Atomicorp Wiki - User contributions [en] (Atom feed: https://wiki.atomicorp.com/wiki/api.php?action=feedcontributions&user=Cpriester&feedformat=atom), 2024-03-29T00:12:23Z, MediaWiki 1.20.2
HIDS 5302 (https://wiki.atomicorp.com/wiki/index.php/HIDS_5302), 2021-03-30T05:20:51Z
<p>Cpriester: </p>
<hr />
<div>'''Rule ID''' <br />
<br />
5302<br />
<br />
'''Status'''<br />
<br />
User missed the password to change UID to root.<br />
<br />
'''Description''' <br />
<br />
This event occurs when a user attempts to switch user contexts to the root account using the 'su root' command and types the wrong root password.<br />
<br />
'''Guidance'''<br />
<br />
Repeated instances of this event could indicate attempted system abuse.<br />
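The "repeated instances" the guidance refers to can be surfaced from the host's own auth log. The following is an added example, not code from the wiki page, ASL or OSSEC: it parses the util-linux su message format ("FAILED SU (to root) user on tty"), counts failed switches to root per source user and reports users that cross a threshold. The log lines are constructed for the example, and the threshold of three is an assumption, not a value the rule defines.<br />

```python
import re
from collections import Counter

# Constructed sample auth log lines (not taken from the wiki page or from any real host).
# The format follows the util-linux su message "FAILED SU (to root) <user> on <tty>".
SAMPLE_LOG = """\
Mar 30 05:10:01 host su[1201]: FAILED SU (to root) alice on pts/0
Mar 30 05:10:09 host su[1203]: FAILED SU (to root) alice on pts/0
Mar 30 05:10:15 host su[1205]: FAILED SU (to root) alice on pts/0
Mar 30 05:11:02 host su[1210]: (to root) bob on pts/1
Mar 30 05:12:40 host su[1215]: FAILED SU (to root) bob on pts/1
Mar 30 05:13:05 host sshd[1220]: Accepted publickey for carol from 10.0.0.5 port 50022 ssh2
"""

# Matches only failed su attempts; successful "(to root) bob" lines do not carry "FAILED SU".
FAILED_SU = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+su\[\d+\]:\s+"
    r"FAILED SU \(to (?P<target>\S+)\)\s+(?P<user>\S+)\s+on\s+(?P<tty>\S+)"
)


def parse_failed_su(text):
    """Return one dict (ts, host, target, user, tty) per failed su attempt in the log text."""
    events = []
    for line in text.splitlines():
        m = FAILED_SU.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_su_to_root_by_user(events):
    """Count failed attempts per source user, keeping only attempts whose target is root
    (the scope of rule 5302); failed switches to other accounts are ignored."""
    counts = Counter(e["user"] for e in events if e["target"] == "root")
    return dict(counts)


def repeat_offenders(text, threshold=3):
    """Users whose failed 'su root' attempts reach the threshold (assumed value, not from the rule)."""
    counts = failed_su_to_root_by_user(parse_failed_su(text))
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for user, n in sorted(failed_su_to_root_by_user(parse_failed_su(SAMPLE_LOG)).items()):
        print(f"{user}: {n} failed su-to-root attempt(s)")
    print("repeated failures:", repeat_offenders(SAMPLE_LOG))
```

Run against a real /var/log/auth.log or /var/log/secure the same parser applies unchanged; the threshold and the time window over which counts are kept (none here, the whole input is one window) are the two knobs a practitioner tunes before acting on the result.<br />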
<br />
'''False Positives'''<br />
<br />
There are no known false positives for this rule. This rule detects when files change; therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file, or files in a particular directory, change, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.<br />
<br />
If you believe that this is a false positive, please report it to our security team so that they can determine whether this is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the [[Reporting False Positives]] wiki page.<br />
<br />
'''Similar Rules'''<br />
<br />
5301<br />
<br />
'''Knowledge Base Articles'''<br />
<br />
None.<br />
<br />
'''Outside References'''<br />
<br />
None.</div>Cpriester
HIDS 5302 (https://wiki.atomicorp.com/wiki/index.php/HIDS_5302), 2021-03-30T05:20:01Z
<p>Cpriester: Created page with "'''Rule ID''' 5302 '''Status''' User missed the password to change UID to root. '''Description''' This event occurs when a user attempts to 'su root' and types the wro..."</p>
<hr />
<div>'''Rule ID''' <br />
<br />
5302<br />
<br />
'''Status'''<br />
<br />
User missed the password to change UID to root.<br />
<br />
'''Description''' <br />
<br />
This event occurs when a user attempts to 'su root' and types the wrong root password.<br />
<br />
'''Guidance'''<br />
<br />
Repeated instances of this event could indicate attempted system abuse.<br />
<br />
'''False Positives'''<br />
<br />
There are no known false positives for this rule. This rule detects when files change; therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file, or files in a particular directory, change, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.<br />
<br />
If you believe that this is a false positive, please report it to our security team so that they can determine whether this is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the [[Reporting False Positives]] wiki page.<br />
<br />
'''Similar Rules'''<br />
<br />
5301<br />
<br />
'''Knowledge Base Articles'''<br />
<br />
None.<br />
<br />
'''Outside References'''<br />
<br />
None.</div>Cpriester
HIDS 59229 (https://wiki.atomicorp.com/wiki/index.php/HIDS_59229), 2020-10-21T19:15:49Z
<p>Cpriester: /* Description */</p>
<hr />
<div>{{Infobox<br />
|header1 = Rule 59222<br />
|label2 = Status<br />
|data2 = Active<br />
|label3 = Alert Message<br />
|data3 = Logon Failure - Internal error <br />
}} <br />
= Description =<br />
<br />
Windows has detected a logon failure due to an internal error on the affected Windows system.<br />
<br />
== Associated Windows Event IDs ==<br />
<br />
*529<br />
*530<br />
*531<br />
*532<br />
*533<br />
*534<br />
*535<br />
*536<br />
*537<br />
*539<br />
*4625<br />
<br />
== What you should do ==<br />
<br />
This means that the logon system is experiencing an error. This can be because the logon system has failed, is unable to communicate with the AD server(s), or is misconfigured.<br />
<br />
The affected system should be accessed to determine why the logon system is reporting an internal error.<br />
<br />
= Troubleshooting =<br />
<br />
== False Positives ==<br />
<br />
There are no false positives with this rule.<br />
<br />
== Tuning Guidance ==<br />
<br />
There is no guidance for tuning this rule. This rule should not be disabled.<br />
<br />
= Additional Information =<br />
<br />
== Support ==<br />
<br />
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!<br />
<br />
== Similar Rules ==<br />
<br />
[[HIDS_59222]] Windows: Remote Logon Failure - Unknown user or bad password<br />
<br />
[[HIDS_59223]] Logon Failure - Account logon time restriction violation<br />
<br />
[[HIDS_59224]] Logon Failure - Account currently disabled<br />
<br />
[[HIDS_59225]] Logon Failure - Specified account expired<br />
<br />
[[HIDS_59226]] Logon Failure - User not allowed to login at this computer<br />
<br />
[[HIDS_59227]] Logon Failure - User not granted logon type<br />
<br />
[[HIDS_59228]] Logon Failure - Account's password expired<br />
<br />
[[HIDS_59230]] Logon Failure - Account locked out<br />
<br />
<br />
== Knowledge Base Articles ==<br />
<br />
None.<br />
<br />
== Outside References ==<br />
<br />
None.<br />
<br />
== Notes ==</div>Cpriester