1{
2 "_index": "winlogbeat-7.9.2-2020.11.12-000002",
3 "_type": "_doc",
4 "_id": "5BBeSHYBYsvnGShfJvrt",
5 "_version": 1,
6 "_score": null,
7 "_source": {
8 "@timestamp": "2020-12-09T16:38:13.092Z",
9 "host": {
10 "id": "8ae5d860-7c22-4098-ac15-ac9d59ae9212",
11 "ip": [
12 "10.1.1.135",
13 "fe80::5efe:a01:187"
14 ],
15 "mac": [
16 "00:0c:29:14:95:f8",
17 "00:00:00:00:00:00:00:e0"
18 ],
19 "hostname": "metasploitable3-win2k8",
20 "architecture": "x86_64",
21 "os": {
22 "build": "7601.0",
23 "platform": "windows",
24 "version": "6.1",
25 "family": "windows",
26 "name": "Windows Server 2008 R2 Standard",
27 "kernel": "6.1.7601.17514 (win7sp1_rtm.101119-1850)"
28 },
29 "name": "metasploitable3-win2k8.pentestlab.net"
30 },
31 "ecs": {
32 "version": "1.5.0"
33 },
34 "agent": {
35 "version": "7.9.2",
36 "hostname": "metasploitable3-win2k8",
37 "ephemeral_id": "2021f0e4-f2d7-44ba-99ab-97c85f5b5052",
38 "id": "72d895a1-f704-4da5-83f6-814b559d59d4",
39 "name": "metasploitable3-win2k8",
40 "type": "winlogbeat"
41 },
42 "log": {
43 "level": "information"
44 },
45 "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t\n\tAccount Domain:\t\t.\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xc000006d\n\tSub Status:\t\t0xc0000064\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\tHwL0UgakoQ77iSLT\n\tSource Network Address:\t10.8.0.7\n\tSource Port:\t\t54940\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
46 "winlog": {
47 "provider_name": "Microsoft-Windows-Security-Auditing",
48 "task": "Logon",
49 "opcode": "Info",
50 "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
51 "event_data": {
52 "LogonType": "3",
53 "IpPort": "54940",
54 "Status": "0xc000006d",
55 "WorkstationName": "HwL0UgakoQ77iSLT",
56 "SubjectDomainName": "-",
57 "TargetDomainName": ".",
58 "ProcessName": "-",
59 "LmPackageName": "-",
60 "SubjectUserSid": "S-1-0-0",
61 "TargetUserSid": "S-1-0-0",
62 "ProcessId": "0x0",
63 "TransmittedServices": "-",
64 "KeyLength": "0",
65 "SubjectLogonId": "0x0",
66 "SubStatus": "0xc0000064",
67 "LogonProcessName": "NtLmSsp ",
68 "IpAddress": "10.8.0.7",
69 "SubjectUserName": "-",
70 "FailureReason": "%%2313",
71 "AuthenticationPackageName": "NTLM"
72 },
73 "event_id": 4625,
74 "computer_name": "metasploitable3-win2k8.pentestlab.net",
75 "process": {
76 "thread": {
77 "id": 4912
78 },
79 "pid": 464
80 },
81 "api": "wineventlog",
82 "keywords": [
83 "Audit Failure"
84 ],
85 "channel": "Security",
86 "record_id": 101250
87 },
88 "event": {
89 "created": "2020-12-09T16:38:15.604Z",
90 "outcome": "failure",
91 "kind": "event",
92 "code": 4625,
93 "provider": "Microsoft-Windows-Security-Auditing",
94 "action": "Logon"
95 }
96 },
97 "fields": {
98 "@timestamp": [
99 "2020-12-09T16:38:13.092Z"
100 ],
101 "event.created": [
102 "2020-12-09T16:38:15.604Z"
103 ]
104 },
105 "highlight": {
106 "winlog.event_data.IpAddress": [
107 "@kibana-highlighted-field@10.8.0.7@/kibana-highlighted-field@"
108 ]
109 },
110 "sort": [
111 1607531893092
112 ]
113 }