Security

How to audit security logs to find password compromises?

New Member

We audit the security logs looking for password compromises. A user will put the password in as the username, resulting in a 4625. The user will then log in within minutes on the same machine and show a 4624. We then have the user name and the password.

We currently use the command below. This shows us the password compromise and the workstation name. I am trying to figure out how to add a line to show the 4624s within 120 seconds of a failed logon.

4625 | stats count by Account_Name, Workstation_Name | sort - Account_Name

0 Karma

Path Finder

To narrow down to a possible password in the username field, you need to add the Sub_Status field for a value of "0xc0000064"
index=wineventlog EventCode=4625 Sub_Status="0xc0000064"
This will return failed logon attempts where "Username does not exist."

The problem you have is that you will have a username that doesn't exist (likely a typo of the user's name, but sometimes it is a password) and then you will have a valid username. Therefore, your transaction cannot be by the Account_Name field. If your target is a workstation, you can probably remove Account_Name from the transaction. Things will be more difficult if you're working with an RDP server or something else with lots of logons from different users.

Explore your data with the addition of the Sub_Status - I think that will get you closer to where you want to be.

0 Karma

New Member

index=wineventlog (EventCode=4624 OR EventCode=4625)
| transaction Account_Name, Workstation_Name startswith="EventCode=4625" endswith="EventCode=4624" maxspan=120s
| search EventCode=4624 EventCode=4625 Account_Name!="-"
| table _time Account_Name, Workstation_Name

0 Karma

Legend

Hi thomasbchurch,
To have the 4624 within 120 seconds after the 4625 is easy using the transaction command; the problem is knowing that it's a compromised password and not a simple logon failure.
Anyway, try:

index=wineventlog (EventCode=4624 OR EventCode=4625) 
| transaction Account_Name, Workstation_Name startswith="EventCode=4625" endswith="EventCode=4624" maxspan=120s
| search EventCode=4624 EventCode=4625 
| table _time Account_Name, Workstation_Name

Bye.
Giuseppe

0 Karma

New Member

That worked, thank you! The only issue I'm running into now is that we have a lot of system noise with account names that show up as "-" frequently as 4624s. I can do search NOT Account_Name=- or where Account_Name != "-"; however, this removes any search with - in it. Is there a way to have - removed from just the 4624s using the search above?

0 Karma
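As an added illustration that is not part of any post in this thread: the correlation the searches above build in SPL, re-implemented in Python over constructed sample events so the logic can be checked offline. It applies the points raised in the thread: transactions are grouped by Workstation_Name only (the 4625 and 4624 carry different usernames), only 4625s with Sub_Status 0xc0000064 ("username does not exist") count as candidates, 4624s whose Account_Name is "-" are skipped without dropping the transaction, and the failed username is masked in the output because it may be a password. The field names mirror the Splunk Windows event log fields used in the thread; the sample events and the 120-second window are assumptions for the example.

```python
"""Correlate 4625 -> 4624 logon events to flag a password likely typed as the username.

Example code written for this thread, not from any poster; the events below are constructed.
"""
from datetime import datetime

# Constructed sample events; field names follow the Splunk wineventlog fields used above.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10 08:00:05", "EventCode": 4625, "Account_Name": "Summer2024!", "Workstation_Name": "WS01", "Sub_Status": "0xc0000064"},
    {"_time": "2024-01-10 08:00:40", "EventCode": 4624, "Account_Name": "jsmith", "Workstation_Name": "WS01"},
    # Typo of a username, but the matching 4624 lands 240s later: outside the window.
    {"_time": "2024-01-10 08:05:00", "EventCode": 4625, "Account_Name": "jsmyth", "Workstation_Name": "WS02", "Sub_Status": "0xc0000064"},
    {"_time": "2024-01-10 08:09:00", "EventCode": 4624, "Account_Name": "jsmith", "Workstation_Name": "WS02"},
    # Existing user, wrong password (0xc000006a): a plain logon failure, not a candidate.
    {"_time": "2024-01-10 08:10:00", "EventCode": 4625, "Account_Name": "bjones", "Workstation_Name": "WS03", "Sub_Status": "0xc000006a"},
    {"_time": "2024-01-10 08:10:30", "EventCode": 4624, "Account_Name": "bjones", "Workstation_Name": "WS03"},
    # System-noise 4624 with Account_Name "-" sits between the 4625 and the real user logon.
    {"_time": "2024-01-10 08:12:00", "EventCode": 4625, "Account_Name": "P@ssw0rd", "Workstation_Name": "WS04", "Sub_Status": "0xc0000064"},
    {"_time": "2024-01-10 08:12:10", "EventCode": 4624, "Account_Name": "-", "Workstation_Name": "WS04"},
    {"_time": "2024-01-10 08:12:50", "EventCode": 4624, "Account_Name": "agarcia", "Workstation_Name": "WS04"},
]

USER_DOES_NOT_EXIST = "0xc0000064"  # NTSTATUS sub-status for "username does not exist"


def _ts(event):
    """Parse the event's _time string into a datetime."""
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def mask(value):
    """Hide a possibly sensitive failed username; keep only its length for the analyst."""
    return "*" * len(value)


def find_password_exposures(events, maxspan_seconds=120):
    """Return one finding per 4625 (user-does-not-exist) followed within maxspan by a
    4624 on the same workstation whose Account_Name is not the "-" noise value.

    Grouping is by Workstation_Name only, since the two events carry different usernames.
    """
    by_workstation = {}
    for event in events:
        by_workstation.setdefault(event["Workstation_Name"], []).append(event)

    findings = []
    for workstation, ws_events in by_workstation.items():
        ws_events = sorted(ws_events, key=_ts)
        for i, failed in enumerate(ws_events):
            if failed["EventCode"] != 4625:
                continue
            if failed.get("Sub_Status", "").lower() != USER_DOES_NOT_EXIST:
                continue
            # Walk forward: first real 4624 on this workstation inside the window.
            for later in ws_events[i + 1:]:
                delta = (_ts(later) - _ts(failed)).total_seconds()
                if delta > maxspan_seconds:
                    break
                if later["EventCode"] != 4624 or later["Account_Name"] == "-":
                    continue  # skip system noise without discarding the transaction
                findings.append({
                    "Workstation_Name": workstation,
                    "failed_at": failed["_time"],
                    "failed_username_masked": mask(failed["Account_Name"]),
                    "succeeded_as": later["Account_Name"],
                    "delta_seconds": int(delta),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_password_exposures(SAMPLE_EVENTS):
        print(finding)
```

Only WS01 and WS04 produce findings: WS02 is excluded by the 120-second window and WS03 by the sub-status filter, and the "-" 4624 on WS04 is stepped over rather than ending the search. Printing the masked username keeps the likely password out of the audit output; the timestamp is enough to locate the original event.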