how to find account login source?

Hello. Just starting with Wireshark. I have run the capture for 15 minutes and in that time period, the AD account I'm tracking got an invalid login attempt. In the amount of data captured, how does one find this invalid login attempt?

As a background, I was using Netwrix Account Lockout Examiner and although it can point me to the source of the invalid login attempt IF a workstation name is present, there are times it would show that the offending workstation name is MSTSC, which doesn't make sense.

So I got Wireshark to find out where this MSTSC is coming from.

Appreciate any help.

badbanana
asked 2019-03-10 10:01:59 +0000

Comments

MSTSC is the name of the Windows executable for Remote Desktop Protocol (RDP), so it seems likely that these auth failures are RDP connection attempts.

grahamb (2019-03-10 18:59:55 +0000)

So how to find that information in the Wireshark captured data?

badbanana (2019-03-11 07:35:00 +0000)
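One concrete way to answer the follow-up question, as an added example that is not part of the original thread or of Wireshark itself: when the capture is taken where domain-controller traffic is visible (on the DC or a SPAN port; a capture on an unrelated workstation will not contain it), a failed password shows up as a clear-text Kerberos KRB-ERROR from the KDC, and the client that sent the failing request is the destination IP of that error. The script below assumes the capture was first reduced with tshark to a pipe-separated field export (the `tshark` command is in the docstring; the field names `kerberos.error_code` and `kerberos.CNameString` are real Wireshark fields), then groups the failures for one account by client IP and error code. The sample export lines, IP addresses and account names are constructed for the example. If the KDC omits the client name from KRB-ERROR, correlate the error with the AS-REQ that immediately precedes it from the same client instead of relying on `kerberos.CNameString`.

```python
"""Summarise failed Kerberos logons for one account from a tshark field export.

Added example, not code from the original post. Assumed preprocessing step
(a real tshark invocation; only the capture file name is a placeholder):

  tshark -r capture.pcapng -Y "kerberos.msg_type == 30" \
      -T fields -E separator='|' \
      -e frame.time_epoch -e ip.src -e ip.dst \
      -e kerberos.CNameString -e kerberos.error_code > failures.txt

msg_type 30 is KRB-ERROR. In a KRB-ERROR, ip.src is the KDC and ip.dst is
the client whose request failed, which is the "source" being hunted for.
"""
import sys
from collections import Counter, defaultdict

# Kerberos error codes (RFC 4120) that matter for a lockout investigation.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (account name does not exist)",
    18: "KDC_ERR_CLIENT_REVOKED (account locked out or disabled)",
    24: "KDC_ERR_PREAUTH_FAILED (wrong password)",
}

# Constructed sample of the tshark export above; not real capture data.
SAMPLE_EXPORT = """\
1552212131.120|10.0.0.5|10.0.0.77|jdoe|24
1552212133.481|10.0.0.5|10.0.0.77|jdoe|24
1552212201.007|10.0.0.5|10.0.0.91|jdoe|24
1552212260.550|10.0.0.5|10.0.0.91|svc_backup|6
1552212300.002|10.0.0.5|10.0.0.77|jdoe|18
"""


def parse_export(text):
    """Turn pipe-separated tshark lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, kdc, client, user, code = parts
        try:
            records.append({"time": float(ts), "kdc": kdc, "client": client,
                            "user": user, "code": int(code)})
        except ValueError:
            continue  # empty or non-numeric field, e.g. KRB-ERROR without cname
    return records


def failures_for(records, account):
    """Map client IP -> Counter of error codes for one account (case-insensitive)."""
    by_client = defaultdict(Counter)
    for r in records:
        if r["user"].lower() == account.lower():
            by_client[r["client"]][r["code"]] += 1
    return by_client


def summarize(records, account):
    """Human-readable lines, worst offender (most failures) first."""
    lines = []
    by_client = failures_for(records, account)
    for client, codes in sorted(by_client.items(),
                                key=lambda kv: -sum(kv[1].values())):
        for code, n in sorted(codes.items()):
            name = KRB_ERRORS.get(code, "error code %d" % code)
            lines.append("%s: %d x %s" % (client, n, name))
    return lines


if __name__ == "__main__":
    # Usage: python script.py failures.txt ACCOUNT   (defaults to the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            data, account = fh.read(), sys.argv[2]
    else:
        data, account = SAMPLE_EXPORT, "jdoe"
    for line in summarize(parse_export(data), account):
        print(line)
```

Running it on the constructed sample attributes two wrong-password failures and the resulting lockout error to 10.0.0.77 and one wrong-password failure to 10.0.0.91. An RDP session that uses Network Level Authentication is encrypted end to end, so the RDP stream itself (TCP port 3389) only tells you which client connected; the Kerberos exchange between that client and the DC is where the failure is visible.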