[DFSci] (no subject)

Brunty, Josh josh.brunty at marshall.edu
Thu Aug 1 19:42:33 PDT 2019


Beginning in Win2K8 and on, EventID codes were merged into only a few different IDs (compared to XP, which had nearly 2 dozen EventIDs). The 4625 EventID you mentioned indeed indicates logon failures and is a common ID generated by brute force/password guessing attacks. That said, here are some other EventIDs you might want to focus on:

4624 - Successful Logon
4625 - Failed Logon
4634/4647 - Successful logoff (Note: Windows doesn't always reliably record 4634 events, so also look for 4647 events, which are user-initiated logoffs for interactive logins).
4648 - Logon using explicit credentials (also known as RunAs, or if the application is run as the administrator and those admin credentials are entered by the user).
4672 - Account Logon with superuser (Administrator) rights
4720 - Account was created

Here's a great link with all of the EventIDs, including those above:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

Another item to possibly focus on is the "Logon Type." I'm assuming by your reference to the 4625 events that you have access to EVTX logs, so for each login event you should see an entry for "Logon Type." Typically it's a number between 2 and 13. These event codes can give you very specific information on "how" the login occurred. For example, a Logon Type Code 10 indicates a Remote Interactive Logon (i.e. Terminal Services/Remote Desktop). I've found these to be extremely helpful to me in determining the "soup-to-nuts," per se, of how the logon process actually went down.

Here's a good resource for all of these different codes:
http://techgenix.com/Logon-Types/

I hope these little tidbits help you out some. If you need some more guidance, please don't hesitate at all to contact me off-list and I'll be glad to help you out in any way I can.

Regards,
Josh

Josh Brunty
Professor- Digital Forensics & Information Assurance
Marshall University
Email: josh.brunty at marshall.edu
Office: 304-691-8962

On 8/1/19, 7:39 PM, "DFSci on behalf of Mcleod S" <dfsci-bounces at lists.dfrws.org on behalf of fe0742 at gmail.com> wrote:

    Hello,
    
    We have a Windows machine on which we've identified multiple event ID 4625 entries.
    It appears to be a brute force attack. Can anyone please recommend any
    documentation or resource that would show which artifacts should be
    examined next to determine if the attack was successful and if any changes
    were made to the machine? I know this is a broad question, but we're really
    just looking for a "next steps to take" sort of guide.
    
    Thanks
