Hi,
the current rule for Multiple Windows Logon Failures doesn't take the user into account; it just looks for the win_authentication_failed group.
<rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<description>Multiple Windows Logon Failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,</group>
</rule>
You could use the <same_user/> tag like in this rule:
<rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_sid>18108</if_matched_sid>
<same_user />
<description>Windows: Multiple failed attempts to perform a privileged operation by the same user.</description>
<group>pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,</group>
</rule>
same_user looks for the "dstuser" field.
Let me know if you have any questions.
Regards.
On Monday, July 31, 2017 at 1:03:08 PM UTC+2, Kurtuluş Karasu wrote:
Hi,
Too many Multiple Windows Logon Failures occur, but not for the same user.
How can I make it the same user before Multiple Windows Logon Failures?
The decoder output is not the real same user.
2017 Jul 31 13:45:22 WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
DC.hacker.testlab: An account failed to log on. Subject: Security ID:
S-1-5-18 Account Name: DC$ Account Domain: HACKER Logon ID:
0x3e7 Logon Type: 7 Account For Which Logon Failed: Security ID:
S-1-0-0 Account Name: Administrator Account Domain: HACKER
Failure Information: Failure Reason: %%2313 Status: 0xc000006d
Sub Status: 0xc000006a Process Information: Caller Process ID:
0x1a0 Caller Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: DC Source Network Address: 127.0.0.1
Source Port: 0 Detailed Authentication Information: Logon Process:
User32 Authentication Package: Negotiate Transited Services: -
Package Name (NTLM only): - Key Length: 0 This event is generated
when a logon request fails. It is generated on the computer where
access was attempted.
**Phase 1: Completed pre-decoding.
full event: '2017 Jul 31 13:45:22 WinEvtLog: Security:
AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user):
no domain: DC.hacker.testlab: An account failed to log on. Subject:
Security ID: S-1-5-18 Account Name: DC$ Account Domain: HACKER
Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon Failed:
Security ID: S-1-0-0 Account Name: Administrator Account Domain:
HACKER Failure Information: Failure Reason: %%2313 Status:
0xc000006d Sub Status: 0xc000006a Process Information: Caller
Process ID: 0x1a0 Caller Process Name:
C:\Windows\System32\winlogon.exe Network Information: Workstation
Name: DC Source Network Address: 127.0.0.1 Source Port: 0 Detailed
Authentication Information: Logon Process: User32 Authentication
Package: Negotiate Transited Services: - Package Name (NTLM only): -
Key Length: 0 This event is generated when a logon request fails.
It is generated on the computer where access was attempted.'
hostname: 'localhost'
program_name: 'WinEvtLog'
log: 'Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
DC.hacker.testlab: An account failed to log on. Subject: Security ID:
S-1-5-18 Account Name: DC$ Account Domain: HACKER Logon ID:
0x3e7 Logon Type: 7 Account For Which Logon Failed: Security ID:
S-1-0-0 Account Name: Administrator Account Domain: HACKER
Failure Information: Failure Reason: %%2313 Status: 0xc000006d
Sub Status: 0xc000006a Process Information: Caller Process ID:
0x1a0 Caller Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: DC Source Network Address: 127.0.0.1
Source Port: 0 Detailed Authentication Information: Logon Process:
User32 Authentication Package: Negotiate Transited Services: -
Package Name (NTLM only): - Key Length: 0 This event is generated
when a logon request fails. It is generated on the computer where
access was attempted.'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '4625'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'DC.hacker.testlab'
account_name: 'DC$'
account_domain: 'HACKER'
logon_id: '0x3e7'
srcip: '127.0.0.1'
**Phase 3: Completed filtering (rules).
Rule id: '18130'
Level: '5'
Description: 'Windows: Logon Failure - Unknown user or bad password.'
Info - Link: 'http://www.ultimatewindowssecurity.com/events/com190.html'
**Alert to be generated.
Regards,
Kurtuluş
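To illustrate the point made in the reply about <same_user/> keying on dstuser, here is a constructed Python model (added here; it is not part of the thread and not Wazuh's own code) of how a frequency/timeframe rule behaves on the 4625 event above when the correlation key is the decoder's dstuser ('(no user)') versus the "Account For Which Logon Failed" name pulled out with an assumed regex. The sample lines, timestamps and account names are constructed, and the counting/reset logic is a simplification of the real engine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Template of the 4625 line from the thread; timestamp and target account are constructed slots.
TEMPLATE = (
    "{ts} WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: DC.hacker.testlab: "
    "An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: DC$ "
    "Account Domain: HACKER Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon "
    "Failed: Security ID: S-1-0-0 Account Name: {target} Account Domain: HACKER "
    "Failure Information: Failure Reason: %%2313 Status: 0xc000006d"
)

# Assumed regex (not Wazuh's decoder): 'dstuser' is the field the decoder fills
# with '(no user)'; 'target' is the 'Account For Which Logon Failed' name.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) WinEvtLog: Security: AUDIT_FAILURE\(4625\): "
    r"\S+: (?P<dstuser>[^:]+): [^:]+: \S+: .*?Account For Which Logon Failed: "
    r"Security ID: \S+ Account Name: (?P<target>\S+) "
)

def parse(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
    return {"ts": ts, "dstuser": m["dstuser"], "target": m["target"]}

def correlate(lines, key, frequency, timeframe):
    """Simplified frequency/timeframe/same_user model: alert once `frequency` events
    sharing the same `key` value fall within `timeframe` seconds, then reset that
    key's window. The real engine's counting and reset rules differ in detail."""
    windows = defaultdict(deque)
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = windows[ev[key]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ev[key], ev["ts"].strftime("%H:%M:%S")))
            q.clear()
    return alerts

# Constructed sample: six failures in under a minute against three accounts.
SAMPLE = [TEMPLATE.format(ts=f"2017 Jul 31 13:45:{s:02d}", target=t) for s, t in
          [(0, "Administrator"), (10, "svc_backup"), (20, "Administrator"),
           (30, "jdoe"), (40, "svc_backup"), (50, "Administrator")]]
```

Keyed on dstuser every event collapses into the single '(no user)' bucket, so the rule fires on any three failures regardless of account; keyed on the failed account name it fires only for Administrator, which is what the original question was after.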