How to audit security logs to find password compromises?

thomasbchurch
New Member

We audit the security logs looking for password compromises. A user will put the password in as the username, which results in a 4625. The user will then log in within minutes on the same machine and show a 4624. We then have the user name and the password.

We currently use the below command. This shows us the password compromise and the workstation name. I am trying to figure out how to add a line to show the 4624s within 120 seconds of a failed log on.

4625 | stats count by Account_Name, Workstation_Name | sort - Account_Name

0 Karma

danielansell
Path Finder

To narrow down to a possible password in the username field, you need to add the Sub_Status field for a value of "0xc0000064"
index=wineventlog EventCode=4625 Sub_Status="0xc0000064"
This will return failed logon attempts where "Username does not exist."

The problem you have is that you will have a username that doesn't exist (likely a typo of the user's name, but sometimes it is a password) and then you will have a valid username. Therefore, your transaction cannot be by the Account_Name field. If your target is a workstation, you can probably remove Account_Name from the transaction. Things will be more difficult if you're working with an RDP server or something else with lots of logons from different users.

Explore your data with the addition of the Sub_Status - I think that will get you closer to where you want to be.

0 Karma

gcusello
SplunkTrust

Hi thomasbchurch,
to have the 4624 within 120 seconds after the 4625 is easy using the transaction command; the problem is knowing that it's a compromised password and not a simple logon failure.
Anyway, try:

index=wineventlog (EventCode=4624 OR EventCode=4625) 
| transaction Account_Name, Workstation_Name startswith="EventCode=4625" endswith="EventCode=4624" maxspan=120s
| search EventCode=4624 EventCode=4625 
| table _time Account_Name, Workstation_Name

Bye.
Giuseppe

0 Karma

thomasbchurch
New Member

That worked, thank you! The only issue I'm running into now is that we have a lot of system noise with account names that show up as "-" frequently as 4624s. I can do search NOT Account_Name=- or where Account_Name != "-", however this removes any search with - in it. Is there a way to have - removed from just 4624s using the search above?

0 Karma

sajidalisajid
New Member

index=wineventlog (EventCode=4624 OR EventCode=4625)

| transaction Account_Name, Workstation_Name startswith="EventCode=4625" endswith="EventCode=4624" maxspan=120s

| search EventCode=4624 EventCode=4625 Account_Name!="-"
| table _time Account_Name, Workstation_Name

0 Karma
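As an added illustration (not code from the thread or from Splunk), the same correlation as a stand-alone Python check over constructed sample events: it keys on Workstation_Name only, as danielansell suggests, requires Sub_Status 0xc0000064 on the 4625, drops the "-" names only on the 4624 side, and masks the failed "username" before reporting it, since that field may hold a cleartext password. Field names and timestamps are assumed to match what the Splunk searches above use.

```python
from datetime import datetime, timedelta

SUBSTATUS_NO_SUCH_USER = "0xc0000064"  # 4625 Sub_Status: "user name does not exist"
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not real log data) carrying the Security-log
# fields the searches above key on.
EVENTS = [
    {"time": "2024-03-01 08:00:05", "EventCode": 4625, "Account_Name": "Spring2024!", "Workstation_Name": "WS01", "Sub_Status": "0xc0000064"},
    {"time": "2024-03-01 08:00:20", "EventCode": 4624, "Account_Name": "-", "Workstation_Name": "WS01"},       # system noise
    {"time": "2024-03-01 08:00:40", "EventCode": 4624, "Account_Name": "jdoe", "Workstation_Name": "WS01"},
    {"time": "2024-03-01 09:00:00", "EventCode": 4625, "Account_Name": "asmith", "Workstation_Name": "WS02", "Sub_Status": "0xc000006a"},  # wrong password, real user
    {"time": "2024-03-01 09:00:30", "EventCode": 4624, "Account_Name": "asmith", "Workstation_Name": "WS02"},
    {"time": "2024-03-01 10:00:00", "EventCode": 4625, "Account_Name": "bjones-", "Workstation_Name": "WS03", "Sub_Status": "0xc0000064"},
    {"time": "2024-03-01 10:05:00", "EventCode": 4624, "Account_Name": "bjones", "Workstation_Name": "WS03"},  # outside the 120s window
]

def _ts(ev):
    return datetime.strptime(ev["time"], TIME_FMT)

def mask(value):
    """Keep only the first character: the failed 'username' may be a real password."""
    return value[0] + "*" * (len(value) - 1) if value else ""

def find_candidate_leaks(events, maxspan=120):
    """Pair each 4625 'no such user' failure with the next 4624 on the same
    workstation within maxspan seconds (startswith/endswith, like transaction).
    A typo and a typed password look identical here, so hits need analyst review."""
    window = timedelta(seconds=maxspan)
    ordered = sorted(events, key=_ts)
    hits = []
    for i, fail in enumerate(ordered):
        if fail["EventCode"] != 4625 or fail.get("Sub_Status") != SUBSTATUS_NO_SUCH_USER:
            continue
        for ok in ordered[i + 1:]:
            if _ts(ok) - _ts(fail) > window:
                break  # events are time-ordered, nothing later can match
            if ok["EventCode"] != 4624 or ok["Workstation_Name"] != fail["Workstation_Name"]:
                continue
            if ok["Account_Name"] == "-":
                continue  # drop '-' only on the 4624 side, not from the whole search
            hits.append({
                "workstation": ok["Workstation_Name"],
                "account": ok["Account_Name"],
                "logon_time": ok["time"],
                "seconds_after_failure": int((_ts(ok) - _ts(fail)).total_seconds()),
                "leaked_value_masked": mask(fail["Account_Name"]),
            })
            break  # one 4624 closes the transaction
    return hits

if __name__ == "__main__":
    for hit in find_candidate_leaks(EVENTS):
        print(hit)
```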