Wazuh Events logs Investigations


Sandeep Trivedi

Feb 27, 2023, 5:08:30 AM2/27/23
to Wazuh mailing list
Hello,

What is the exact meaning of "Successful Remote Logon Detected - NTLM authentication, possible pass-the-hash attack"? How do I investigate the generated events?

Lucio Donda

Feb 27, 2023, 6:52:50 AM2/27/23
to Wazuh mailing list
Hi Sandeep,
That message can be generated by triggering the rules:

<rule id="92652" level="6">
  <if_sid>92651</if_sid>
  <field name="win.eventdata.authenticationPackageName" type="pcre2">NTLM</field>
  <description>Successful Remote Logon Detected - User:$(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) - NTLM authentication, possible pass-the-hash attack.</description>
  <mitre>
    <id>T1550.002</id>
    <id>T1078.002</id>
  </mitre>
  <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

If you look for those MITRE ids you may find this and this.

There you can see that those scenarios are related to authenticating without having the cleartext password (using the hash directly) and using accounts after that.
You can find detection, mitigation, and procedure examples on both links I've shared, mainly improving password security (two-factor), applying some patches, etc. But those options can vary depending on how you've configured that system.
Either way, I think there's plenty of info there; let me know if it helps.
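To make the rule logic above concrete for triage, here is an added Python example (not part of the original thread and not Wazuh's own code) that applies rule 92652's match to a handful of constructed alerts in the shape of Wazuh's decoded Windows events, renders the same description template, and groups the hits by source address so an analyst can see which host is producing NTLM remote logons and under how many accounts. The parent rule 92651 is not shown in the thread, so the stand-in here (event 4624 with a network or RemoteInteractive logon type) is an assumption, as are all sample field values.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the win.system / win.eventdata shape that
# Wazuh's Windows decoder produces. These are made-up records, not real logs.
SAMPLE_EVENTS = [
    {"win": {"system": {"eventID": "4624"},
             "eventdata": {"logonType": "3", "authenticationPackageName": "NTLM",
                           "subjectDomainName": "CORP", "targetUserName": "svc_backup",
                           "ipAddress": "10.0.0.25", "workstationName": "WS01"}}},
    {"win": {"system": {"eventID": "4624"},
             "eventdata": {"logonType": "3", "authenticationPackageName": "Kerberos",
                           "subjectDomainName": "CORP", "targetUserName": "alice",
                           "ipAddress": "10.0.0.40", "workstationName": "WS07"}}},
    {"win": {"system": {"eventID": "4624"},
             "eventdata": {"logonType": "2", "authenticationPackageName": "NTLM",
                           "subjectDomainName": "CORP", "targetUserName": "bob",
                           "ipAddress": "-", "workstationName": "WS03"}}},
    {"win": {"system": {"eventID": "4624"},
             "eventdata": {"logonType": "3", "authenticationPackageName": "NTLM",
                           "subjectDomainName": "CORP", "targetUserName": "administrator",
                           "ipAddress": "10.0.0.25", "workstationName": "WS01"}}},
]

# Assumption: logon types treated as "remote" by the hypothetical parent rule.
# 3 = network, 10 = RemoteInteractive.
REMOTE_LOGON_TYPES = {"3", "10"}

# The rule's <field type="pcre2">NTLM</field> is a regex search on the field value.
NTLM_PATTERN = re.compile(r"NTLM")


def matches_rule_92651(event):
    """Hypothetical parent rule: successful logon (4624) with a remote logon type.
    The real rule 92651 is not shown in the thread; this is a stand-in."""
    win = event.get("win", {})
    return (win.get("system", {}).get("eventID") == "4624"
            and win.get("eventdata", {}).get("logonType") in REMOTE_LOGON_TYPES)


def matches_rule_92652(event):
    """Child rule from the thread: parent matched AND authenticationPackageName ~ NTLM."""
    if not matches_rule_92651(event):
        return False
    package = event["win"]["eventdata"].get("authenticationPackageName", "")
    return NTLM_PATTERN.search(package) is not None


def describe(event):
    """Render the rule's description with the same $(field) substitutions Wazuh applies."""
    data = event["win"]["eventdata"]
    return ("Successful Remote Logon Detected - User:%s\\%s - NTLM authentication, "
            "possible pass-the-hash attack." % (data["subjectDomainName"],
                                                data["targetUserName"]))


def triage(events):
    """Group matching alerts by (source IP, workstation) with the distinct target
    accounts seen, so one host logging on as many accounts stands out for review."""
    by_source = defaultdict(lambda: {"accounts": set(), "count": 0})
    for ev in events:
        if not matches_rule_92652(ev):
            continue
        d = ev["win"]["eventdata"]
        entry = by_source[(d.get("ipAddress", "-"), d.get("workstationName", "-"))]
        entry["accounts"].add(d["targetUserName"])
        entry["count"] += 1
    return {key: {"count": v["count"], "accounts": sorted(v["accounts"])}
            for key, v in by_source.items()}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if matches_rule_92652(ev):
            print(describe(ev))
    for (ip, host), info in triage(SAMPLE_EVENTS).items():
        print(f"{ip} ({host}): {info['count']} NTLM remote logons as {info['accounts']}")
```

In the sample set only the two network logons that used NTLM fire the rule; the Kerberos logon and the local interactive NTLM logon do not. The triage summary then shows a single source host authenticating as two different accounts, which is the kind of pattern worth checking against the MITRE guidance Lucio linked (whether NTLM is expected from that host at all, whether the accounts normally log on from there, and whether the source machine itself is healthy).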

Lucio Donda

Feb 28, 2023, 6:56:21 AM2/28/23
to Wazuh mailing list
Hi Sandeep,
First of all, in order for other users to have access to replies and the whole conversation, I encourage you to continue this conversation by replying to all; this way anyone can access it through this Google group.
Besides that, what do you mean by a step-by-step investigation of security events and integrity monitoring in Wazuh?
Some of the many features that Wazuh has are:
File integrity monitoring (more info here)
Vulnerability detection
Monitoring security policies
and much more.
Everything is documented on our website. Are you interested in any particular feature? Do you have an issue with some implementation?
Have a great day!