Mismatch in data from Azure EventHub Capture using Python consumer for AccountLogon Event 4776

Hrishikesh Tak 26 Reputation points
2020-07-21T13:07:58.48+00:00

Hi,
I am using the Python EventHubConsumerClient to retrieve AccountLogon data (Event 4776) from an Azure Event Hub Capture container.
But I am getting a mismatch in the data.
Example:
'properties': {
    'RecordId': 'AV6TU7DADHDRL4O-{54849625-5478-4994-A5BA-3E3B0328C30D}-17915203',
    'EventData': {
        'PackageName': 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0',
        'TargetUserName': 'user@keyman .com',
        'Workstation': 'vm000000',
        'Status': '0x0'
    }
}
As per Event 4776, the Source Workstation field shows the computer name, and my VM does not have the name (vm000000).

So how am I getting a different VM name in the Workstation field for the AccountLogon event?
What is this RecordId?

  1. JamesTran-MSFT 36,531 Reputation points Microsoft Employee
    2020-08-18T18:45:38.897+00:00

    @Hrishikesh Tak
    When looking at Event Log 4776 (credential validation), the Source Workstation is the VM/PC that you signed in with, and not the actual VM you're using, as you can see in my examples below:

    I RDP'd to jatranVM001 with a VMSS (jatran-vm00000E). From the screenshot, you can see that the Source Workstation was the VMSS I used to connect with, while the Computer name is the actual VM I'm connecting to/working on (jatranVM001).
    [screenshot: VMSS to jatranVM001]

    I tested this scenario multiple times just to confirm my findings:
    [screenshot: Laptop to jatranVM001]

    [screenshot: jatranVM001 to jatranVM001]

    When it comes to the RecordID, I didn't see it within the Event logs themselves; as you can see in my screenshot, it only shows "Event ID". However, I'd assume that it's the ID for the actual event log record.
    - When you go to the event logs themselves, are you able to see that RecordID?
    You can get to the logs by: Connecting to your VM -> Right click Windows Logo -> Select Event Viewer -> Windows Logs -> Security -> Filter for Event 4776

    Please let me know if you have any other questions regarding this issue.
    Thank you for your time and patience!

    4776(S, F): The computer attempted to validate the credentials for an account.


  2. HimanshuSinha-msft 19,376 Reputation points Microsoft Employee
    2020-07-22T21:43:51.297+00:00

    Hello HrishikeshTak-8848,

    Just to understand the implementation here: you are using the EventHubConsumerClient, so my understanding is that you are reading the events from an Event Hub. I understand there must be something which is reading the data and writing it to the EH, and from the thread I believe it's the container. Can you please dump the data which you are writing to the EH to a log file and see what Workstation name it is capturing?

    I will be surprised if it's other than vm000000. The EH will not be updating any fields; maybe the Workstation value is changed as you are using a container.

    Please do let me know how it goes.

    Thanks & stay safe

    Himanshu

    Please do consider clicking on "Accept Answer" and "Up-vote" on the post that helps you, as it can be beneficial to other community members.


  3. Hrishikesh Tak 26 Reputation points
    2020-07-23T09:17:00.487+00:00

    Actually, Event 4776 does not get generated on that VM, because this event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative; for local accounts, the local computer is authoritative.

    When I logged in using the local account, Event 4776 was generated on the local computer, and in Event Viewer I can see the proper name of the VM:
    EventData

    PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    TargetUserName user
    Workstation USER-VM-1
    Status 0x0

    But when I logged in using a domain user, Event 4776 was generated on the domain controller (Azure AD DS), not on the local computer. I also looked using Event Viewer on the local VM, but it is not there, and I don't know how to look for that event in Azure AD DS.

    The Event Hub shows this:
    'EventData': {'PackageName': 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0', 'TargetUserName': 'user@keyman .com', 'Workstation': 'vm000000', 'Status': '0x0'}

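As an added example (not code from the question or any of the answers), the following Python handles Event 4776 records in the dict shape posted in the thread: it splits the RecordId into its three visible parts, states which computer validated the credentials using the domain-versus-local rule given in the last post, and counts failed validations per source workstation, which is the defender's use of this field. The RecordId layout (prefix-{GUID}-number), the `make_record` helper and all sample records other than the one copied from the question are assumptions or constructed data.

```python
# Added example, not from the question or answers: work with Event 4776 records
# in the dict shape shown in the thread. The RecordId layout (prefix-{GUID}-number)
# is an assumption read off the posted sample; the thread does not document it.
from collections import Counter

PACKAGE_NAME = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"

def make_record(record_id, user, workstation, status):
    """Build a record in the question's shape (helper for constructed samples)."""
    return {"properties": {"RecordId": record_id, "EventData": {
        "PackageName": PACKAGE_NAME, "TargetUserName": user,
        "Workstation": workstation, "Status": status}}}

# Constructed samples: the first copies the values posted in the question.
SAMPLE_RECORDS = [
    make_record("AV6TU7DADHDRL4O-{54849625-5478-4994-A5BA-3E3B0328C30D}-17915203",
                "user@keyman .com", "vm000000", "0x0"),
    make_record("USER-VM-1-{54849625-5478-4994-A5BA-3E3B0328C30D}-42",
                "user", "USER-VM-1", "0x0"),
    # 0xC000006A is the documented 4776 status for a wrong password.
    make_record("AV6TU7DADHDRL4O-{54849625-5478-4994-A5BA-3E3B0328C30D}-17915204",
                "user@keyman .com", "vm000000", "0xC000006A"),
]

def split_record_id(record_id):
    """Split 'prefix-{GUID}-N' into (prefix, guid, n). The GUID in the sample is
    the ETW provider GUID of Microsoft-Windows-Security-Auditing; that the
    trailing number is the EventRecordID is an assumption, not documented here."""
    prefix, _, rest = record_id.partition("-{")
    guid, _, number = rest.partition("}-")
    return prefix, guid, int(number)

def validated_by(record):
    """Which computer logged the event: a domain account (UPN or DOMAIN\\user)
    is validated by the domain controller (Azure AD DS here), a local account
    by the local computer. Workstation is always the *source* of the logon."""
    user = record["properties"]["EventData"]["TargetUserName"]
    return "domain controller" if ("@" in user or "\\" in user) else "local computer"

def failures_by_workstation(records):
    """Detection helper: count failed validations (Status != 0x0) per source."""
    counts = Counter()
    for rec in records:
        data = rec["properties"]["EventData"]
        if data["Status"] != "0x0":
            counts[data["Workstation"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(split_record_id(rec["properties"]["RecordId"]), validated_by(rec))
    print(failures_by_workstation(SAMPLE_RECORDS))
```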