Shadoxity

EV - Failed Logins* - making it usable?


Hey Guys,

With a couple monitor updates we got this enabled again and got like 8000 entries picked up...

 

Anyone using this monitor to any advantage with usable results?

 

Or should we just disable it.


not exactly what you are looking for but may help:

 

we set up a monitor to alert us when a new user is created in AD. All we did was monitor an event log, and made sure the date/time was reported within the last 24 hours.

 

without looking, there may be an event for when a user attempts to login but fails. You can also probably GROUP BY this via SQL or use a COUNT() so as to only report if it fails, in say, 3 attempts or 5, etc.


I would also like to find a way to make the Failed Logins monitor usable. Currently the monitor alerts when a user mistypes their password even 1 time. This is creating quite a bit of noise on our service board. Is there a way to make the Failed Logins monitor only alert when there are multiple failed logins from the same user? If not from the same user, can we make it so it only alerts when there are multiple failed logins? What would I need to add to the additional conditions section to accomplish this?

 

Thank you for any assistance.


Any tips on the syntax of GROUP BY or COUNT() in the additional conditions box is appreciated. I was hoping the "EV-recurring critical >75 occurrences" would help but it's set up completely different.


We made a change to that monitor set to only report account lockouts (mainly for our banking clients). The only change needed is in the Additional Conditions - we changed it to this:

```sql
eventlogs.EventID in (529,531,539,644,4740,12294) and timegen > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY) AND eventlogs.Message LIKE '%locked out%'
```

Our techs find this to be MUCH more useful.


On the server front, we have yet to find a solution. I have searched high and low, best I found was a comprehensive thread about manually editing the SQL database to control monitor thresholds. Even in this post, I was unable to successfully adjust the thresholds. How something so simple as "after 10 failed attempts within 24 hours" has consumed so many hours of research is beyond me. :(


I know this is an old topic but I wanted to bump it because I found a way. If you create a new monitor from scratch and set the Table to Check and Field to Check lines as RAWSQL, you can simply use a SQL query to capture the information you need by placing the query in the Additional Condition box. The other nice thing about doing it this way is the message line contains the full text of the event log entry. The one I created was to count DNS replication errors and list any server with more than 25 in one day. Using this query you can replace the event ID, source, logname and failure counts to use it for any event ID. In mine the eventid and fail counter appear twice, once in the primary query and once in a subquery. Let me know if this helps:

 

```sql
SELECT
  cm.name AS 'computername',
  cl.name AS 'client_name',
  ev.computerid,
  ev.source,
  ev.logname,
  ev.message,
  ev.timegen,
  ev.eventid,
  lg.fails AS 'count',
  CASE WHEN COALESCE(lg.fails, 0) > 25 THEN 'Failed' END AS 'Status'
FROM `eventlogs` ev
JOIN computers cm ON ev.computerid = cm.computerid
JOIN clients cl ON cm.clientid = cl.clientid
LEFT JOIN (
  -- per-computer count of the same event, over the same one-day window as the outer query
  SELECT ComputerID, COUNT(*) AS fails
  FROM eventlogs
  WHERE eventid = 5774 AND eventtype = 1
    AND timegen > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)
  GROUP BY ComputerID
) lg ON ev.computerid = lg.computerid
WHERE ev.logname = 'System' AND ev.source = 'NETLOGON' AND ev.eventid = 5774
  AND ev.timegen > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)
  AND lg.fails > 25
GROUP BY ev.computerid
```


The Third Wall plugin includes a much more reliable monitor for keeping an eye on failed logons in the field. When you enable our 'Alert on Excessive Failed Logon Events' policy, a few things happen. First, you are given options on what you decide is 'excessive'. Two per hour, 18 per week, whatever threshold you decide is alert-worthy is settable within the plugin. Second, we've applied logic so that only interactive and remote-interactive logons are counted, not automated or service logons. This ensures you are alerted only when you want to be alerted. Finally, you can assign an instant AV scan, network isolation or a simple reboot to occur when the threshold is exceeded. Of course, we'll also notify you with a ticket. (coming soon: auto-lockout!)

 

We included this policy in Third Wall because excessive failed logons tells an important story! When used in conjunction with our 'Enable User Logon Reporting' feature, you have full visibility into the remote environment's sign-on activity and can even deliver automated reports to your customers with it. For more information, check us out! http://www.third-wall.com or just post a question here.


I have a monitor for this and it is much better: it filters out the service/network based login rubbish and focuses on Console, Interactive and RemoteInteractive logons, i.e. sat in front of the PC, RDPing to the PC, etc.

 

Monitor config here - https://imgur.com/a/lbyyS

 

The SQL is:

 

```sql
SELECT COUNT(*)     AS TestValue,
       c.name       AS IDentityField,
       c.ComputerID AS ComputerID,
       acd.NoAlerts,
       acd.UpTimeStart,
       acd.UpTimeEnd
FROM computers c
JOIN eventlogs e ON (e.computerid = c.ComputerID)
LEFT JOIN AgentComputerData acd ON (c.computerid = acd.computerid)
-- failed-logon events, limited to logon types 2 (interactive), 7 (unlock) and 10 (remote interactive)
WHERE e.EventID IN (529,644,681,4625)
  AND (e.Message LIKE '%Logon Type:2%' OR e.Message LIKE '%Logon Type:7%' OR e.Message LIKE '%Logon Type:10%')
  AND e.TimeGen > (NOW() - INTERVAL 1 HOUR)
GROUP BY c.ComputerID
HAVING TestValue > 8
```

 

Every single thing that has ever triggered for me on this monitor has been a real concern. You can set the threshold to trigger in terms of number of failed logins by changing the HAVING TestValue to your relevant time period.



Gavsto has a very good solution for this too. But the problem with using an internal monitor here is that the frequency and duration is necessarily static. If you run an internal monitor once-per-hour and look back for a full hour you will get, for the most part, solid results. That's what Gavsto's monitor does here but there is a huge assumption in that logic: it assumes there will be no variances and all targets are online. Offline computers aren't checked and any inconsistency in the monitor execution timing will result in holes in your coverage for all your machines. It also gives a successful attacker up to 60 minutes to purge the eventlogs, in the event of a successful attack.

 

I strongly feel this is an area of concern, so Third Wall uses remote monitors with a five minute interval to check for Excessive Failed Logon Events. Used in correlation with the 'Monitor Event Log Clearing' policy, Third Wall will give you nigh bulletproof returns on this critical information.

 

Though it would be relatively simple to set this up as a Powershell Event log check in a remote monitor every five minutes. I'm not sure how the plugin would check offline computers either, if it does that then I'm going to be on board today! ;) I am assuming you mean it checks for the entire period when it comes back online as opposed to just five minutes?

 

As you point out though it has to be used in conjunction with other things. One monitor not maketh the man!


I like that: 'One monitor not maketh the man!' Too true! :)

 

This absolutely could be a Powershell Eventlog check. If you're writing one yourself, don't forget to set an 'I just alerted on this time/date' reminder somewhere, otherwise a monitor running every five minutes and looking back a full hour will generate one true alert, then 11 false ones over the next hour on each detection. You'll want to make your script's inspection range dynamic, based on that reminder (when it exists).

 

It's the second half of your paragraph that has me thinking - while Third Wall in its current state will detect excessive failed logons on disconnected computers (and execute the associated action), the plugin assumes the machine is online and can communicate with your LT server to send in a ticket. We can't make that assumption so we'll have to fix it. That will be done with our next release; offline computers will suppress ticket submits until they are back on the network. I'm embarrassed I hadn't thought of that before now.

 

Thanks for your thoughts! You helped us identify a potential hole in our approach. I'll post back once we have that done and in the soup.

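The per-user threshold from Gavsto's query and the 'I just alerted' reminder described in this reply, combined into one remote-monitor style script as an added example (my code, not from the thread or from Third Wall). The marker-file path, the OK/FAILED output strings and the sample events are assumptions; the parser function shows how real 4625 records would feed the same check.

```powershell
# Added example (not from the thread): per-user failed-logon count over a sliding window
# with a last-alert marker, so a 5-minute monitor looking back an hour fires once per burst.
$Threshold     = 8                     # failed logons per user in the window (HAVING > 8 above)
$WindowMinutes = 60
$Interactive   = @('2', '7', '10')     # logon types: console, unlock, RDP
$StatePath     = Join-Path $env:TEMP 'failedlogon-lastalert.txt'   # assumed marker location

# Production parser: read fields by name from the 4625 XML instead of ReplacementStrings indexes.
function ConvertFrom-FailedLogon {
    param([object]$Record)
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        TimeCreated    = $Record.TimeCreated
        LogonType      = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        TargetUserName = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        IpAddress      = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    }
}

# Window starts at now-minus-window, or at the last alert if that is more recent (no repeats).
function Get-WindowStart {
    param([datetime]$Now, [int]$Minutes, [string]$Path)
    $start = $Now.AddMinutes(-$Minutes)
    if (Test-Path $Path) {
        $last = [datetime]::Parse((Get-Content $Path -Raw).Trim(), [cultureinfo]::InvariantCulture)
        if ($last -gt $start) { $start = $last }
    }
    return $start
}

# Interactive-type failures per user since $Since, ignoring machine accounts ('NAME$') and '-'.
function Get-ExcessiveFailedLogons {
    param([object[]]$Events, [datetime]$Since, [int]$MinCount)
    $Events |
        Where-Object { $_.TimeCreated -gt $Since -and $Interactive -contains $_.LogonType } |
        Where-Object { $_.TargetUserName -notmatch '\$$' -and $_.TargetUserName -ne '-' } |
        Group-Object LogonType, TargetUserName |
        Where-Object { $_.Count -ge $MinCount } |
        Sort-Object Count -Descending
}

$now   = Get-Date
$since = Get-WindowStart -Now $now -Minutes $WindowMinutes -Path $StatePath
# Constructed sample: 12 RDP failures for one user plus two records the check must ignore.
# Production: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} | ForEach-Object { ConvertFrom-FailedLogon $_ }
$sample  = foreach ($i in 1..12) { [pscustomobject]@{ TimeCreated = $now.AddMinutes(-$i); LogonType = '10'; TargetUserName = 'jdoe'; IpAddress = '203.0.113.9' } }
$sample += [pscustomobject]@{ TimeCreated = $now.AddMinutes(-3); LogonType = '3'; TargetUserName = 'svc-print'; IpAddress = '-' }
$sample += [pscustomobject]@{ TimeCreated = $now.AddMinutes(-5); LogonType = '2'; TargetUserName = 'WS01$';     IpAddress = '-' }
$hits = @(Get-ExcessiveFailedLogons -Events $sample -Since $since -MinCount $Threshold)
if ($hits.Count -gt 0) {
    $now.ToString('o') | Set-Content $StatePath   # remember this alert for the next run
    'FAILED-ExcessiveFailedLogons'                 # string the remote monitor alerts on
    $hits | Format-Table Count, Name -AutoSize
} else { 'OK-NoExcessiveFailedLogons' }
```

On the first run the sample produces one FAILED group ("10, jdoe", count 12); a second run within the window reads the marker and reports OK because no newer events exist.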

Are all your tests run independently on the machine? What I mean by that is what is managing all the settings client side. Do you have a Windows Service running?


We piggy-back on the LTService and yes, all our tests and remediations run independently. So long as the LTService is running on the target, all the assigned policies will be managed on the targets, even when they're off network. That's why our conversation rang a bell for me - made it clear that although Third Wall would know when something slipped and would fix it, you would miss notification of that event if the computer was offline.


I know this is an old post, but here is something that will help you gather the events to review in text and add to a ticket, if you get a triggered event.

 

```powershell
# Quick throw-together search for failed logins that I've confirmed works.
# Failed-logon event IDs (529/644/681 on older Windows, 4625 on current), limited to
# logon types 2, 7 and 10; the message text has three tabs after "Logon Type:".
Get-EventLog -LogName Security -InstanceId @(529,644,681,4625) |
    Where-Object { $_.Message -like "*Logon Type:`t`t`t2*" -or
                   $_.Message -like "*Logon Type:`t`t`t7*" -or
                   $_.Message -like "*Logon Type:`t`t`t10*" } |
    Format-List >> $env:temp\seclog.txt
```


I believe for performance, the Get-WinEvent cmdlet is the fastest option (and is supported in PowerShell 2). Here is an example of using it, such as could be used in a remote monitor.

```powershell
"%windir%\system32\WindowsPowerShell\v1.0\powershell.exe" -command "& {$evtFilter=@{'StartTime'=$([datetime](Get-Date).AddHours(-24)); LogName='Security'; ProviderName='*-Security-*'; ID=(4720);}; $newEvt=Get-WinEvent -FilterHashTable $evtFilter -MaxEvents 1 -EA 0 | Select-Object -Expand TimeCreated; if (($newEvt)) {Write-Output 'OK-EventFound'} ELSE {Write-Output 'WARNING-NoEventFound'}}"
```

Performance isn't a large concern if you are running a script to collect information only when triggered, so the Get-EventLog example in the previous post might be preferred.


We're also using a remote monitor, since eventlogs get cleared out quickly (DB size) and don't always work right. Offloading it to the remote agent works well.

I've formatted the output so you can group on anything (e.g. username, IP address, LogonType).
We use this output in a ticket so we can have a technician deep dive into the system.

 

```powershell
# In the remote monitor this whole pipeline is passed on one line as:
#   %windir%\System32\WindowsPowerShell\v1.0\powershell.exe "Get-EventLog ... -AutoSize"
# 4625 ReplacementStrings positions: 5 TargetUserName, 10 LogonType, 13 WorkstationName,
# 19 (= -2) IpAddress, 20 (= -1) IpPort. The Where-Object drops the machine account
# and the '-' / '@' placeholder user names.
Get-EventLog -LogName 'Security' -InstanceId 4625 -After ([DateTime]::Now.AddDays(-1)) -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated,
        @{Name='TargetUserName';  Expression={$_.ReplacementStrings[5]}},
        @{Name='WorkstationName'; Expression={$_.ReplacementStrings[13] -replace '\$$'}},
        @{Name='LogonType';       Expression={$_.ReplacementStrings[10]}},
        @{Name='IpAddress';       Expression={$_.ReplacementStrings[-2]}},
        @{Name='IpPort';          Expression={$_.ReplacementStrings[-1]}} |
    Where-Object { $_.TargetUserName -ne ($env:COMPUTERNAME + '$') -and
                   $_.TargetUserName -ne $env:COMPUTERNAME -and
                   $_.TargetUserName -ne '-' -and $_.TargetUserName -ne '@' } |
    Group-Object LogonType, TargetUserName |
    Where-Object { $_.Count -ge 30 } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

 



Have to recommend adding LogonType 3 to your monitor. 2, 5 & 10 are right too, of course, but as this page shows (http://techgenix.com/logon-types/), LogonType 3 will also show network logon attempts. This will expose that service or printer set up five years ago that was never updated but continues to try to sign on to your remotes.

On 26/02/2018 at 3:16 PM, Wupsje said:

We're also using a remote monitor, since eventlogs get cleared out quickly (DB size) and don't always work right. Offloading it to the remote agent works well.

I've formatted the output so you can group on anything (e.g. username, IP address, LogonType).
We use this output in a ticket so we can have a technician deep dive into the system.

 

Stupid question but how do I get this into a remote monitor? Do I need to use External EXE check?

33 minutes ago, szkoda said:

Stupid question but how do I get this into a remote monitor? Do I need to use External EXE check?

Yeah

18 hours ago, szkoda said:

Mind sharing your config?

Sure, does this help you out?
We're setting this on our groups so that it runs on all Windows servers.

 

(screenshot of the remote monitor configuration)

On 2/26/2018 at 10:16 AM, Wupsje said:

We're also using a remote monitor, since eventlogs get cleared out quickly (DB size) and don't always work right. Offloading it to the remote agent works well.

I've formatted the output so you can group on anything (e.g. username, IP address, LogonType).
We use this output in a ticket so we can have a technician deep dive into the system.

 

This may be a dumb question but how do you get it to dump the output into a ticket?


If you set an alert template that creates a ticket and has %RESULT% somewhere in the alert message on failure, you're set.

 

 

