Windows EventID 4625 Pipeline

@tmacgbay Thanks :smiley: I had to save it. I feel a ripple in the force, I might need this later.

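rule "bad_password_rule"
when
    // Windows Security event 4625: an account failed to log on.
    to_string($message.winlog_event_id) == "4625"
then
    // Every winlog value is read as a string; to_string() of an absent field is expected to
    // yield an empty string, so a sparsely populated event still produces readable text.
    let target_user = to_string($message.winlog_event_data_TargetUserName);
    let host_name   = to_string($message.winlog_host_name);

    // One-line summary used as the alert subject.
    let subject_0   = concat("PW-BAD: ", target_user);
    let subject_1   = concat(subject_0, " connecting to ");
    let subject_fin = concat(subject_1, host_name);
    set_field("short_detail", subject_fin);

    // Long explanation: resolve the numeric logon type and the failure SubStatus through the
    // two CSV lookup tables (winLogonType, WinLogonErr).
    let LogonTypeNumber = to_string($message.winlog_event_data_LogonType);   // 2 interactive, 3 network, 10 remote interactive, ...
    let SubStatusCode   = to_string($message.winlog_event_data_SubStatus);   // NTSTATUS detail code of the failure
    // Fall back to the raw value instead of 0 so an unmapped code stays visible in the alert.
    let LogonTypeResult = lookup_value("winLogonType", LogonTypeNumber, LogonTypeNumber);
    // NOTE(review): the WinLogonErr keys mix upper- and lower-case hex (0xC000006A vs 0xC000015b)
    // while the event's SubStatus is commonly written in lower case; verify against live events
    // that the lookup actually matches (normalise the keys or use case-insensitive matching).
    // NOTE(review): the short 0x6..0x25 rows look like Kerberos result codes (events 4768/4771)
    // rather than 4625 SubStatus values, so they are unlikely to be hit here — confirm.
    let LogonTypeErr    = lookup_value("WinLogonErr", SubStatusCode, SubStatusCode);

    // Field name aligned with the other winlog_event_data_* fields used above
    // (was winlog_event_SubjectDomainName, which does not follow that naming).
    let subject_domain = to_string($message.winlog_event_data_SubjectDomainName);

    let build_mess_0   = concat("Failed Password Attempt - ", target_user);
    let build_mess_1   = concat(build_mess_0, " attempting to log in to ");
    let build_mess_2   = concat(build_mess_1, subject_domain);
    let build_mess_3   = concat(build_mess_2, "-");
    let build_mess_4   = concat(build_mess_3, host_name);
    let build_mess_5   = concat(build_mess_4, ". Logon Type: ");
    let build_mess_6   = concat(build_mess_5, to_string(LogonTypeResult));
    let build_mess_7   = concat(build_mess_6, ". Attempt came from: ");
    let build_mess_8   = concat(build_mess_7, to_string($message.winlog_event_data_WorkstationName));
    let build_mess_9   = concat(build_mess_8, ".  ERROR: ");
    let build_mess_fin = concat(build_mess_9, to_string(LogonTypeErr));
    set_field("the_explanation", build_mess_fin);

    // Hand the enriched message to the stream that feeds the security alerts.
    route_to_stream("security_reports");
end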

Description from here


Tables:
winLogonType

"number","type"
"0","System"
"2","Interactive"
"3","Network"
"4","Batch"
"5","Service"
"7","Unlock"
"8","NetworkClearText"
"9","NewCredentials"
"10","RemoteInteractive"
"11","CachedInteractive(storedCredentials)"
"12","CachedRemoteInteractive(storedCredentials-internalAuditing)"
"13","CachedUnlock"

WinLogonErr

"err_code", "explanation"
"0x6", "Bad username - kerberos"
"0x7", "New computer account(?) - kerberos"
"0x9", "Administrator should reset password - kerberos"
"0xC", "Workstation Restriction - kerberos"
"0x12", "Account Disabled, expired, locked out, logon hours restriction - kerberos"
"0x17", "The users password has expired - kerberos"
"0x18", "Bad Password - kerberos"
"0x20", "Frequently logged by computer accounts - kerberos"
"0x25", "Workstation clock too far out of sync with the DCs - kerberos"
"0xC0000064", "User name does not exist - NTLM"
"0xC000006A", "User name is correct but the password is wrong - NTLM"
"0xC0000234", "User is currently locked out - NTLM"
"0xC0000072", "Account is currently disabled - NTLM"
"0xC000006F", "User tried to logon outside his day of week or time of day restrictions - NTLM"
"0xC0000070", "Workstation restriction - NTLM"
"0xC0000193", "Account expiration - NTLM"
"0xC0000071", "Expired password - NTLM"
"0xC0000133", "Clocks between DC and other computer too far out of sync - NTLM"
"0xC0000224", "User is required to change password at next logon - NTLM"
"0xC0000225", "Evidently a bug in Windows and not a risk (per ultimateITSecurity.com) - NTLM"
"0xC000015b", "The user has not been granted the requested logon type (aka logon right) at this machine - NTLM"
