Linux & Windows.md

Linux Authentications

sourcetype="linux_secure" ("Accepted publickey" OR "Accepted password" OR "session opened")
| stats count by host ip user app
| eval bar="("+count+") "+ip
| eval bar_host="("+count+") "+host
| stats list(bar) as "(#) source(s)" values(bar_host) as "(#) host(s)" by app user

The parentheses matter: in SPL the implicit AND binds tighter than OR, so without them only "Accepted publickey" is restricted to the sourcetype. The original second stats also listed a desc field, but nothing survives the first stats except host, ip, user, app and count, so it is dropped. Note that pam "session opened" lines carry no source address, so ip is empty for them.
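The aggregation above, reproduced offline as an added example (this is not code from the original page): it parses sshd "Accepted ..." and pam_unix "session opened" syslog lines, groups them by application and user, lists sources and hosts with counts in the same "(#) value" style, and raises a few alerts the search does not. The log lines, hosts, users and addresses are constructed, and the internal network ranges are an assumption.

```python
"""Summarise Linux authentication events from syslog lines.

Added example, not code from the original page. The log lines, hosts, users
and addresses are constructed; INTERNAL_NETS is an assumption.
"""
import ipaddress
import re
from collections import Counter, defaultdict

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[\w.-]+?)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION_RE = re.compile(
    r"^pam_unix\((?P<service>[\w-]+):session\): session opened for user "
    r"(?P<user>\S+)(?: by (?P<by>[\w-]*)\(uid=(?P<uid>\d+)\))?")

# Assumption: the organisation's internal address ranges (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(lines):
    """Return logins keyed "app/user" (sources, hosts, methods as Counters),
    pam sessions keyed (service, user, opened_by) and a list of alerts."""
    logins = defaultdict(lambda: {"sources": Counter(), "hosts": Counter(), "methods": Counter()})
    sessions = Counter()
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, app, msg = m["host"], m["app"], m["msg"]
        a = ACCEPTED_RE.match(msg)
        if a:
            entry = logins[f"{app}/{a['user']}"]
            entry["sources"][a["ip"]] += 1
            entry["hosts"][host] += 1
            entry["methods"][a["method"]] += 1
            if a["user"] == "root" and a["method"] == "password":
                alerts.append(f"root password logon on {host} from {a['ip']}")
            if not is_internal(a["ip"]):
                alerts.append(f"{a['user']} logon on {host} from external address {a['ip']}")
            continue
        s = SESSION_RE.match(msg)
        if s:
            opened_by = s["by"] or "-"  # "by (uid=0)" means the daemon itself opened it
            sessions[(s["service"], s["user"], opened_by)] += 1
            if s["user"] == "root" and opened_by not in ("-", "root"):
                alerts.append(f"{opened_by} opened a root session via {s['service']} on {host}")
        # Anything else ("Failed password", etc.) is ignored, as in the search above.
    return {"logins": dict(logins), "sessions": sessions, "alerts": alerts}


def splunk_style(summary):
    """Rows shaped like the search output: "(count) value" per source and host."""
    rows = []
    for key, entry in sorted(summary["logins"].items()):
        rows.append({"app/user": key,
                     "(#) source(s)": [f"({n}) {ip}" for ip, n in entry["sources"].most_common()],
                     "(#) host(s)": [f"({n}) {h}" for h, n in entry["hosts"].most_common()]})
    return rows


# Constructed /var/log/secure lines.
SAMPLE_LINES = [
    "Mar  4 10:15:02 web01 sshd[2211]: Accepted publickey for deploy from 10.1.2.3 port 51022 ssh2: ED25519 SHA256:k3yF1ngerpr1nt",
    "Mar  4 10:15:02 web01 sshd[2211]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "Mar  4 10:16:40 web01 sshd[2290]: Accepted password for root from 203.0.113.9 port 40111 ssh2",
    "Mar  4 10:16:40 web01 sshd[2290]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Mar  4 10:20:01 web01 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  4 10:21:13 web01 sudo: pam_unix(sudo:session): session opened for user root by deploy(uid=1001)",
    "Mar  4 10:25:00 db01 sshd[901]: Accepted publickey for deploy from 10.1.2.3 port 51100 ssh2: ED25519 SHA256:k3yF1ngerpr1nt",
    "Mar  4 10:30:00 db01 sshd[950]: Failed password for invalid user admin from 203.0.113.9 port 40200 ssh2",
]


def run():
    return summarize(SAMPLE_LINES)


if __name__ == "__main__":
    result = run()
    for row in splunk_style(result):
        print(row)
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

The sessions counter keeps the pam "session opened" lines apart from the sshd acceptances instead of mixing them into one stats as the search does, which is what makes the sudo-to-root escalation visible.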

Password Never Expires - Active Accounts:

| ldapsearch domain=default search="(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(userAccountControl:1.2.840.113556.1.4.803:=65536))" attrs="sAMAccountName,pwdLastSet" | table sAMAccountName, dn, pwdLastSet

The matching rule 1.2.840.113556.1.4.803 is a bitwise AND on userAccountControl: bit 2 is ACCOUNTDISABLE and bit 65536 (0x10000) is DONT_EXPIRE_PASSWD, so this lists enabled accounts whose password never expires. For accounts whose password was never set (or must be changed at next logon) filter on (pwdLastSet=0) instead.

Passwords Last Changed - Active Accounts:

| ldapsearch domain="default" search="(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,pwdLastSet" | table sAMAccountName, pwdLastSet

Check for Disabled User Accounts:

| ldapsearch domain="default" search="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" attrs="sAMAccountName" | table sAMAccountName,dn
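The three ldapsearch reports above depend on two encodings that are easy to get wrong: userAccountControl is a bit field (the 1.2.840.113556.1.4.803 matching rule is a bitwise AND against it) and pwdLastSet is a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC, where 0 means the password was never set or must be changed at next logon. The following is an added example, not code from the original page, that decodes both offline and produces the same three views (active accounts with a never-expiring password, password age, disabled accounts); the account records and the 90-day threshold are constructed.

```python
"""Decode Active Directory userAccountControl and pwdLastSet values.

Added example, not code from the original page. SAMPLE_RECORDS and the
90-day threshold are constructed.
"""
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002         # bit 2 in the "active accounts" filters above
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000  # 65536 in the first ldapsearch above

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """0 stays None: AD stores 0 for 'never set' / 'must change at next logon'."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    """Integer arithmetic on purpose: float seconds lose precision at 10^17 ticks."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def ldap_bitwise_and(uac, set_bits=0, clear_bits=0):
    """Mirror of the LDAP filter: every bit in set_bits must be 1, like
    (userAccountControl:1.2.840.113556.1.4.803:=N), and every bit in
    clear_bits must be 0, like the negated form (!(...))."""
    return (uac & set_bits) == set_bits and (uac & clear_bits) == 0


def classify(record, now, max_age_days=90):
    """One report row: disabled flag, decoded pwdLastSet and a list of findings."""
    uac = int(record["userAccountControl"])
    pwd = int(record["pwdLastSet"])
    last_set = filetime_to_datetime(pwd)
    findings = []
    if ldap_bitwise_and(uac, clear_bits=ACCOUNTDISABLE):  # active accounts only
        if pwd == 0:
            findings.append("password never set / must change at next logon")
        else:
            if ldap_bitwise_and(uac, set_bits=DONT_EXPIRE_PASSWORD):
                findings.append("password never expires")
            if (now - last_set).days > max_age_days:
                findings.append(f"password older than {max_age_days} days")
        if ldap_bitwise_and(uac, set_bits=PASSWD_NOTREQD):
            findings.append("password not required")
    return {"sAMAccountName": record["sAMAccountName"],
            "disabled": bool(uac & ACCOUNTDISABLE),
            "pwdLastSet": last_set.isoformat() if last_set else None,
            "findings": findings}


def report(records, now, max_age_days=90):
    """Active accounts with at least one finding."""
    rows = [classify(r, now, max_age_days) for r in records]
    return [r for r in rows if r["findings"]]


def ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed records in the shape ldapsearch returns them (attribute values as strings).
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice",   "userAccountControl": "512",   "pwdLastSet": str(ft(2024, 1, 15))},
    {"sAMAccountName": "svc_sql", "userAccountControl": "66048", "pwdLastSet": str(ft(2019, 6, 1))},
    {"sAMAccountName": "bob",     "userAccountControl": "514",   "pwdLastSet": "0"},
    {"sAMAccountName": "temp",    "userAccountControl": "512",   "pwdLastSet": "0"},
    {"sAMAccountName": "legacy",  "userAccountControl": "544",   "pwdLastSet": str(ft(2023, 1, 10))},
]
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "now" so the output is stable


def run():
    return report(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for row in run():
        print(row["sAMAccountName"], row["pwdLastSet"], "; ".join(row["findings"]))
```

66048 is NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD and 514 is NORMAL_ACCOUNT + ACCOUNTDISABLE, the two values you will see most often in these reports; 544 (NORMAL_ACCOUNT + PASSWD_NOTREQD) is worth a dedicated search because it lets the account have an empty password regardless of domain policy.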

RDP Connections

index=wineventlog source="*:Security" EventCode=4624 (Logon_Type=10 OR Logon_Type=2) Source_Network_Address!="192.168.9.9" | table _time,Account_Domain,Account_Name,Logon_Type,action,app,user,src,src_user,dest

Logon type 10 (RemoteInteractive) is RDP; type 2 is a console logon and is only included to show local interactive sessions alongside. The parentheses are required because AND binds tighter than OR, so without them the search is (EventCode=4624 AND Logon_Type=2) OR (Logon_Type=10 AND Source_Network_Address!=...). 192.168.9.9 stands for a source to exclude, such as a jump host. Reconnects to a disconnected RDP session are logged with type 7 (Unlock).

Identify Windows account password changes:

index=wineventlog source="*:Security" (EventCode=4723 OR EventCode=4724) | table host,source,action,dvc,name,user,user_group

Identify Windows security-related logon session events:

index=wineventlog source="*:Security" (EventCode=4624 OR EventCode=4647) | search user!="SYSTEM" | table _time,host,source,action,name,user,user_group

Identify Windows account disabled (4725) or deleted (4726) events:

index=wineventlog source="*:Security" (EventCode=4725 OR EventCode=4726) | table _time,host,source,action,name,user,user_group

Identify Windows account logon events:

index=wineventlog source="*:Security" EventCode=4624 Logon_Type!=3 | search  user!="SYSTEM" | table host,source,action,dvc,name,user,user_group

Detect Windows account logoff events:

index=wineventlog source="*:Security" EventCode=4634 | table host,source,action,dvc,name,user,user_group

Monitor Windows account creation (4720) or enable (4722) events:

index=wineventlog source="*:Security" (EventCode=4720 OR EventCode=4722) | table host,source,action,dvc,name,user,user_group

Monitor successful logins on Windows:

index=wineventlog source="*:Security" EventCode=4624 | table host,source,action,app,dvc,name,user,user_group

Identify audit policy changes (4719) and security event source registration/unregistration (4904/4905):

index=wineventlog source="*:Security" (EventCode=4719 OR EventCode=4904 OR EventCode=4905) | table _time,host,source,action,subject,user,object_attrs

Identify failed login attempts on Windows:

index=wineventlog source="*:Security" EventCode=4625

Detect account lockouts on Windows:

index=wineventlog source="*:Security" EventCode=4740

Identify Windows security group modifications:

index=wineventlog source="*:Security" (EventCode=4727 OR EventCode=4728 OR EventCode=4731)

Detect user rights assigned to or removed from an account:

index=wineventlog source="*:Security" (EventCode=4704 OR EventCode=4705)

4704 is "A user right was assigned" and 4705 "A user right was removed"; neither is a general security-policy-setting change.

Identify Windows process creations:

index=wineventlog source="*:Security" EventCode=4688

Monitor Windows firewall rule modifications:

index=wineventlog source="*Windows Firewall With Advanced Security/Firewall" (EventCode=2004 OR EventCode=2005 OR EventCode=2006)

Events 2004 (rule added), 2005 (rule modified) and 2006 (rule deleted) live in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall channel, not in the Security log, so source="*:Security" never returns them. The Security-log equivalents, produced when "MPSSVC Rule-Level Policy Change" auditing is enabled, are 4946 (rule added), 4947 (rule modified) and 4948 (rule deleted).

Detect Windows system shutdown or restart events:

index=wineventlog source="*:Security" (EventCode=4608 OR EventCode=4609)

Monitor Windows service installation (4697) and scheduled task creation (4698) events:

index=wineventlog source="*:Security" (EventCode=4697 OR EventCode=4698)

Monitor Windows account unlock events (4767):

index=wineventlog source="*:Security" EventCode=4767

Lockout duration and threshold are domain policy settings; changes to them are logged as 4739 ("Domain Policy was changed"), not as 4767.

Monitor access to audited files and folders (4663) and permission changes on them (4670):

index=wineventlog source="*:Security" (EventCode=4663 OR EventCode=4670)

Detect privileged logons (4672) and privileged service calls (4673):

index=wineventlog source="*:Security" (EventCode=4672 OR EventCode=4673)

Monitor Windows registry modification events:

index=wineventlog source="*:Security" EventCode=4657

4657 ("A registry value was modified") requires a SACL on the key and Object Access / Registry auditing. 4658 ("The handle to an object was closed") is not registry-specific and only adds noise.

Identify removal of logon rights from an account (4718) and changes to an object's auditing settings (4907); the system audit policy itself is 4719:

index=wineventlog source="*:Security" (EventCode=4718 OR EventCode=4907)

Monitor Windows account password reset events:

index=wineventlog source="*:Security" EventCode=4724 | table _time,host,src_user,user

4724 is a reset performed by another account (src_user); 4726 is an account deletion and does not belong here.

Identify Windows account group membership changes:

index=wineventlog source="*:Security" (EventCode=4728 OR EventCode=4732)

Detect logons with explicit credentials (4648, e.g. runas or a process supplying alternate credentials):

index=wineventlog source="*:Security" EventCode=4648 | table _time,host,source,action,name,user,user_group

Identify Windows process termination events:

index=wineventlog source="*:Security" EventCode=4689

Monitor Windows account privilege use events:

index=wineventlog source="*:Security" EventCode=4674

Identify Windows security-related user rights assignment changes:

index=wineventlog source="*:Security" EventCode=4703

Detect account renames (4781) and password hash access (4782):

index=wineventlog source="*:Security" (EventCode=4781 OR EventCode=4782)

Monitor Windows account attribute changes (4738), including Password Last Set:

index=wineventlog source="*:Security" EventCode=4738

642 and 648 are legacy (pre-Vista) IDs: 642 is "user account changed" (4738 today) and 648 "security-disabled local group created" (4744), unrelated to password expiry. No Security event announces a password expiring; an expired password appears as a 4625 failure with Sub Status 0xC0000071.

Identify audit log cleared (1102) or Security log full (1104) events:

index=wineventlog source="*:Security" (EventCode=1102 OR EventCode=1104)

Monitor Kerberos policy changes (4713) and domain password/lockout policy changes (4739):

index=wineventlog source="*:Security" (EventCode=4713 OR EventCode=4739)

Identify Windows account password expiration reminders:

No Security event records password-expiration reminders. 768 and 769 are legacy (pre-Vista) forest-trust namespace events (4864/4865 today) and have nothing to do with passwords. Remaining password lifetime has to be computed from pwdLastSet and the domain's maxPwdAge, as in the ldapsearch queries above.

Detect AdminSDHolder ACL resets (4780) and basic application group creation (4783):

index=wineventlog source="*:Security" (EventCode=4780 OR EventCode=4783)

Neither event concerns password history: 4780 means the ACL on a member of a protected (administrative) group was reset to the AdminSDHolder template, and 4783 is an Authorization Manager application group being created. Password history is part of the domain password policy, whose changes are 4739.

Monitor failed RDP logons (4625 with logon type 10):

index=wineventlog source="*:Security" (EventCode=4625 AND Logon_Type=10)

Identify Windows security-related object access events:

index=wineventlog source="*:Security" (EventCode=4660 OR EventCode=4661 OR EventCode=4662)

Monitor logons granted special privileges (4672):

index=wineventlog source="*:Security" EventCode=4672 user!="SYSTEM" user!="*$" | stats count min(_time) as first_seen by host user Logon_ID

4672 has no Logon_Type field, so the original filter Logon_Type=3 matched nothing. The logon type, source address and authentication package are in the 4624 event that shares the same Logon_ID; join on that field when you need them. SYSTEM and machine accounts (ending in $) are excluded because they generate this event constantly.

Identify failed interactive (console) logons (4625 with logon type 2):

index=wineventlog source="*:Security" EventCode=4625 Logon_Type=2

Detect Windows password changes rejected by policy:

index=wineventlog source="*:Security" EventCode=4723 Keywords="Audit Failure" | table _time,host,src_user,user

4508 and 4509 are not Security-log events. A change that the password policy (length, complexity, history, minimum age) rejects is logged as 4723 with the Audit Failure keyword instead of Audit Success. With XML-rendered events Keywords is a hex mask, where 0x8010000000000000 is Audit Failure.

Monitor Windows account password resets performed by another account:

index=wineventlog source="*:Security" EventCode=4724 | table _time,host,src_user,user

4784 and 4785 are Authorization Manager application-group events, not password events. A password set by someone other than the account owner is a reset, event 4724 (src_user is the account doing it, user the target); a change by the owner, who supplied the old password, is 4723.

Identify event log service shutdown (1100) and event-processing error (1108) events:

index=wineventlog source="*:Security" (EventCode=1100 OR EventCode=1108)

Monitor Windows account password expiration warnings:

769 is a legacy (pre-Vista) forest-trust event, not a password warning, and the Security log has no expiration-warning event at all. Expiry becomes visible after the fact as a 4625 with Sub Status 0xC0000071, or beforehand by computing the age from pwdLastSet.

Detect failed privileged service calls:

index=wineventlog source="*:Security" EventCode=4673 Keywords="Audit Failure"

Without the keyword filter 4673 also returns every successful privileged call, which is very noisy.

Monitor Windows account logon failures due to account restrictions:

index=wineventlog source="*:Security" EventCode=4625 (Sub_Status="0xC000006E" OR Sub_Status="0xC000006F" OR Sub_Status="0xC0000070")

Failure_Reason is free text ("User not allowed to logon at this computer." and similar) and never reads "Account restriction"; filter on the NTSTATUS codes instead. 0xC000006E is a generic account restriction (for example a blank password where blank passwords are not allowed), 0xC000006F a logon-hours violation and 0xC0000070 a workstation restriction or Authentication Policy Silo violation.

Monitor Windows account logon events with logon types other than 2, 3 and 10 (what remains is 4 batch, 5 service, 7 unlock, 8 NetworkCleartext, 9 NewCredentials and 11 CachedInteractive; 8 and 9 deserve a look because the password is sent or held in clear):

index=wineventlog source="*:Security" EventCode=4624 Logon_Type!=2 Logon_Type!=3 Logon_Type!=10

Detect failed network logons with the generic logon-failure status:

index=wineventlog source="*:Security" EventCode=4625 Logon_Type=3 Status="0xC000006D" | stats count by src_ip user Sub_Status

0xC000006D only says "bad user name or authentication information"; Sub_Status separates a non-existent user (0xC0000064) from a wrong password (0xC000006A).

Monitor Windows account password change and reset failures:

index=wineventlog source="*:Security" (EventCode=4723 OR EventCode=4724) Keywords="Audit Failure"

627 is the legacy (pre-Vista) ID for a change-password attempt; current Windows logs 4723 (change by the owner) and 4724 (reset by another account), with Keywords="Audit Failure" marking the failed ones.

Identify new trusts created to a domain (4706):

index=wineventlog source="*:Security" EventCode=4706

Monitor sources with many failed network logons (password spraying / brute force):

index=wineventlog source="*:Security" EventCode=4625 Logon_Type=3 | stats count dc(user) as distinct_users values(Sub_Status) as sub_status by src_ip | where count > 20 OR distinct_users > 5 | sort - count

"Network Error" is not a Failure_Reason value; failed network logons are simply 4625 with logon type 3, and the reason is in Status / Sub Status (see Failure Information below). The thresholds are a starting point to tune per environment.

Identify scheduled task updates (4702); user rights changes are 4704/4705:

index=wineventlog source="*:Security" EventCode=4702

Detect Windows logon failures due to an expired password:

index=wineventlog source="*:Security" EventCode=4625 Sub_Status="0xC0000071"

"Expired Password" is not a Failure_Reason value; use the NTSTATUS code from the Failure Information table below.

Monitor Windows account password resets not performed by SYSTEM or the built-in Administrator:

index=wineventlog source="*:Security" EventCode=4724 src_user!="SYSTEM" src_user!="Administrator" | table _time,host,src_user,user

4784/4785 are application-group events; resets are 4724, and the account performing the reset is src_user (the Subject), not Account_Name, which also carries the target.

Identify trusts removed from a domain (4707; 4706 is a trust created, 4716 trusted-domain information modified):

index=wineventlog source="*:Security" EventCode=4707

Monitor failed Kerberos pre-authentication (4771 on the domain controller):

index=wineventlog source="*:Security" EventCode=4771 Failure_Code="0x18" | stats count by user Client_Address

KDC_ERR_PREAUTH_FAILED is the Kerberos error name and never appears in a 4625 Failure_Reason. On the DC it is event 4771 with Failure Code 0x18, the Kerberos equivalent of a wrong password (0x12 is a disabled, expired or locked-out account).

Identify system audit policy changes (4719):

index=wineventlog source="*:Security" EventCode=4719

Detect Windows logon failures due to a workstation restriction:

index=wineventlog source="*:Security" EventCode=4625 Sub_Status="0xC0000070"

"Unknown user name or bad password" is the reason text for 0xC0000064/0xC000006A, not for a workstation restriction. 0xC0000070 is also what an Authentication Policy Silo violation produces (check for 4820 on the domain controller).

Monitor Windows account password resets performed by service accounts:

index=wineventlog source="*:Security" EventCode=4724 src_user="*SERVICE*" | table _time,host,src_user,user

Resets are 4724 (not 4784/4785, which are application-group events). The pattern assumes service accounts carry SERVICE in their name; adjust it to the local naming convention.

Identify system security access (logon right) removed from an account (4718; 4717 is the corresponding grant):

index=wineventlog source="*:Security" EventCode=4718

Monitor failed Kerberos authentication, including smart card (PKINIT) logons:

index=wineventlog source="*:Security" (EventCode=4768 OR EventCode=4771) Keywords="Audit Failure" | eval code=coalesce(Result_Code, Failure_Code) | stats count by EventCode code user Client_Address

4625 has no "Smart Card Logon Failed" reason. Smart card logons are Kerberos PKINIT exchanges, so their failures are logged on the domain controller as 4768 (TGT request, Result Code) or 4771 (pre-authentication, Failure Code); certificate problems show up as codes other than 0x18 (bad password).

Identify logon rights granted to or removed from an account:

index=wineventlog source="*:Security" (EventCode=4717 OR EventCode=4718)

4717 is "System security access was granted to an account" and 4718 the removal. 4716 is "Trusted domain information was modified" and belongs with the trust events.

Detect Windows logon failures for expired or disabled accounts:

index=wineventlog source="*:Security" EventCode=4625 (Sub_Status="0xC0000193" OR Sub_Status="0xC0000072")

The parentheses are required: without them the search reads (EventCode=4625 AND ...) OR (...). Sub Status 0xC0000193 is an expired account and 0xC0000072 a disabled one; the Failure_Reason strings "User Account Expired" and "Account Disabled" do not occur in the event text.

Monitor Windows account password resets made from a privileged session:

index=wineventlog source="*:Security" (EventCode=4672 OR EventCode=4724) | stats values(EventCode) as codes values(user) as users by host Logon_ID | where mvcount(codes)=2

There is no Privileged_Account field. A privileged session is one whose Logon_ID received 4672 ("Special privileges assigned to new logon"); joining 4724 (password reset) to 4672 on host and Logon_ID returns the resets performed from such a session. In the result, users holds both the resetting subject (from 4672) and the target account (from 4724).

Identify changes to the audit policy (SACL) on an object (4715):

index=wineventlog source="*:Security" EventCode=4715

Monitor failed NTLM network logons:

index=wineventlog source="*:Security" EventCode=4625 Logon_Type=3 Authentication_Package=NTLM | stats count by src_ip user Sub_Status

"NTLM blocked" is not a Failure_Reason value. NTLM failures are ordinary 4625 events whose Authentication Package is NTLM; NTLM restriction and auditing policies log to the Microsoft-Windows-NTLM/Operational channel (events 8001-8004), not to the Security log.

Identify security-enabled global group creation (4727) and member removals (4729 global, 4733 local):

index=wineventlog source="*:Security" (EventCode=4727 OR EventCode=4729 OR EventCode=4733)

Detect Windows logon failures for an expired password or a disabled account:

index=wineventlog source="*:Security" EventCode=4625 (Sub_Status="0xC0000071" OR Sub_Status="0xC0000072")

Monitor Windows account password resets made over the network or RDP:

index=wineventlog source="*:Security" ((EventCode=4624 (Logon_Type=3 OR Logon_Type=10)) OR EventCode=4724) | stats values(EventCode) as codes values(Logon_Type) as logon_type values(src_ip) as src_ip values(user) as users by host Logon_ID | where mvcount(codes)=2

4724 has no Workstation_Name field. The session the reset was made from is identified by Logon_ID, and its 4624 carries the logon type and the Source Network Address (src_ip). 4624 extracts both the Subject and the New Logon "Logon ID" into Logon_ID, so the stats splits on both values; the New Logon one is the match you want.

Identify logon rights granted (4717) and changes to the CrashOnAuditFail setting (4906); audit policy category changes are 4719:

index=wineventlog source="*:Security" (EventCode=4717 OR EventCode=4906)

Active Directory Reports

Member Added/Removed

host="*" index="wineventlog" (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757) |eval time = strftime(_time,"%c") |table time,name,MemberName,Group_Name,src_user |rename time as "Time" , name as "Action" , MemberName as "Member Name Added/Removed" , Group_Name as "Group Name" , src_user as "Member Added/Removed By :"

The parentheses matter: without them only the first EventCode is restricted to the index. 4728/4729 are the security-enabled global group events, 4732/4733 local and 4756/4757 universal; 4761/4762 cover security-disabled (distribution) universal groups, which do not grant access.

Security Group mgmt changed:

host="*" index="wineventlog" (EventCode=4735 OR EventCode=4737) |eval time = strftime(_time,"%c") |table time,name,src_user,TargetUserName,dest,session_id |rename time as "Time" , name as "Action" , src_user as "Source User", TargetUserName as " Target Group " , dest as " Destination DC" , session_id as "Session ID"

User Enabled/Disabled:

host="*" index="wineventlog" (EventCode=4722 OR EventCode=4725) |eval time = strftime(_time,"%c") |table time,name,user,src_user |rename time as "Time" , name as "Action" , user as "Target User" , src_user as "Account Enabled/Disabled By"

UserAccount Locked/Unlocked:

host="*" index="wineventlog" (signature="A user account was locked out" OR signature="A user account was unlocked") |eval time = strftime(_time,"%c") |table time,dest_nt_domain,Group_Name,name,src_user |rename time as "Time" , Group_Name as "User Name" , dest_nt_domain as "Hostname", name as "Action" , src_user as "Locked/Unlocked By"

UserAccount Changed:

host="*" index="wineventlog" signature="A user account was changed" |eval time = strftime(_time,"%c") |table time,name,user,src_user,dest |rename time as "Time" , name as "Action" , user as " Target User" , src_user as "Changed By" , dest as "Destination DC"

User Created:

host="*" index="wineventlog" EventCode=4720 |eval time = strftime(_time,"%c") |table time,name,user,Logon_ID,src_user,dest |rename time as "Time" , name as "Action" , user as "Created User" , Logon_ID as "Session ID" ,src_user as "User Created By :", dest as "Destination DC"

Password Changed/Reset (4723/4724; domain policy changes are 4739 and are not covered here):

index="wineventlog" (signature="An attempt was made to change an account's password" OR signature="An attempt was made to reset an accounts password") |eval time = strftime(_time,"%c") |table time,name,user,src_user |rename time as "Time" , name as "Action" , user as "Target User" , src_user as "Password Changed/Reset By"

User Deleted By Admin:

host="*" index="wineventlog" EventCode=4726 |eval time = strftime(_time,"%c") |table time,name,src_user,user,dest |rename time as "Time" , name as "Action" , src_user as "Deleted By : ", user as "Deleted User: " , dest as "Destination DC"

| Windows Event ID | Event Summary |
|---|---|
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4723 | An attempt was made to change an account's password |
| 4724 | An attempt was made to reset an accounts password |
| 4725 | A user account was disabled |
| 4726 | A user account was deleted |
| 4738 | A user account was changed |
| 4781 | The name of an account was changed |
| 4782 | The password hash of an account was accessed |
| 4624 | An account was successfully logged on |
| 4740 | A user account was locked out |
| 4634 | An account was logged off |
| 4625 | An account failed to log on |
| 4648 | A logon was attempted using explicit credentials |
| 4732 | A member was added to a security-enabled local group |
| 4728 | A member was added to a security-enabled global group |
| 4756 | A member was added to a security-enabled universal group |
| 4733 | A member was removed from a security-enabled local group |
| 4729 | A member was removed from a security-enabled global group |
| 4757 | A member was removed from a security-enabled universal group |
| 4657 | A registry value was modified |
| 4672 | Special privileges assigned to new logon |
| 4697 | A service was installed in the system |
| 4698 | A scheduled task was created |
| 4699 | A scheduled task was deleted |
| 4700 | A scheduled task was enabled |
| 4701 | A scheduled task was disabled |
| 4702 | A scheduled task was updated |
| 4608 | Windows is starting up |
| 4609 | Windows is shutting down |
| 4800 | The workstation was locked |
| 4801 | The workstation was unlocked |

Failure Information:

This section of a 4625 event explains why the logon failed.

Failure Reason: textual explanation of the logon failure.
Status and Sub Status: hexadecimal NTSTATUS codes explaining the logon failure. Sub Status is sometimes filled in and sometimes 0x0, in which case Status carries the reason. The codes below are the ones commonly observed (they were not checked against the "Failure Reason:" text).

| Status / Sub Status | Description |
|---|---|
| 0xC0000064 | user name does not exist |
| 0xC000006A | user name is correct but the password is wrong |
| 0xC000006D | generic logon failure (bad user name or authentication information); look at Sub Status for the specific reason |
| 0xC000006E | an account restriction prevented the logon (for example a blank password where blank passwords are not allowed) |
| 0xC0000234 | user is currently locked out |
| 0xC0000072 | account is currently disabled |
| 0xC000006F | user tried to log on outside the permitted day-of-week or time-of-day restrictions |
| 0xC0000070 | workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on the domain controller) |
| 0xC0000193 | account expired |
| 0xC0000071 | expired password |
| 0xC0000133 | clocks between the DC and the other computer are too far out of sync |
| 0xC0000224 | user is required to change the password at next logon |
| 0xC0000225 | evidently a bug in Windows and not a risk |
| 0xC000015B | the user has not been granted the requested logon type (logon right) at this machine |

Logon Types

| Logon Type | # | Authenticators Accepted | Reusable Credentials in LSA Session | Examples |
|---|---|---|---|---|
| Interactive (also known as Logon locally) | 2 | Password, Smartcard, other | Yes | Console logon; RUNAS; hardware remote control solutions (such as a network KVM or a Remote Access / Lights-Out card in a server); IIS Basic Auth (before IIS 6.0) |
| Network | 3 | Password, NT hash, Kerberos ticket | No (except if delegation is enabled, then Kerberos tickets are present) | NET USE; RPC calls; remote registry; IIS integrated Windows auth; SQL Windows auth |
| Batch | 4 | Password (stored as LSA secret) | Yes | Scheduled tasks |
| Service | 5 | Password (stored as LSA secret) | Yes | Windows services |
| NetworkCleartext | 8 | Password | Yes | IIS Basic Auth (IIS 6.0 and newer); Windows PowerShell with CredSSP |
| NewCredentials | 9 | Password | Yes | RUNAS /NETONLY |
| RemoteInteractive | 10 | Password, Smartcard, other | Yes | Remote Desktop (formerly known as "Terminal Services") |

Two further types appear in 4624 events: 7 (Unlock: workstation unlock and reconnection to an existing RDP session) and 11 (CachedInteractive: interactive logon with cached domain credentials when no domain controller is reachable). Both leave reusable credentials in the LSA session.
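The 4624/4625 searches above and the two tables (failure status codes, logon types) come together in triage, and it helps to see the logic run end to end. The following is an added example, not code from the original page: it parses events written in the classic text layout of the Security log into the same field names the searches use (EventCode, Logon_Type, Status, Sub_Status, Account_Name, Source_Network_Address), maps failures to the reasons from the Failure Information table (Sub Status when present, Status otherwise), flags a source that succeeds after repeated failures, and lists successful non-console logons whose type leaves reusable credentials on the host according to the Logon Types table. The sample events, hosts, users and addresses are constructed; logon types 7 and 11 are added to the page's table.

```python
"""Triage Windows Security 4624/4625 events using the code tables above.

Added example, not code from the original page. SAMPLE_EVENTS are constructed
(hosts, users and addresses are made up); field names follow the Splunk ones
used in the searches above.
"""
import re
from collections import Counter, defaultdict

# Status / Sub Status codes from the Failure Information table.
STATUS_REASON = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "password is wrong",
    "0xC000006D": "generic logon failure (no sub status)",
    "0xC000006F": "logon outside permitted hours",
    "0xC0000070": "workstation restriction or silo violation",
    "0xC0000071": "password expired",
    "0xC0000072": "account is currently disabled",
    "0xC0000133": "clock skew between DC and client",
    "0xC000015B": "logon type not granted on this machine",
    "0xC0000193": "account expired",
    "0xC0000224": "must change password at next logon",
    "0xC0000234": "user is currently locked out",
}

# Logon type -> (name, reusable credentials left in the LSA session), from the
# Logon Types table; 7 (Unlock) and 11 (CachedInteractive) are added.
LOGON_TYPES = {
    2: ("Interactive", True), 3: ("Network", False), 4: ("Batch", True),
    5: ("Service", True), 7: ("Unlock", True), 8: ("NetworkCleartext", True),
    9: ("NewCredentials", True), 10: ("RemoteInteractive", True),
    11: ("CachedInteractive", True),
}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)?$")


def parse_event(text):
    """Flatten "Key:<tabs>Value" lines into a dict. A later duplicate wins, so
    Account_Name ends up as the target account from the last block rather
    than the Subject, which is how the Splunk user field behaves here."""
    ev = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            ev[m.group(1).strip().replace(" ", "_")] = m.group(2).strip()
    return ev


def norm_status(code):
    """Normalise hex case: the page lists both 0xC000015B and 0xc000015b."""
    return "0x" + code[2:].upper()


def failure_reason(ev):
    """Sub Status carries the specific reason unless it is 0x0; then Status does."""
    sub = norm_status(ev.get("Sub_Status", "0x0"))
    code = sub if sub != "0x0" else norm_status(ev["Status"])
    return STATUS_REASON.get(code, code)


def triage(raw_events, threshold=3):
    """Per-source failure reasons; sources that succeed after >= threshold
    failures (brute force / spray); successful non-console logons that leave
    reusable credentials on the host."""
    failures = defaultdict(Counter)
    brute_force, reusable = [], []
    for ev in (parse_event(t) for t in raw_events):
        src = ev.get("Source_Network_Address", "-")
        user = ev.get("Account_Name", "-")
        logon_type = int(ev.get("Logon_Type", 0))
        if ev["EventCode"] == "4625":
            failures[src][failure_reason(ev)] += 1
        elif ev["EventCode"] == "4624":
            if sum(failures.get(src, {}).values()) >= threshold:
                brute_force.append((src, user))
            name, leaves_creds = LOGON_TYPES.get(logon_type, ("Unknown", True))
            if leaves_creds and logon_type != 2:
                reusable.append((user, src, name))
    return {"failures": {s: dict(c) for s, c in failures.items()},
            "brute_force": brute_force, "reusable": reusable}


def classic_text(code, user, logon_type, src, status="", sub=""):
    """Render one constructed event in the classic Security-log text layout."""
    lines = [f"EventCode:\t{code}", "Subject:", "\tAccount Name:\t\t-",
             f"Logon Type:\t\t{logon_type}",
             "New Logon:" if code == 4624 else "Account For Which Logon Failed:",
             f"\tAccount Name:\t\t{user}", "\tAccount Domain:\t\tCORP"]
    if code == 4625:
        lines += ["Failure Information:", f"\tStatus:\t\t\t{status}", f"\tSub Status:\t\t{sub}"]
    lines += ["Network Information:", f"\tSource Network Address:\t{src}"]
    return "\n".join(lines)


SAMPLE_EVENTS = [
    classic_text(4625, "jdoe", 3, "10.0.0.7", "0xC000006D", "0xC000006A"),
    classic_text(4625, "asmith", 3, "10.0.0.7", "0xC000006D", "0xC0000064"),
    classic_text(4625, "jdoe", 3, "10.0.0.7", "0xC000006D", "0xC000006A"),
    classic_text(4624, "jdoe", 10, "10.0.0.7"),       # RDP success after three failures
    classic_text(4625, "bob", 2, "10.0.0.9", "0xC0000234", "0x0"),
    classic_text(4624, "svc_backup", 3, "10.0.0.9"),  # network logon: no reusable creds
    classic_text(4624, "svc_backup", 5, "-"),         # service logon: password in LSA
]


def run():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The "reusable" list is the one to read after a compromise: a type 10 or type 5 logon by an administrative account on a host an attacker controls is where credential theft from LSASS becomes possible, whereas the type 3 logon by svc_backup on the same host leaves nothing to steal.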