lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92

Closed
JeffAWarren opened this issue Jun 22, 2017 · 2 comments

Comments

@JeffAWarren

I noticed, when using lsadump::changentlm and lsadump::setntlm, that the SETPASSWORD privilege is still being requested. I see the following information in my Active Directory event logs after performing a password change:
* Event 4661 with privilege request for SetPassword (without knowledge of old password) (screenshot attached)
* Event 4723 for an attempt made to change an account's password
* Event 4738 for a user account being changed for the Password Last Set value

Domain Controller is Windows Server 2016:
Major: 10
Minor: 0
Build: 14393
Revision: 0
[Image: event4661]

@gentilkiwi
Owner

Hmm, I don't see the issue in your message

@JeffAWarren
Author

I may have misunderstood the intent of this command. I thought it would update the NTLM for a user without triggering the SETPASSWORD flag and avoid detection in event logs.
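For defenders, the three events listed in the opening comment can be correlated per target account. The following is an added example, not code from this issue or from the mimikatz project; the record schema, account names, timestamps and the 5-second window are assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Event IDs and the 4661 access string are the ones reported in the issue.
SEQUENCE = {4661, 4723, 4738}
SET_PASSWORD = "SetPassword (without knowledge of old password)"

# Simplified, hypothetical record schema (not the raw Windows event XML).
Ev = namedtuple("Ev", "time id subject target access", defaults=("",))

# Constructed sample records, deliberately out of order in places.
SAMPLE_EVENTS = [
    Ev("2017-06-22T10:00:05", 4738, "helpdesk", "alice"),
    Ev("2017-06-22T10:15:00", 4661, "opsadmin", "bob", "READ_CONTROL, " + SET_PASSWORD),
    Ev("2017-06-22T10:15:01", 4738, "opsadmin", "bob"),
    Ev("2017-06-22T10:15:01", 4723, "opsadmin", "bob"),
    Ev("2017-06-22T11:00:00", 4661, "svc_hr", "carol", "ReadAccount"),
    Ev("2017-06-22T11:00:01", 4723, "carol", "carol"),
    Ev("2017-06-22T11:00:01", 4738, "carol", "carol"),
    Ev("2017-06-22T12:00:00", 4661, "opsadmin", "dave", SET_PASSWORD),
    Ev("2017-06-22T12:30:00", 4723, "opsadmin", "dave"),
    Ev("2017-06-22T12:30:01", 4738, "opsadmin", "dave"),
]

def relevant(ev):
    """Keep 4723/4738, and 4661 only when it requests SetPassword access."""
    if ev.id == 4661:
        return SET_PASSWORD in ev.access
    return ev.id in SEQUENCE

def find_password_set_sequences(events, window_seconds=5):
    """Return (target, subjects, first_time) where all three IDs fall in one window."""
    window = timedelta(seconds=window_seconds)
    by_target = {}
    for ev in filter(relevant, events):
        by_target.setdefault(ev.target, []).append(
            (datetime.fromisoformat(ev.time), ev.id, ev.subject))
    hits = []
    for target, recs in by_target.items():
        recs.sort()  # logs may arrive out of order
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window forward
            span = recs[start:end + 1]
            if {r[1] for r in span} == SEQUENCE:
                hits.append((target, sorted({r[2] for r in span}), span[0][0].isoformat()))
                break  # one alert per target account
    return hits
```

On the constructed sample only `bob` is reported: `alice` has an isolated 4738, `carol`'s 4661 does not request SetPassword, and `dave`'s events fall outside the window.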
