Monitoring Windows AD account lockouts etc


Stephen Carr

Feb 23, 2015, 3:28:39 PM
to ossec...@googlegroups.com

Hey there all, I’m wading into the realm of Domain Controller security logs and what is possible for filtering events to get a more fine-grained alerting setup based on certain criteria that OSSEC picks up from the Windows security event log. I’ve been digging through the msauth XML rules file trying to get a sense of how it all works (plus reading up on building local rules in general) but haven’t been able to figure out the full ins and outs of rule criteria and what is in “play” vs what isn’t. The thing with Windows auditing of authentication is that many events (including successful ones) can all be grouped under one ID, so some of the pre-written rules in that XML file trigger a very broad swathe of events. Long story short, I’d like to use some of the “fine print” in an event to filter out the “noise”. Here is an example of an attempted login to a locked-out account in Kerberos:


AV - Alert - "1424475022" --> RID: "18105"; RL: "4"; RG: "windows,"; RC: "Windows audit failure event."; USER: "(no user)"; SRCIP: "None"; HOSTNAME: "(DC) 172.16.1.17->WinEvtLog"; LOCATION: "(DC) 192.168.1.1->WinEvtLog"; EVENT: "[INIT]2015 Feb 20 15:30:22 WinEvtLog: Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: (no user): no domain: DC.domain.com: Kerberos pre-authentication failed. Account Information: Security ID: S-1-5-21-361591302-153053782-000000000-0000 Account Name: USER Service Information: Service Name: krbtgt/domain.com Network Information: Client Address: ::ffff:192.168.1.2 Client Port: 32209 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x12 Pre-Authentication Type: 0 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.[END]";  


So, as you can see, this lands under rule 18105 due to it being event ID 4771 (much falls under 4771). The key identifier is the part that reads “Failure Code: 0x12”.

So, can I build a local rule to override the generic 4771 rule when that failure code is present? I’m assuming I can since the info was sent to OSSEC in the first place but I haven’t been successful. Any thoughts?

Thanks in advance

Steve
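One way to do what the post asks for, as an added example that is not from the thread or from the OSSEC project's own msauth rules: a local_rules.xml fragment that hangs child rules off the generic rule 18105 and keys on the "Failure Code" text that already appears in the 4771 event. Rule IDs 100101 to 100103 and the levels are assumptions (pick any free IDs in your local range); the failure-code meanings come from RFC 4120, where 0x12 is KDC_ERR_CLIENT_REVOKED (locked-out, disabled or expired account) and 0x18 is KDC_ERR_PREAUTH_FAILED (wrong password).

```xml
<!-- Added example, not part of the original thread or OSSEC's msauth_rules.xml.
     Refines OSSEC's generic rule 18105 ("Windows audit failure event")
     for Kerberos event ID 4771 by matching on the failure code.
     Rule IDs 100101-100103 are assumed to be unused in local_rules.xml. -->
<group name="local,windows,authentication_failed,">

  <!-- Fires only when the 4771 event carries failure code 0x12
       (KDC_ERR_CLIENT_REVOKED: account locked out, disabled or expired).
       Being a child of 18105, it replaces that generic alert for these events. -->
  <rule id="100101" level="7">
    <if_sid>18105</if_sid>
    <id>^4771$</id>
    <match>Failure Code: 0x12</match>
    <description>Kerberos pre-authentication failed for a locked-out or disabled account (4771, failure code 0x12).</description>
  </rule>

  <!-- Plain wrong-password attempts (0x18, KDC_ERR_PREAUTH_FAILED) stay at a
       low level individually; the rule below raises them when they repeat. -->
  <rule id="100102" level="4">
    <if_sid>18105</if_sid>
    <id>^4771$</id>
    <match>Failure Code: 0x18</match>
    <description>Kerberos pre-authentication failed: bad password (4771, failure code 0x18).</description>
  </rule>

  <!-- Escalate when rule 100102 keeps firing inside a two-minute window. -->
  <rule id="100103" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <description>Repeated Kerberos pre-authentication failures (bad password) within 2 minutes.</description>
  </rule>
</group>
```

To check the rules before restarting the manager, paste the raw event text (from `WinEvtLog: Security: AUDIT_FAILURE(4771)` onward) into `/var/ossec/bin/ossec-logtest` and confirm that rule 100101 fires instead of 18105. Note that the alert in the post shows `SRCIP: "None"`, so the stock Windows event log decoder is not extracting the `Client Address` field; correlating repeats per source with `<same_source_ip />` would therefore need a custom decoder, which is why the escalation rule above counts all repeats rather than repeats per client.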

Derek Morris

Feb 24, 2015, 8:55:30 AM
to ossec...@googlegroups.com
Would be happy to share my local_rules.xml and the msauth.xml "tweaked" version I use. Let me know.

Stephen Carr

Feb 24, 2015, 4:09:34 PM
to ossec...@googlegroups.com
That would be really helpful for sure.
Thanks
Steve

gr...@castraconsulting.com

Feb 24, 2015, 7:37:21 PM
to ossec...@googlegroups.com
I would be interested in those as well.

I have a few generic ones for other events of interest (workstation lock, console logon, network logon), but I am missing some good differentiation in failures and 4625-type events (related to your 4771).

guga...@gmail.com

Nov 25, 2015, 6:48:14 AM
to ossec-list
Hi Derek, I have the same issue with event 4771.

Could you send me your custom rules?

Regards

Gustavo

Phillipa Moorea

Nov 25, 2015, 9:32:09 AM
to ossec-list
I would be interested in this as well! Thanks!

namobud...@gmail.com

Nov 25, 2015, 11:01:28 AM
to ossec-list
+1