Apr 20 2022 08:58 AM
I would like to trigger the task only if the login attempt is against a disabled account. This includes the Result Code 0x12. How can I add this to the trigger? Any help would be much appreciated. Thanks.
Here is the event.
Here is the event details XML View:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-04-19T16:40:04.842900000Z" />
    <EventRecordID>562602120</EventRecordID>
    <Correlation />
    <Execution ProcessID="528" ThreadID="106016" />
    <Channel>Security</Channel>
    <Computer>XXXXXXXXXX</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">XXXXXXXX</Data>
    <Data Name="TargetDomainName">XXXXXXX</Data>
    <Data Name="TargetSid">S-1-0-0</Data>
    <Data Name="ServiceName">krbtgt/mie</Data>
    <Data Name="ServiceSid">S-1-0-0</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x12</Data>
    <Data Name="TicketEncryptionType">0xffffffff</Data>
    <Data Name="PreAuthType">-</Data>
    <Data Name="IpAddress">::ffff:192.168.240.79</Data>
    <Data Name="IpPort">50126</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>
Here is a task trigger that includes everything but the result code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,4503599627370496) and (EventID=4768)]]</Select>
  </Query>
</QueryList>
Not sure where to put the Result Code 0x12:
<Data Name="Status">0x12</Data>
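The filter the question asks for, as an added example that is not part of the original post: the same QueryList with a second predicate on the EventData Status field, so the trigger fires only for 4768 audit-failure events whose result code is 0x12 (the code the poster associates with a disabled account). It assumes the XML is pasted into the "Custom" event trigger of a scheduled task.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      <!-- System predicate from the original trigger: audit-failure keyword and event 4768 -->
      *[System[band(Keywords,4503599627370496) and (EventID=4768)]]
      and
      <!-- Added predicate: the EventData element whose Name attribute is Status
           must equal 0x12; the value is compared as the string shown in the XML view -->
      *[EventData[Data[@Name='Status']='0x12']]
    </Select>
  </Query>
</QueryList>
```

The same XML can be checked before it goes into the task by pasting it into the XML tab of an Event Viewer custom view or passing it to Get-WinEvent -FilterXml; if the sample event above is returned, the trigger will match it.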