The SOC department in a multinational organization has collected logs of a security event as "Windows.events.evtx". Study the Audit Failure logs in the event log file located in the Documents folder of the "Attacker Machine-1" and determine the IP address of the attacker. (Note: The event ID of Audit failure logs is 4625.)
(Practical Question)
The IP address of the attacker is 10.10.1.16. This can be verified by analyzing the Windows.events.evtx file using a tool such as Event Viewer or Log Parser. The file contains several Audit Failure logs with event ID 4625, which indicate failed logon attempts to the system. The logs show that the source network address of the failed logon attempts is 10.10.1.16, which is the IP address of the attacker.
[Screenshot: Event Viewer showing an Audit Failure log]
Reference: Audit Failure Log, Windows.events.evtx
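The same check can be scripted instead of read off Event Viewer one record at a time. The following is an added example, not part of the original question or answer: it assumes the log has been exported to XML (for instance with `wevtutil qe Windows.events.evtx /lf:true /f:xml /e:Events`), and the embedded events, user names and the second address 10.10.1.22 are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, user, ip):
    # Helper that builds one constructed record in the Windows event XML layout.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        '<Data Name="LogonType">3</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample: three remote failures, one success, one local failure.
SAMPLE_XML = "<Events>" + "".join([
    _event(4625, "Admin", "10.10.1.16"),
    _event(4625, "Jason", "10.10.1.16"),
    _event(4624, "Jason", "10.10.1.22"),   # successful logon, must be ignored
    _event(4625, "Admin", "-"),            # local failure, no network address
    _event(4625, "Admin", "10.10.1.16"),
]) + "</Events>"

def failed_logon_sources(xml_text):
    """Return (Counter of source IP -> 4625 count, dict of IP -> user names tried)."""
    counts, users = Counter(), {}
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        ip = data.get("IpAddress", "-")
        if ip in ("", "-", "127.0.0.1", "::1"):
            continue  # no remote source recorded for this failure
        counts[ip] += 1
        users.setdefault(ip, set()).add(data.get("TargetUserName", ""))
    return counts, users

if __name__ == "__main__":
    counts, users = failed_logon_sources(SAMPLE_XML)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n} failed logons\tusers tried: {sorted(users[ip])}")
```

The address with the highest count of 4625 events is the one to investigate first; a source trying several account names is a further sign of password guessing.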