devnulli / EvlWatcher

a "fail2ban" style modular log file analyzer for windows
MIT License

Task "BlockRDPBrutersBySecurity4625" block SMB share access #93

Closed guillotjeremy closed 2 years ago

guillotjeremy commented 2 years ago

Hello,

I have several servers in WORKGROUP which are protected by EvlWatcher.

When I try to access these servers through Windows Explorer from a machine that is joined to a domain, I get a lot of event ID 4625 entries (0xC0000064: Unknown user name or bad password) in the Security log of the server.

Indeed, before showing me the credentials prompt, my machine first tries to connect with the account I am logged on with on my machine. So EvlWatcher bans my IP address.

How can I handle this without disabling the "BlockRDPBrutersBySecurity4625" task?

Thanks

devnulli commented 2 years ago

Could you post an example log entry?

guillotjeremy commented 2 years ago


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4625</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>12544</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8010000000000000</Keywords> 
  <TimeCreated SystemTime="2022-04-06T16:20:21.743232300Z" /> 
  <EventRecordID>13303</EventRecordID> 
  <Correlation ActivityID="{63A5118B-49D1-0001-A411-A563D149D801}" /> 
  <Execution ProcessID="680" ThreadID="1036" /> 
  <Channel>Security</Channel> 
  <Computer>SERVER-01</Computer> 
  <Security /> 
  </System>
  <EventData>
  <Data Name="SubjectUserSid">S-1-0-0</Data> 
  <Data Name="SubjectUserName">-</Data> 
  <Data Name="SubjectDomainName">-</Data> 
  <Data Name="SubjectLogonId">0x0</Data> 
  <Data Name="TargetUserSid">S-1-0-0</Data> 
  <Data Name="TargetUserName">user</Data> 
  <Data Name="TargetDomainName">DOMAIN.LOCAL</Data> 
  <Data Name="Status">0xc000006d</Data> 
  <Data Name="FailureReason">%%2313</Data> 
  <Data Name="SubStatus">0xc0000064</Data> 
  <Data Name="LogonType">3</Data> 
  <Data Name="LogonProcessName">NtLmSsp</Data> 
  <Data Name="AuthenticationPackageName">NTLM</Data> 
  <Data Name="WorkstationName">WIN10-PC</Data> 
  <Data Name="TransmittedServices">-</Data> 
  <Data Name="LmPackageName">-</Data> 
  <Data Name="KeyLength">0</Data> 
  <Data Name="ProcessId">0x0</Data> 
  <Data Name="ProcessName">-</Data> 
  <Data Name="IpAddress">172.16.56.54</Data> 
  <Data Name="IpPort">52201</Data> 
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4776</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>14336</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8010000000000000</Keywords> 
  <TimeCreated SystemTime="2022-04-06T16:20:21.742991300Z" /> 
  <EventRecordID>13302</EventRecordID> 
  <Correlation ActivityID="{63A5118B-49D1-0001-A411-A563D149D801}" /> 
  <Execution ProcessID="680" ThreadID="1036" /> 
  <Channel>Security</Channel> 
  <Computer>SERVER-01</Computer> 
  <Security /> 
  </System>
  <EventData>
  <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data> 
  <Data Name="TargetUserName">user</Data> 
  <Data Name="Workstation">WIN10-PC</Data> 
  <Data Name="Status">0xc0000064</Data> 
  </EventData>
</Event>
devnulli commented 2 years ago

If whitelisting your subnet is not an option, you could purposely fail an RDP logon and compare the event log entries. If there is anything that distinguishes the RDP logon from the AD logon, you could try to alter the booster or the regex.
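The comparison suggested above, worked through as an added example (this is not EvlWatcher's own code). The first event is the 4625 posted in this issue, trimmed to the fields that matter. The second is a constructed event: its values (LogonType 10, logon process User32, package Negotiate) are assumptions about what a failed RDP logon without NLA records on the same server, and an RDP logon with NLA may instead look exactly like the SMB one (LogonType 3 via NtLmSsp), so capture a real event from a deliberate failed RDP logon and substitute it before changing any regex. The subnet in the whitelist check is likewise an assumed example built from the posted address.

```python
"""Diff two failed-logon (4625) events to find a distinguishing field, and
check a source IP against a whitelist before deciding to ban it.

Added example, not EvlWatcher code. SMB_4625 is the event posted in the
issue (trimmed). RDP_4625 is CONSTRUCTED: its values are assumptions about
a failed RDP logon without NLA; replace it with a real event from your log.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the 4625 event from the issue (SMB probe from WIN10-PC).
SMB_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>SERVER-01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">user</Data>
    <Data Name="TargetDomainName">DOMAIN.LOCAL</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WIN10-PC</Data>
    <Data Name="IpAddress">172.16.56.54</Data>
    <Data Name="IpPort">52201</Data>
  </EventData>
</Event>"""

# CONSTRUCTED event (assumption): what a failed RDP logon without NLA from
# the same client might record. Capture a real one and substitute it here.
RDP_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>SERVER-01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">user</Data>
    <Data Name="TargetDomainName">DOMAIN.LOCAL</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">WIN10-PC</Data>
    <Data Name="IpAddress">172.16.56.54</Data>
    <Data Name="IpPort">52410</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten an Event XML document into {field name: value}."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def diff_fields(a, b, ignore=("IpPort",)):
    """Return {name: (a_value, b_value)} for every field whose value differs.

    Ephemeral fields (source port) are ignored so only stable differences,
    the ones a regex or booster could key on, are reported.
    """
    names = (set(a) | set(b)) - set(ignore)
    return {n: (a.get(n), b.get(n)) for n in sorted(names) if a.get(n) != b.get(n)}


def is_whitelisted(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def should_ban(event, whitelist=(), logon_types=("3", "10")):
    """Ban decision for one event: a 4625 with a routable, non-whitelisted
    source IP and one of the logon types we care about."""
    if event.get("EventID") != "4625":
        return False
    ip = event.get("IpAddress", "-")
    if ip in ("", "-"):
        return False  # local or unknown source, nothing to block
    if is_whitelisted(ip, whitelist):
        return False
    return event.get("LogonType") in logon_types


if __name__ == "__main__":
    smb, rdp = parse_event(SMB_4625), parse_event(RDP_4625)
    for name, (smb_val, rdp_val) in diff_fields(smb, rdp).items():
        print(f"{name:28} SMB={smb_val!r:12} RDP={rdp_val!r}")
    print("ban SMB probe, no whitelist:", should_ban(smb))
    print("ban SMB probe, /24 whitelisted:", should_ban(smb, ["172.16.56.0/24"]))
```

If the diff comes back with nothing but the port, the two paths are indistinguishable from EventData alone and whitelisting the client subnet (or the specific workstation name) is the remaining option.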