Silence false/positive alerts - Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication


EugenX

Dec 10, 2025, 1:33:13 PM
to Wazuh | Mailing List
Hello. I keep on receiving hundreds of false-positive alerts in my Slack account, Rule ID 92657 (Level 6).
How do I remove the trigger or silence the alert? I need some help with this one, thank you.
Log:

Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that TESTING-PC is allowed to perform RDP connections
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4624","version":"2","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2025-12-10T06:44:14.9584278Z","eventRecordID":"688058","processID":"1128","threadID":"16060","channel":"Security","computer":"John-PC.ga.intranet","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Information:\r\n\tLogon Type:\t\t3\r\n\tRestricted Admin Mode:\t-\r\n\tVirtual Account:\t\tNo\r\n\tElevated Token:\t\tNo\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x1A2D14E0\r\n\tLinked Logon ID:\t\t0x0\r\n\tNetwork Account Name:\t-\r\n\tNetwork Account Domain:\t-\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tTESTING-PC\r\n\tSource Network Address:\t192.168.00.***\r\n\tSource Port:\t\t6404\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x1a2d14e0","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"TESTING-PC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"192.168.**.***","ipPort":"6404","impersonationLevel":"%%1833","virtualAccount":"%%1843","targetLinkedLogonId":"0x0","elevatedToken":"%%1843"}}}
Agent: (014) - John-PC
Location: EventChannel
Rule ID: 92657 (Level 6)


Olamilekan Abdullateef Ajani

Dec 10, 2025, 2:22:49 PM
to Wazuh | Mailing List
Hello,

There are different ways to go about this. I see this is a "Successful Remote Logon" for ANONYMOUS LOGON with logonType 3, which simply means a network type of login ("accessed a resource over network"). This could also mean a possible pass-the-hash or RDP attempt, so you need to be careful and investigate this properly to be sure something else is not going on.

You could silence this with a custom rule here: /var/ossec/etc/rules/local_rules.xml

<group name="custom,">
  <!-- Level 0 child of 92657: when both fields match, this rule wins and no alert is raised -->
  <rule id="100011" level="0">
    <if_sid>92657</if_sid>
    <field name="win.eventdata.targetUserName">ANONYMOUS LOGON</field>
    <field name="win.eventdata.logonType">^3$</field>
    <description>Ignore false positives for anonymous NTLM logon</description>
  </rule>
</group>

This would silence events that match rule 92657 with the user ANONYMOUS LOGON and logon type 3.

However, you could also ignore this at the source by ensuring the agents don't capture the logs; this means adding the query to the agents' localfile block.

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- Keep every Security record except 4624 network (type 3) logons by ANONYMOUS LOGON.
       The three "!=" terms joined by "or" are the negation of (4624 and type 3 and anonymous),
       written this way so the query stays inside the XPath subset the Windows Event Log accepts.
       For any record that is not a 4624 the first term is already true, so nothing else is lost. -->
  <query>Event[System/EventID != 4624 or EventData/Data[@Name='LogonType'] != 3 or EventData/Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']</query>
</localfile>


The above would capture every other logon except for logon type 3 where the user is ANONYMOUS LOGON.

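A way to check what a localfile <query> really lets through before pushing it to agents, as an added Python model that is not part of the thread or of Wazuh: it builds a few constructed Security-channel records in the Windows Event XML layout the query is evaluated against (System/EventID and EventData/Data[@Name='…']) and applies two predicates to them, one in the form `Event[System/EventID = 4624 and (LogonType = 3 and TargetUserName != 'ANONYMOUS LOGON')]` and one in the inverse form written with `!=` and `or`. The event IDs and user names in the samples are made up.

```python
import xml.etree.ElementTree as ET

# Constructed Security-channel records, reduced to the fields the query touches.
# A real record carries many more <Data> elements; IDs and names are made up.
SAMPLE_EVENTS = [
    ("4624 type 3 by ANONYMOUS LOGON (the noisy one)", 4624,
     {"TargetUserName": "ANONYMOUS LOGON", "LogonType": "3"}),
    ("4624 type 3 by a domain user", 4624,
     {"TargetUserName": "jdoe", "LogonType": "3"}),
    ("4624 type 10 RDP logon", 4624,
     {"TargetUserName": "jdoe", "LogonType": "10"}),
    ("4625 failed logon", 4625,
     {"TargetUserName": "administrator", "LogonType": "3"}),
    ("4672 special privileges assigned", 4672,
     {"SubjectUserName": "jdoe"}),
]


def build_event(event_id, data):
    """Lay the sample out like the XML the agent's <query> is evaluated against:
    <Event><System><EventID>..</EventID></System><EventData><Data Name=".."/>..</EventData></Event>"""
    event = ET.Element("Event")
    system = ET.SubElement(event, "System")
    ET.SubElement(system, "EventID").text = str(event_id)
    event_data = ET.SubElement(event, "EventData")
    for name, value in data.items():
        ET.SubElement(event_data, "Data", Name=name).text = value
    return event


def event_id(event):
    return int(event.findtext("System/EventID"))


def data_field(event, name):
    """EventData/Data[@Name='name'] as a string, or None when the record has no such field."""
    node = event.find(f"EventData/Data[@Name='{name}']")
    return node.text if node is not None else None


def collection_query(event):
    """Event[System/EventID = 4624 and (LogonType = 3 and TargetUserName != 'ANONYMOUS LOGON')]
    Every term must hold at once, so only one narrow class of record is forwarded."""
    return (event_id(event) == 4624
            and data_field(event, "LogonType") == "3"
            and data_field(event, "TargetUserName") != "ANONYMOUS LOGON")


def exclusion_query(event):
    """Event[System/EventID != 4624 or LogonType != 3 or TargetUserName != 'ANONYMOUS LOGON']
    De Morgan's negation of (4624 and type 3 and anonymous): any one mismatch keeps the record.
    XPath treats a comparison against a missing Data element as false; the None checks model that."""
    logon_type = data_field(event, "LogonType")
    user = data_field(event, "TargetUserName")
    return (event_id(event) != 4624
            or (logon_type is not None and logon_type != "3")
            or (user is not None and user != "ANONYMOUS LOGON"))


def collected(predicate, events=SAMPLE_EVENTS):
    """Labels of the sample records the predicate would let the agent forward."""
    return [label for label, eid, data in events if predicate(build_event(eid, data))]


if __name__ == "__main__":
    for name, pred in (("collection form", collection_query), ("exclusion form", exclusion_query)):
        print(f"{name} forwards {len(collected(pred))} of {len(SAMPLE_EVENTS)} sample records:")
        for label in collected(pred):
            print("  ", label)
```

Run it and the collection form forwards only the 4624 type-3 logon by a named user and drops the RDP logon, the failed logon and the privilege event, so it is a whitelist rather than an exclusion; the inverse form forwards everything except the anonymous type-3 logon. The same two node paths are all you need to write further queries against other event IDs and Data fields.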

EugenX

Dec 11, 2025, 10:11:26 AM
to Wazuh | Mailing List
Thank you very much, will test later today.

EugenX

Dec 14, 2025, 5:17:22 PM
to Wazuh | Mailing List
Thank you very much, I've been using this rule on the agent side and everything works fine. I have another notification that is killing me; could you please help me with the query to use on the agents' side? After that I think I will understand how to make my own queries. Thank you in advance.

Wazuh Notification.
2025 Dec 12 12:55:12

Received From: (Test-PC) any->EventChannel
Rule: 92214 fired (level 15) -> "Suspicious file created by Microsoft Office process: C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE created C:\\Users\\test.user\\AppData\\Roaming\\Microsoft\\Office\\Recent\\New-Policy-2025.LNK"
User: RT\test.user"
Portion of the log(s):

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-12-12T10:55:11.1222325Z","eventRecordID":"12713268","processID":"4656","threadID":"7000","channel":"Microsoft-Windows-Sysmon/Operational","computer":"Test-PC.RT.intranet","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: technique_id=T1187,technique_name=Forced Authentication\r\nUtcTime: 2025-12-12 10:55:11.116\r\nProcessGuid: {f0f0f557-f0ec-693b-043b-000000001300}\r\nProcessId: 26052\r\nImage: C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\r\nTargetFilename: C:\\Users\\test.user\\AppData\\Roaming\\Microsoft\\Office\\Recent\\New-Policy-2025.LNK\r\nCreationUtcTime: 2025-12-12 10:39:42.190\r\nUser: RT\\test.user\""},"eventdata":{"ruleName":"technique_id=T1187,technique_name=Forced Authentication","utcTime":"2025-12-12 10:55:11.116","processGuid":"{f0f0f557-f0ec-693b-043b-000000001300}","processId":"26052","image":"C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\Office16\\\\WINWORD.EXE","targetFilename":"C:\\\\Users\\\\test.user\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\New-Policy-2025.LNK","creationUtcTime":"2025-12-12 10:39:42.190","user":"RT\\\\test.user"}}}
win.system.providerName: Microsoft-Windows-Sysmon
win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
win.system.eventID: 11
win.system.version: 2
win.system.level: 4
win.system.task: 11
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2025-12-12T10:55:11.1222325Z
win.system.eventRecordID: 12713268
win.system.processID: 4656
win.system.threadID: 7000
win.system.channel: Microsoft-Windows-Sysmon/Operational
win.system.computer: Test-PC.RT.intranet
win.system.severityValue: INFORMATION
win.system.message: "File created:
RuleName: technique_id=T1187,technique_name=Forced Authentication
UtcTime: 2025-12-12 10:55:11.116
ProcessGuid: {f0f0f557-f0ec-693b-043b-000000001300}
ProcessId: 26052
Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
TargetFilename: C:\Users\test.user\AppData\Roaming\Microsoft\Office\Recent\New-Policy-2025.LNK
CreationUtcTime: 2025-12-12 10:39:42.190
User: RT\test.user"

win.eventdata.ruleName: technique_id=T1187,technique_name=Forced Authentication
win.eventdata.utcTime: 2025-12-12 10:55:11.116
win.eventdata.processGuid: {f0f0f557-f0ec-693b-043b-000000001300}
win.eventdata.processId: 26052
win.eventdata.image: C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE
win.eventdata.targetFilename: C:\\Users\\test.user\\AppData\\Roaming\\Microsoft\\Office\\Recent\\New-Policy-2025.LNK
win.eventdata.creationUtcTime: 2025-12-12 10:39:42.190
win.eventdata.user: RT\\test.user

 --END OF NOTIFICATION



Olamilekan Abdullateef Ajani

Dec 15, 2025, 8:26:09 AM
to Wazuh | Mailing List
Hello once again,

Glad the initial issue has been fixed. The new issue you shared originates from Sysmon, which is not part of the default Windows event channel log monitoring; however, its events can be collected through this method, as you have done.
To filter this out, my suggestion would be to do it at the source, Sysmon.

You can edit your Sysmon configuration and apply it with sysmon64.exe -c.
Check the service: Get-Service | Where-Object {$_.Name -like "*sysmon*"}

Then export the current configuration: sysmon64.exe -c > C:\current-sysmon-config.txt

You can use the filter below based on the alert you shared:

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Merge this into your existing configuration: "sysmon64.exe -c <file>" replaces the
         whole rule set, so a file containing only this block would drop every other filter. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude">
        <!-- Exclude Office Recent LNK files from Event ID 11. The two filters are AND-ed inside
             one Rule; listed side by side they would be OR-ed, and the ".LNK" filter on its own
             would hide every shortcut written anywhere on the host. -->
        <Rule name="office-recent-lnk" groupRelation="and">
          <TargetFilename condition="contains">\Office\Recent\</TargetFilename>
          <TargetFilename condition="end with">.LNK</TargetFilename>
        </Rule>
        <!-- Add more exclusions as needed. This one is broad (Temp is a common staging
             directory for droppers); narrow it to specific images or names if you keep it. -->
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Create the template: C:\sysmon-config.xml

Apply the configuration and test: sysmon64.exe -c C:\sysmon-config.xml

The commands should be run from an elevated (admin) PowerShell.

Please let me know what you find.