Hi.
I was wondering if someone could help me better understand the following alert.
I have an alert that a user has accessed a restricted machine. In the logs I have the following information: “service”: “c:\windows\system32\lsass.exe”, “eventCode”: 4648 and at the same time I have another log with the following information: “logon_type”: “NETWORK”, “result”: “SUCCESS”, “service”: “advapi”, “eventCode”: 4624.
After this alert I confirmed with the user and he did not try to access and has no access to this machine. Could someone help me better understand this alert?
So the first log with the 4648 event code could either be someone on that asset running a program with “run as” and inputting different credentials, or a process kicking off a scheduled task connecting to another machine under different credentials. Depending on what the destination server is and its function, it could be a file share, SharePoint server, etc. But this alert fired off because the destination asset was added to the restricted asset list in IDR.
The 4624 event code log, from what you posted, appears to be the advapi server performing a successful type 3 (network) authentication to an asset that is also added to the restricted asset list. The advapi service is normally associated with IIS or other web-type applications, so I would look for stored credentials. From what you wrote, these could happen very easily without the user’s knowledge depending on the setup or configuration of your endpoints.
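As an added triage example (not code from either post or from IDR), the Python below correlates the two records described above, a 4648 from lsass.exe followed within a short window by a 4624 NETWORK/SUCCESS logon via advapi to an asset on a restricted list, over constructed sample records; the field names `time`, `user`, `source_asset` and `destination_asset` are assumed.

```python
"""Pair 4648 (explicit-credential use) with 4624 NETWORK logons to restricted
assets and attach a triage hint, so an analyst can see whether the chain looks
like a keyboard user or an automated process using stored credentials."""
from datetime import datetime, timedelta

# Constructed sample records mirroring the fields quoted in the question.
# 'time', 'user', 'source_asset' and 'destination_asset' are assumed names.
SAMPLE_LOGS = [
    {"time": "2024-01-10T09:00:01", "eventCode": 4648,
     "service": r"c:\windows\system32\lsass.exe", "user": "jdoe",
     "source_asset": "WS01", "destination_asset": "FS-RESTRICTED"},
    {"time": "2024-01-10T09:00:02", "eventCode": 4624, "logon_type": "NETWORK",
     "result": "SUCCESS", "service": "advapi", "user": "jdoe",
     "source_asset": "WS01", "destination_asset": "FS-RESTRICTED"},
    # An interactive logon to the user's own workstation: should not be flagged.
    {"time": "2024-01-10T11:30:00", "eventCode": 4624, "logon_type": "INTERACTIVE",
     "result": "SUCCESS", "service": "User32", "user": "jdoe",
     "source_asset": "WS01", "destination_asset": "WS01"},
]
RESTRICTED_ASSETS = {"FS-RESTRICTED"}  # constructed restricted asset list


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def correlate(logs, restricted, window=timedelta(seconds=60)):
    """Return one finding per 4648/4624 pair that shares user, source and
    destination, lands on a restricted asset, and falls within `window`."""
    explicit = [r for r in logs if r["eventCode"] == 4648]
    net_logons = [r for r in logs if r["eventCode"] == 4624
                  and r.get("logon_type") == "NETWORK"
                  and r.get("result") == "SUCCESS"]
    findings = []
    for e in explicit:
        for n in net_logons:
            same_chain = all(n[k] == e[k] for k in
                             ("user", "source_asset", "destination_asset"))
            if not same_chain or n["destination_asset"] not in restricted:
                continue
            if abs(_ts(n) - _ts(e)) > window:
                continue
            # lsass.exe supplying explicit creds + advapi network logon points at
            # a service or scheduled task using stored credentials, not a person.
            automated = (e["service"].lower().endswith("lsass.exe")
                         and n["service"].lower() == "advapi")
            hint = ("likely automated: stored credentials, runas or scheduled "
                    "task on " + e["source_asset"]) if automated \
                else "explicit credential use; confirm with user"
            findings.append({"user": e["user"], "source": e["source_asset"],
                             "destination": n["destination_asset"], "hint": hint})
    return findings
```

Running `correlate(SAMPLE_LOGS, RESTRICTED_ASSETS)` yields a single finding with the "likely automated" hint, which is the cue to inventory what runs on the source asset rather than to assume the user typed the credentials.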