Difference between revisions of "HIDS 18130"
Revision as of 10:06, 3 June 2019
Rule ID
18130
Status
Active rule currently published.
Description
This rule detects when an account failed to log on.
Description Fields
Subject: Identifies the account that requested the logon, NOT the user who just attempted to log on. Subject is usually Null or one of the Service principals and not usually useful information. See New Logon for who just logged on to the system.
Security ID, Account Name, Account Domain, Logon ID
Logon Type: This is a valuable piece of information as it tells you HOW the user just logged on:
Description
2 Interactive (logon at keyboard and screen of system)
3 Network (i.e. connection to shared folder on this computer from elsewhere on network)
4 Batch (i.e. scheduled task)
5 Service (Service startup)
7 Unlock (i.e. unattended workstation with password protected screen saver)
8 NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information.
9 NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648. MS says "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
10 RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11 CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
Account For Which Logon Failed: This identifies the user that attempted to log on and failed.
Security ID: The SID of the account that attempted to log on. This is blank or the NULL SID if a valid account was not identified, such as where the username specified does not correspond to a valid account logon name.
Account Name: The account logon name specified in the logon attempt.
Account Domain: The domain or, in the case of local accounts, the computer name.
Network Information: This section identifies where the user was when he logged on. Of course, if the logon is initiated from the same computer, this information will either be blank or reflect the same local computer.
Workstation Name: The computer name of the computer where the user is physically present in most cases, unless this logon was initiated by a server application acting on behalf of the user. Workstation may also not be filled in for some Kerberos logons, since the Kerberos protocol doesn't really care about the computer account in the case of user logons and therefore lacks any field for carrying the workstation name in the ticket request message.
Source Network Address: The IP address of the computer where the user is physically present in most cases, unless this logon was initiated by a server application acting on behalf of the user. If this logon is initiated locally, the IP address will sometimes be 127.0.0.1 instead of the local computer's actual IP address. This field is also blank sometimes because Microsoft says "Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out."
Source Port: Identifies the source TCP port of the logon request, which seems useless since with most protocols source ports are random.
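The following added example (not part of the original rule documentation or of the HIDS product) parses the message text of a failed-logon event and summarises it using the fields described above: the failed account rather than the Subject, the logon type, and the source address. The sample event is constructed, and the function names parse_4625 and triage are hypothetical.

```python
# Logon types as listed on this page.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample of a failed-logon message body (not a real log entry).
SAMPLE_EVENT = """An account failed to log on.
Subject:
    Security ID: NULL SID
    Account Name: -
Logon Type: 8
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: jdoe
    Account Domain: EXAMPLE
Network Information:
    Workstation Name: WEB01
    Source Network Address: 192.0.2.10
"""

def parse_4625(message):
    """Return {section: {field: value}}; unindented 'Key: value' lines stay top-level."""
    event, section = {}, None
    for raw in message.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # free text such as the first line
        value = value.strip()
        if raw[0] in " \t" and section:   # indented field inside a section
            event[section][key] = value
        elif value:                       # top-level field, e.g. Logon Type
            event[key], section = value, None
        else:                             # section header, e.g. "Subject:"
            section, event[key] = key, {}
    return event

def triage(event):
    """Summarise who failed, how, and from where (Subject is deliberately ignored)."""
    ltype = int(event.get("Logon Type", 0))
    target = event.get("Account For Which Logon Failed", {})
    notes = [f"logon type {ltype} ({LOGON_TYPES.get(ltype, 'Unknown')})"]
    if ltype == 8:
        notes.append("credentials sent in clear text")
    if target.get("Security ID", "") in ("", "NULL SID"):
        notes.append("no valid account identified")
    src = event.get("Network Information", {}).get("Source Network Address", "")
    notes.append("local or unrecorded source" if src in ("", "-", "127.0.0.1") else f"remote source {src}")
    who = f"{target.get('Account Domain', '')}\\{target.get('Account Name', '')}"
    return {"who": who, "notes": notes}
```
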
False Positives
There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file or files in a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
If you believe that this is a false positive, please report it so that our security team can determine whether this is a legitimate case or a clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.
Tuning Recommendations
If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
Similar Rules
Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
Knowledge Base Articles
None.
Outside References
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625#fields