Use the username of failed logons seen in the Windows Security logs to alert on clear-text passwords of authorized users.
Ever been distracted and ended up typing your password in the username/email field? Ever wonder where there logs go? Well, I'm pretty sure all failed (and successful) logons get logged somewhere. Using these logs, an insider doesn't need to worry about cracking hashes. They just need to wait for the right time (early Monday morning or when you're rushing back from lunch) to get your password for free because you'll blindly provide it to them. And not just at work either. This could happen when logging into any account (banks, shopping, school, etc.).
What is the solution?
- If you are running a Windows 10 shop, use Protected Event Logging.
- Or, Deny administrators the privilege to create usernames with high entropy and passwords with low entropy.
- Or, Harden the logon process. Don't allow it to accept/log failed logons attempts of usernames with high entropy.
Problem solved?
Not quite. What happens if you are using a log aggregator like Splunk and those protected logs now have to become visible to detect threats? The best solution is to alert the System Administrator as soon as possible. No matter if it's internal, no one should know it except for the user.
To determine possible passwords and usernames:
- Start with the first failed logon (EventCode 4625)
- Calculate the entropy of the string in the User field
- If the entropy is high, add it to a list and mark it as a possible password
- Add all of the successful logons that follow from the same source as potential usernames to use
- Continue this loop until the entire log file is read
Muahahahahaha!!!!!!
Now you can use this evil theory for good and alert when these events take place in your environment.
- Git
- Python 2.7.14
- Python Pip
- PasswordMeter
In Splunk Web:
- Navigate to
Find More Apps
- Search for
Aisle25
- Identify the app and click
Install
- Login with your Splunk.com credentials
- Click
Restart Now
- Click
Open App
- Open a terminal and run the following commands:
cd <SPLUNK_HOME>/etc/apps/Aisle25/bin
bash py_pkg_update.sh
Open a terminal and run the following commands:
cd <SPLUNK_HOME>/etc/apps
git clone https://github.com/ecstatic-nobel/Aisle25.git
cd Aisle25/bin
bash py_pkg_update.sh
Restart Splunk.
In Splunk:
- Switch to the PwdLeak dashboard in the Aisle25™ app.
- Enter the base search in the
Base Search
text box (default:sourcetype=wineventlog EventCode IN (4624, 4625)
). - Choose the time constraint for the logs you want to analyze.
- Click
Submit
.
The output of the base search should be a table with a minimum of the following case-sensitive fields:
- _time
- EventCode
- Account_Domain
- Account_Name
- ComputerName
- Source_Network_Address
The panel to the bottom left will show the raw logs formatted as a table with the required fields. The panel to the bottom right are the results containing possible usernames and passwords. The most efficient way to use this is to setup alerts for when these events take place on your network and notify the System Administrators so they can take action to reset the password.
To remove the project completely, run the following commands:
cd $SPLUNK_HOME/etc/apps
rm -rf Aisle25
Finally, restart Splunk.
- Be responsible!!!
- Password with a comma will not be detected