Score:0

What's a good approach to finding the source application that's attempting to access a database with an incorrect password?


In order to improve our security posture, we changed several dozen internal applications over to using a new username and password to access an AS400 database a few months back.

However, there is some mystery process running on a Windows Server (that hosts our main SQL Server instance) that is still hitting the AS400 with the previous username and password. AS400 logs show that the source is this particular Windows Server.

We have searched everything we could think of to find where this old user/pass is being used.

  • We changed over our linked servers in SQL Server.
  • We disabled SQL Agent on that server.
  • We checked Services within Windows Server.
  • We checked Windows Server scheduled tasks.
  • I ran Wireshark for 20 minutes to see if I could get a network trace that would provide some clue.

We're running out of ideas. What could you recommend we do to try to locate the source application that is using the old username and password to our AS400?

tnk479: Thanks to whoever migrated this to Server Fault!
Score:0

Sysinternals' Procmon for GUI, or Sysmon if you have any kind of SOC/NOC/MSSP to receive the logs and analyze them.

With Procmon, just wait and see which application tried to contact said SQL server.

Ideally, I'd recommend trying to run Sysmon (and Winlogbeat) to ship logs to an ELK instance (there is a free daily 1GB on Logz.io that I use in my own lab).
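
One way to work through the Sysmon events the answer above suggests collecting, as an added example that is not part of the original answer: it groups network-connection events (Event ID 3) by process image and account for one destination address. The AS400 address, process names, accounts and port in the sample are constructed placeholders, and the events are assumed to be exported as XML under a single root element.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AS400_IP = "192.0.2.10"  # placeholder address (assumption); use the real AS400 IP

def _event(utc, pid, image, user, dst_ip, dst_port):
    """Build one constructed Sysmon Event ID 3 record (subset of its fields)."""
    fields = {"UtcTime": utc, "ProcessId": pid, "Image": image, "User": user,
              "DestinationIp": dst_ip, "DestinationPort": dst_port}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>3</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample; process names, accounts and ports are hypothetical.
SAMPLE = "<Events>" + "".join([
    _event("2024-01-01 02:00:01.100", "4312", r"C:\Apps\Legacy\nightly_sync.exe",
           r"CORP\svc_old", AS400_IP, "8471"),
    _event("2024-01-01 02:03:12.400", "2204", r"C:\Windows\System32\inetsrv\w3wp.exe",
           r"IIS APPPOOL\Intranet", "192.0.2.50", "443"),
    _event("2024-01-01 02:07:30.250", "2204", r"C:\Windows\System32\inetsrv\w3wp.exe",
           r"IIS APPPOOL\Intranet", AS400_IP, "8471"),
    _event("2024-01-01 02:15:01.090", "5120", r"C:\Apps\Legacy\nightly_sync.exe",
           r"CORP\svc_old", AS400_IP, "8471"),
]) + "</Events>"

def callers(xml_text, dest_ip):
    """Summarise which images (and accounts) opened connections to dest_ip."""
    hits = defaultdict(lambda: {"count": 0, "pids": set(), "seen": []})
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "3":
            continue  # only network-connection events
        d = {x.get("Name"): x.text or "" for x in ev.iterfind("e:EventData/e:Data", NS)}
        if d.get("DestinationIp") != dest_ip:
            continue
        h = hits[(d.get("Image", "?"), d.get("User", "?"))]
        h["count"] += 1
        h["pids"].add(d.get("ProcessId", "?"))
        h["seen"].append(d.get("UtcTime", ""))
    return sorted(
        ({"image": img, "user": usr, "count": h["count"], "pids": sorted(h["pids"]),
          "first": min(h["seen"]), "last": max(h["seen"])}
         for (img, usr), h in hits.items()),
        key=lambda r: -r["count"])

if __name__ == "__main__":
    for row in callers(SAMPLE, AS400_IP):
        print(row)
```

Changing process IDs under the same image with regular first/last timestamps point to a short-lived job that a 20-minute capture or a one-off process listing can miss.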
