Security

Windows: Unknown User Name or Bad Password

test_qweqwe
Builder

Hi.
How can I distinguish events with Authentication when «Unknown User Name» and when «Bad Password»?

alt text

Ping me if you need more information 🙂

0 Karma
1 Solution

acharlieh
Influencer

At first, I was going to think of a complicated option, assuming an option where you have a domain environment, you could use SA-ldapsearch to take the username and lookup and see if it exists in the domain.

But a better solution is much easier. You see the Failure Status and Substatus codes? Build a lookup for those... they come out of ntstatus.h. In particular 0xC0000064 means there is no such user, and 0xC000006A means wrong password.

Code List: https://msdn.microsoft.com/en-us/library/cc704588.aspx
Microsoft Windows Vista Security forum question: https://answers.microsoft.com/en-us/windows/forum/windows_vista-security/where-can-i-find-the-full-l...

You can also do some googling for event code 4625 and see what others have to say about it.

View solution in original post

acharlieh
Influencer

At first, I was going to think of a complicated option, assuming an option where you have a domain environment, you could use SA-ldapsearch to take the username and lookup and see if it exists in the domain.

But a better solution is much easier. You see the Failure Status and Substatus codes? Build a lookup for those... they come out of ntstatus.h. In particular 0xC0000064 means there is no such user, and 0xC000006A means wrong password.

Code List: https://msdn.microsoft.com/en-us/library/cc704588.aspx
Microsoft Windows Vista Security forum question: https://answers.microsoft.com/en-us/windows/forum/windows_vista-security/where-can-i-find-the-full-l...

You can also do some googling for event code 4625 and see what others have to say about it.

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!