1{
2 "@timestamp" : "2020-04-06T05:55:54.497Z",
3 "message" : "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tWORKGROUP\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t172.16.103.6\n\tSource Port:\t\t39457\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
4 "@version" : "1",
5 "host" : {
6 "name" : "midserver01",
7 "hostname" : "midserver01",
8 "architecture" : "x86_64",
9 "os" : {
10 "platform" : "windows",
11 "name" : "Windows Server 2016 Standard",
12 "build" : "14393.3595",
13 "kernel" : "10.0.14393.3595 (rs1_release_inmarket.200312-1730)",
14 "version" : "10.0",
15 "family" : "windows"
16 },
17 "id" : "01f28f14-0f46-4b90-aeb2-d6903178e1f4"
18 },
19 "event" : {
20 "type" : "authentication_failure",
21 "action" : "logon-failed",
22 "created" : "2020-04-15T12:13:27.792Z",
23 "outcome" : "failure",
24 "code" : 4625,
25 "kind" : "event",
26 "module" : "security",
27 "category" : "authentication",
28 "provider" : "Microsoft-Windows-Security-Auditing"
29 },
30 "user" : {
31 "id" : "S-1-0-0",
32 "name" : "administrator",
33 "domain" : "WORKGROUP"
34 },
35 "shipper" : "monp1",
36 "agent" : {
37 "ephemeral_id" : "3f9d482d-7354-4988-bd5b-b5bc0f554e90",
38 "hostname" : "midserver01",
39 "version" : "7.6.2",
40 "type" : "winlogbeat",
41 "id" : "4e302e67-05bf-4950-9c87-5f350f48aeac"
42 },
43 "env" : "customer1",
44 "application" : "app1",
45 "log" : {
46 "level" : "information"
47 },
48 "process" : {
49 "pid" : 0,
50 "name" : "-",
51 "executable" : "-"
52 },
53 "source" : {
54 "ip" : "172.16.103.6",
55 "port" : 39457,
56 "domain" : "-"
57 },
58 "ecs" : {
59 "version" : "1.4.0"
60 },
61 "tags" : [
62 "winlogbeat",
63 "windows",
64 "nonssl",
65 "beats_input_codec_plain_applied"
66 ],
67 "winlog" : {
68 "event_id" : 4625,
69 "event_data" : {
70 "SubjectUserName" : "-",
71 "AuthenticationPackageName" : "NTLM",
72 "TransmittedServices" : "-",
73 "SubjectUserSid" : "S-1-0-0",
74 "SubjectLogonId" : "0x0",
75 "SubjectDomainName" : "-",
76 "LogonType" : "3",
77 "KeyLength" : "0",
78 "SubStatus" : "0xc000006a",
79 "Status" : "0xc000006d",
80 "FailureReason" : "%%2313",
81 "TargetUserName" : "administrator",
82 "LogonProcessName" : "NtLmSsp ",
83 "TargetUserSid" : "S-1-0-0",
84 "LmPackageName" : "-",
85 "TargetDomainName" : "WORKGROUP"
86 },
87 "api" : "wineventlog",
88 "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}",
89 "computer_name" : "midserver01",
90 "task" : "Logon",
91 "channel" : "Security",
92 "opcode" : "Info",
93 "activity_id" : "{AD0AF2AB-038E-0001-C0F2-0AAD8E03D601}",
94 "process" : {
95 "pid" : 556,
96 "thread" : {
97 "id" : 5404
98 }
99 },
100 "record_id" : 128200,
101 "keywords" : [
102 "Audit Failure"
103 ],
104 "provider_name" : "Microsoft-Windows-Security-Auditing",
105 "logon" : {
106 "type" : "Network",
107 "failure" : {
108 "sub_status" : "User logon with misspelled or bad password",
109 "status" : "This is either due to a bad username or authentication information",
110 "reason" : "Unknown user name or bad password."
111 }
112 }
113 },
114 "type" : "windows"
115}