Bug #215

ntsyslog.rules does not detect domain login events

Added by over 12 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Start date:
Due date:
% Done:

0%

Resolution:

Description

The ruleset appears to detect only host-based login attempts rather than login attempts against a domain.

event id 675: (bad password)

security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: User Name:mike User ID: %{x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxx} Service Name:krbtgt/HQ Pre-Authentication Type:0x2 Failure Code:0x18 Client Address:10.120.120.152

more info: http://www.ultimatewindowssecurity.com/events/com298.html
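The following is an added example, not part of the original report and not Prelude-LML's own rule syntax: a Python sketch of the match a domain-login rule would need for the event 675 line quoted above. The names `EVENT_675`, `parse_event_675`, `bad_passwords_by_client`, `TEMPLATE` and `SAMPLE` are hypothetical, and the sample lines are constructed from the format in the report.

```python
import re
from collections import Counter

# Matches the event 675 line format quoted in the bug description.
# \s+ between "Client" and "Address" tolerates a line wrap at that point.
EVENT_675 = re.compile(
    r"security\[failure\]\s+675\s+.*?Pre-authentication failed:\s+"
    r"User Name:\s*(?P<user>\S+)\s+User ID:\s*(?P<sid>\S+)\s+"
    r"Service Name:\s*(?P<service>\S+)\s+"
    r"Pre-Authentication Type:\s*(?P<patype>0x[0-9A-Fa-f]+)\s+"
    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"Client\s+Address:\s*(?P<client>\S+)")

# Kerberos error codes (RFC 4120), keyed by the "Failure Code" value.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",  # bad password, as in the report
}

def parse_event_675(line):
    """Return the fields of a 675 pre-authentication failure, or None."""
    m = EVENT_675.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["reason"] = KRB_ERRORS.get(int(event["code"], 16), "UNKNOWN")
    return event

def bad_passwords_by_client(lines):
    """Count bad-password (0x18) failures per client address."""
    counts = Counter()
    for line in lines:
        event = parse_event_675(line)
        if event and event["reason"] == "KDC_ERR_PREAUTH_FAILED":
            counts[event["client"]] += 1
    return counts

# Constructed sample input following the format in the report (SID shortened).
TEMPLATE = (r"security[failure] 675 NT AUTHORITY\SYSTEM Pre-authentication failed: "
            "User Name:{user} User ID: %{{x-x-x}} Service Name:krbtgt/HQ "
            "Pre-Authentication Type:0x2 Failure Code:{code} Client\nAddress:{client}")
SAMPLE = [
    TEMPLATE.format(user="mike", code="0x18", client="10.120.120.152"),
    TEMPLATE.format(user="mike", code="0x18", client="10.120.120.152"),
    TEMPLATE.format(user="anna", code="0x12", client="192.0.2.7"),
    "security[success] 528 constructed line that is not event 675",
]

if __name__ == "__main__":
    print(dict(bad_passwords_by_client(SAMPLE)))
```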

History

#1 Updated by over 12 years ago

  • Status changed from New to Assigned

#2 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (93)

#3 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Target version set to 0.9.15

#4 Updated by Jean-Charles ROGEZ about 6 years ago

  • Assignee deleted (59)
  • Target version changed from 0.9.15 to 121

#5 Updated by Thomas ANDREJAK about 4 years ago

  • Target version changed from 121 to Prelude OSS 3.0.0

#6 Updated by Thomas ANDREJAK over 3 years ago

  • Target version changed from Prelude OSS 3.0.0 to Prelude OSS 3.1.0

#7 Updated by Thomas ANDREJAK about 3 years ago

  • Status changed from Assigned to New
  • Target version changed from Prelude OSS 3.1.0 to Prelude OSS 4.0.0

#8 Updated by Thomas ANDREJAK about 2 years ago

  • Target version changed from Prelude OSS 4.0.0 to Prelude OSS 4.1.0
