Security

Windows: Unknown User Name or Bad Password

test_qweqwe
Builder

Hi.
How can I distinguish events with Authentication when «Unknown User Name» and when «Bad Password»?

alt text

Ping me if you need more information 🙂

0 Karma
1 Solution

acharlieh
Influencer

At first, I was going to think of a complicated option, assuming an option where you have a domain environment, you could use SA-ldapsearch to take the username and lookup and see if it exists in the domain.

But a better solution is much easier. You see the Failure Status and Substatus codes? Build a lookup for those... they come out of ntstatus.h. In particular 0xC0000064 means there is no such user, and 0xC000006A means wrong password.

Code List: https://msdn.microsoft.com/en-us/library/cc704588.aspx
Microsoft Windows Vista Security forum question: https://answers.microsoft.com/en-us/windows/forum/windows_vista-security/where-can-i-find-the-full-l...

You can also do some googling for event code 4625 and see what others have to say about it.

View solution in original post

acharlieh
Influencer

At first, I was going to think of a complicated option, assuming an option where you have a domain environment, you could use SA-ldapsearch to take the username and lookup and see if it exists in the domain.

But a better solution is much easier. You see the Failure Status and Substatus codes? Build a lookup for those... they come out of ntstatus.h. In particular 0xC0000064 means there is no such user, and 0xC000006A means wrong password.

Code List: https://msdn.microsoft.com/en-us/library/cc704588.aspx
Microsoft Windows Vista Security forum question: https://answers.microsoft.com/en-us/windows/forum/windows_vista-security/where-can-i-find-the-full-l...

You can also do some googling for event code 4625 and see what others have to say about it.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...