Difference between revisions of "HIDS 59227"

From Atomicorp Wiki
Latest revision as of 17:01, 20 October 2020

Rule 59222
Status Active
Alert Message Logon Failure - User not granted logon type

Description

Windows has detected an attempt to log on with an account that has not been granted the requested logon type. The logon otherwise succeeded (the username, password and/or other credentials are valid). The account is simply not allowed to log on using this logon type.

Associated Windows Event IDs

  • 529
  • 530
  • 531
  • 532
  • 533
  • 534
  • 535
  • 536
  • 537
  • 539
  • 4625

Logon types

1 – Interactive - Console logons.

2 – Network - This logon happens when you're accessing file shares using SMB, for example.

3 – Batch - This is used for scheduled tasks.

4 – Service - This is used for services and service accounts that log on to start a service.

5 – Unlock - This is used whenever a user unlocks their machine.

6 – Network Cleartext - This is used when logging on over the network with the password sent in clear text (which should not happen to you!).

7 – New Credentials - This is used when you run an application using the RunAs command.

8 – Remote Interactive - This is used for RDP applications such as Terminal Services or Remote Assistance.

9 – Cached Interactive - This is logged when users log on using cached credentials.

Examples

For example, the account INTERN cannot run as a batch process (logon type 2) because the user is just an intern and should not attempt to log on as a batch process.

What you should do

If this is authorized behavior, update the user's account configuration to allow this logon type. If this is not expected or authorized behavior, it may indicate an attack, and the source should be investigated. Check the GUI for other events from the source IP.

The platform will track this logon failure, and if multiple events occur it will issue a higher-level alert that a brute force attack may be occurring.
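To illustrate the detection and escalation described above, here is an added example (not Atomicorp's code) that picks out "user not granted logon type" failures from constructed, simplified 4625 event lines and raises a higher-level alert once one source IP produces repeated failures. The NTSTATUS value 0xC000015B is the known Windows code for this failure reason, and the escalation threshold of 3 is an assumption (the page only says "multiple events").

```python
import re
from collections import Counter

# Windows NTSTATUS for "the user has not been granted the requested logon type"
# (known Windows value; not stated on the wiki page).
LOGON_TYPE_NOT_GRANTED = "0xC000015B"
# Assumed threshold: escalate after this many matching failures from one source.
BRUTE_FORCE_THRESHOLD = 3

# Constructed, simplified 4625/4624 event lines (one event per line) for the demo.
SAMPLE_EVENTS = """\
EventID=4625 Account=INTERN LogonType=3 Status=0xC000015B Source=10.0.0.5
EventID=4625 Account=INTERN LogonType=3 Status=0xC000015B Source=10.0.0.5
EventID=4625 Account=SVC_BACKUP LogonType=4 Status=0xC000015B Source=10.0.0.9
EventID=4625 Account=INTERN LogonType=3 Status=0xC000015B Source=10.0.0.5
EventID=4625 Account=bob LogonType=2 Status=0xC000006D Source=10.0.0.7
EventID=4624 Account=alice LogonType=2 Status=0x0 Source=10.0.0.8
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value' event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def is_logon_type_not_granted(ev):
    """Match only failed logons (4625) whose status is 'logon type not granted'."""
    return (ev.get("EventID") == "4625"
            and ev.get("Status", "").upper() == LOGON_TYPE_NOT_GRANTED.upper())

def correlate(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Emit one alert per matching event, plus one escalated alert per source
    once that source reaches the threshold. Each alert is a tuple of
    (message, account, logon_type, source_ip)."""
    alerts, per_source, escalated = [], Counter(), set()
    for line in lines:
        ev = parse_event(line)
        if not is_logon_type_not_granted(ev):
            continue  # other failure reasons and successful logons are ignored here
        src = ev.get("Source", "?")
        alerts.append(("Logon Failure - User not granted logon type",
                       ev.get("Account"), ev.get("LogonType"), src))
        per_source[src] += 1
        if per_source[src] >= threshold and src not in escalated:
            escalated.add(src)
            alerts.append(("Possible brute force - repeated logon type failures",
                           None, None, src))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```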

Troubleshooting

False Positives

There are no false positives with this rule.

Tuning Guidance

There is no guidance for tuning this rule; this is a generic Windows error and the rule should not be disabled.

Additional Information

Support

If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!

Similar Rules

HIDS_59222 Windows: Remote Logon Failure - Unknown user or bad password

HIDS_59223 Logon Failure - Account logon time restriction violation

HIDS_59224 Logon Failure - Account currently disabled

HIDS_59225 Logon Failure - Specified account expired

HIDS_59226 Logon Failure - User not allowed to login at this computer

HIDS_59228 Logon Failure - Account's password expired

HIDS_59229 Logon Failure - Internal error

HIDS_59230 Logon Failure - Account locked out


Knowledge Base Articles

None.

Outside References

None.

Notes