detect user account lockout after multiple failed login attempts


Brummbär

Jun 19, 2024, 4:17:38 AM
to Wazuh | Mailing List

Hi, I use Windows endpoints and my goal is to find out whether a user account has been locked due to multiple incorrect password attempts.
First I have created two rules as follows in local_rules.xml:
<!-- The rule 100200 is triggered only when rule 100123 was previously triggered 10 times in 90 seconds -->
<rule id="100200" level="10" frequency="10" timeframe="90" ignore="3">
    <if_matched_sid>100123</if_matched_sid>
    <description>multiple wrong passwords</description>
    <mitre>
        <id>T1110</id>
    </mitre>
    <group>authentication_failure</group>
</rule>
This is triggered 10x and then rule 100200:

<rule id="100123" level="10">
    <if_group>windows</if_group>
    <field name="win.system.eventID">12345</field>
    <description>wrong password</description>
    <group>authentication_failure</group>
</rule>
This works fine: after 10 failed passwords, event 100200 is shown in the dashboard.
However, the following doesn't work:

I have added 2 additional rules, 100302 and 100002.

My goal is to find out if a user account was locked out due to many failed password attempts.

Therefore I want to trigger an event 100302 when both events 100200 and 100002 have occurred, i.e. when a user account was locked (100002) after 10 wrong password attempts (100200).

So I think that I need an "and" condition like "trigger 100302 only if 100200 & 100002 have occurred".

I have tried to solve this using some combination of <if_sid> and <if_matched_sid> without success, for example:
<rule id="100302" level="10">
    <if_sid>100200,100002</if_sid> <!-- I also tried <if_matched_sid> -->
    <description>Account locked after 10x wrong password</description>
    <group>authentication_locked</group>
</rule>
The Windows event 4740 is logged after 10x wrong passwords (I see this in my event log):

<rule id="100002" level="10">
    <if_group>windows</if_group>
    <field name="win.system.eventID">4740</field>
    <description>Account locked</description>
    <group>authentication_locked</group>
</rule>
What should my rules look like so that I get the following result:
10x:
wrong password (event 100123)
wrong password (event 100123)
wrong password (event 100123)
...

multiple wrong passwords (event 100200) - after 10x 100123 was triggered

Account locked (event 100002) - after 100200 was triggered

Jeremiah Kolawole

Jun 19, 2024, 5:08:08 AM
to Wazuh | Mailing List
Hello Brummbär,

Please allow me to test this rule in my environment and I'll get back to you with my findings.

Regards

Jeremiah Kolawole

Jun 19, 2024, 7:17:11 AM
to Wazuh | Mailing List
Hello Brummbär,

I have taken a look at the rule and here are my findings.

Wazuh has default rules to detect different Windows security events, including:
- User account lockout - multiple login error
- Logon failure - account lockout

While your first and second rules work well to alert you when there are multiple failed logins, you can create the third rule to meet your use case like below:


<rule id="100302" level="10">
    <if_matched_sid>100123</if_matched_sid>
    <if_sid>100200</if_sid>
    <field name="win.system.eventID">4740</field>
    <description>Account locked</description>
</rule>

This way, when the two previous rules are triggered, rule 100302 will get triggered.

I hope this helps.

Regards
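As an added example (not from the thread and not Wazuh code), the Python below replays the correlation this thread is after over constructed sample events: rule 100123 for each failed logon, 100200 once 10 of them for the same account fall within 90 seconds, and 100302 only when event 4740 for that account follows a 100200. It assumes the standard Windows failed-logon event 4625 in place of the thread's placeholder 12345, and a 60-second window between 100200 and the lockout.

```python
from collections import deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows "An account failed to log on" (assumed; the thread uses placeholder 12345)
LOCKOUT = 4740        # Windows "A user account was locked out", as in the thread
THRESHOLD, TIMEFRAME = 10, 90   # rule 100200: 10 matches of 100123 within 90 s
LOCK_WINDOW = 60                # assumption: how soon after 100200 the 4740 must arrive

def correlate(events, threshold=THRESHOLD, timeframe=TIMEFRAME, lock_window=LOCK_WINDOW):
    """Replay (timestamp, event_id, account) tuples in time order and return
    alerts as (rule_id, account, timestamp), mirroring the thread's rule chain."""
    alerts, recent, burst_at = [], {}, {}
    for ts, event_id, account in sorted(events):
        if event_id == FAILED_LOGON:
            alerts.append((100123, account, ts))
            window = recent.setdefault(account, deque())
            window.append(ts)
            # drop failures older than the timeframe (sliding window per account)
            while (ts - window[0]).total_seconds() > timeframe:
                window.popleft()
            if len(window) >= threshold:
                alerts.append((100200, account, ts))
                burst_at[account] = ts
                window.clear()   # like Wazuh's ignore: one alert per burst
        elif event_id == LOCKOUT:
            alerts.append((100002, account, ts))
            fired = burst_at.get(account)   # 100302 needs a recent 100200 for the same account
            if fired is not None and 0 <= (ts - fired).total_seconds() <= lock_window:
                alerts.append((100302, account, ts))
    return alerts

def rules_for(alerts, account):
    """Rule ids raised for one account, in firing order."""
    return [rule_id for rule_id, acct, _ in alerts if acct == account]

def sample_events():
    """Constructed sample, not real logs: alice is brute-forced then locked out,
    bob is locked out after only 3 failures (no burst), carol fails slowly."""
    t0 = datetime(2024, 6, 19, 4, 0, 0)
    events = [(t0 + timedelta(seconds=5 * i), FAILED_LOGON, "alice") for i in range(10)]
    events.append((t0 + timedelta(seconds=52), LOCKOUT, "alice"))
    events += [(t0 + timedelta(seconds=3 * i), FAILED_LOGON, "bob") for i in range(3)]
    events.append((t0 + timedelta(seconds=20), LOCKOUT, "bob"))
    events += [(t0 + timedelta(seconds=25 * i), FAILED_LOGON, "carol") for i in range(10)]
    return events

if __name__ == "__main__":
    for rule_id, account, ts in correlate(sample_events()):
        print(ts.time(), account, rule_id)
```

Only alice ends with 100302; bob's lockout arrives without a preceding 100200 and carol never reaches 10 failures inside 90 seconds.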