1{
2 "_index": "winlogbeat-7.9.2-2020.12.12-000003",
3 "_type": "_doc",
4 "_id": "vHqyr3YBO7lu6D5QiDh2",
5 "_version": 1,
6 "_score": null,
7 "_source": {
8 "@timestamp": "2020-12-29T18:11:14.017Z",
9 "host": {
10 "os": {
11 "name": "Windows Server 2012 R2 Standard Evaluation",
12 "kernel": "6.3.9600.17031 (winblue_gdr.140221-1952)",
13 "build": "9600.0",
14 "platform": "windows",
15 "version": "6.3",
16 "family": "windows"
17 },
18 "id": "8735966b-b42e-4a09-90d3-84c269916fac",
19 "ip": [
20 "fe80::d562:6aac:36c4:84bb",
21 "169.254.132.187",
22 "fe80::94b4:4624:d47a:e3f7",
23 "10.1.1.10",
24 "fe80::5efe:a01:10a",
25 "fe80::5efe:a9fe:84bb"
26 ],
27 "mac": [
28 "00:0c:29:d4:20:97",
29 "00:0c:29:d4:20:8d",
30 "00:00:00:00:00:00:00:e0",
31 "00:00:00:00:00:00:00:e0"
32 ],
33 "hostname": "dcserver",
34 "architecture": "x86_64",
35 "name": "dcserver.pentestlab.net"
36 },
37 "log": {
38 "level": "information"
39 },
40 "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDCSERVER$\n\tAccount Domain:\t\tPENTESTLAB\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t8\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t3d\n\tAccount Domain:\t\t\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x61c\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tDCSERVER\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
41 "ecs": {
42 "version": "1.5.0"
43 },
44 "agent": {
45 "name": "dcserver",
46 "type": "winlogbeat",
47 "version": "7.9.2",
48 "hostname": "dcserver",
49 "ephemeral_id": "02b14695-6870-416d-a243-6335876f45eb",
50 "id": "1831f908-7dc1-427a-adff-53826c3f23e7"
51 },
52 "winlog": {
53 "provider_name": "Microsoft-Windows-Security-Auditing",
54 "task": "Logon",
55 "opcode": "Info",
56 "event_data": {
57 "KeyLength": "0",
58 "IpPort": "-",
59 "SubjectUserName": "DCSERVER$",
60 "ProcessId": "0x61c",
61 "SubjectUserSid": "S-1-5-18",
62 "Status": "0xc000006d",
63 "SubjectDomainName": "PENTESTLAB",
64 "WorkstationName": "DCSERVER",
65 "SubStatus": "0xc0000064",
66 "TransmittedServices": "-",
67 "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
68 "LogonProcessName": "Advapi ",
69 "LogonType": "8",
70 "TargetUserName": "3d",
71 "LmPackageName": "-",
72 "ProcessName": "C:\\Windows\\System32\\svchost.exe",
73 "SubjectLogonId": "0x3e7",
74 "TargetUserSid": "S-1-0-0",
75 "IpAddress": "-",
76 "FailureReason": "%%2313"
77 },
78 "channel": "Security",
79 "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
80 "process": {
81 "pid": 560,
82 "thread": {
83 "id": 76
84 }
85 },
86 "event_id": 4625,
87 "keywords": [
88 "Audit Failure"
89 ],
90 "api": "wineventlog",
91 "record_id": 867975,
92 "computer_name": "dcserver.pentestlab.net"
93 },
94 "event": {
95 "created": "2020-12-29T18:11:14.985Z",
96 "outcome": "failure",
97 "kind": "event",
98 "code": 4625,
99 "provider": "Microsoft-Windows-Security-Auditing",
100 "action": "Logon"
101 }
102 },
103 "fields": {
104 "@timestamp": [
105 "2020-12-29T18:11:14.017Z"
106 ],
107 "event.created": [
108 "2020-12-29T18:11:14.985Z"
109 ]
110 },
111 "sort": [
112 1609265474017
113 ]
114}