workstation>
Error Code: <error code>.
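
An added example (not part of the original page or of any vendor tool): a Python parser for the Failure Audit description format above that groups failed attempts by Source Workstation, so one source trying many different account names stands out. The sample descriptions, host names, account names and the `min_accounts` threshold are constructed, and the NTSTATUS names in `STATUS` are standard meanings that this page does not list.

```python
import re
from collections import defaultdict

# Standard NTSTATUS meanings for the Error Code field (added here, not from the page).
STATUS = {0x0: "success", 0xC0000064: "no such user",
          0xC000006A: "wrong password", 0xC0000234: "account locked out"}

# Field labels follow the Failure Audit template; values may sit on one line or several.
FIELDS = re.compile(
    r"Logon attempt by:\s*(?P<package>\S+)\s+"
    r"Logon account:\s*(?P<account>.*?)\s+"
    r"Source Workstation:\s*(?P<workstation>.*?)\s+"
    r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)", re.S)

def parse_680(description):
    """Return the fields of one Event 680 description, or None if it does not match."""
    m = FIELDS.search(description)
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"], 16)
    rec["status"] = STATUS.get(rec["code"], "other failure")
    return rec

def suspicious_sources(descriptions, min_accounts=3):
    """Map each source workstation with failures against at least min_accounts
    distinct accounts to the sorted account names it tried."""
    tried = defaultdict(set)
    for text in descriptions:
        rec = parse_680(text)
        if rec and rec["code"] != 0:
            # An empty workstation field is kept under its own key, not dropped.
            tried[rec["workstation"].upper() or "(blank)"].add(rec["account"].lower())
    return {ws: sorted(accts) for ws, accts in tried.items() if len(accts) >= min_accounts}

# Constructed sample descriptions; host and account names are made up.
PKG = "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
SAMPLE = [
    PKG + "Logon account: postmaster Source Workstation: MAILGW01 Error Code: 0xC0000064",
    PKG + "Logon account: administrator Source Workstation: MAILGW01 Error Code: 0xC000006A",
    PKG + "Logon account: admin\nSource Workstation: mailgw01\nError Code: 0xC0000064.",
    PKG + "Logon account: jsmith Source Workstation: DESK-07 Error Code: 0xC000006A",
    PKG + "Logon account: jsmith Source Workstation: DESK-07 Error Code: 0x0",
]

if __name__ == "__main__":
    for source, accounts in suspicious_sources(SAMPLE).items():
        print(source, "failed against", accounts)
```

The workstation name recorded in the event is whatever the client supplied, so treat it as a lead to correlate with firewall or service logs, not as proof of origin.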