[BUG] ESCU - Detect Excessive Account Lockouts From Endpoint

Question

[BUG] ESCU - Detect Excessive Account Lockouts From Endpoint

githubonlyy opened this issue a year ago · 4 comments

githubonlyy commented a year ago

If you have a Splunk Support contract, creating a support case for your issue may result in faster resolution.

Describe the bug

The Caller Computer Name is not extracted in the alert only the domain controller

Expected behavior

The Caller Computer Name should be displayed has the source of the lockouts

Screenshots

If applicable, add screenshots to help explain your problem.

App Version:

ESCU: [e.g. 4.17.0]
Splunk Security Essentials: [e.g. 3.7.1]

Additional context

I tested and locked out 6 accounts from 1 workstation and realized that the dest field was referring to the domain controller and not to the caller workstation

Examples of 4740
A user account was locked out.

Subject:

Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Account That Was Locked Out:

Security ID: WIN-R9H529RIO4Y\John
Account Name: John

Additional Information:

Caller Computer Name: WIN-R9H529RIO4Y
After that I saw that the dm dosent support this field which seems to be relavent to the src..

Answer 1 · 2024-01-25T00:52:06.000Z

Hello @githubonlyy :
We tested this detection with the given attack data and noticed that we do not have the field called Caller Computer Name in our logs

It seems like the Windows TAlogs are not mapping Caller Computer Name to src or dest

Do you have a recommended SPL and a screenshot of how that would looks like will help better with understanding the ask!

Answer 2 · 2024-01-25T00:53:07.000Z

Did you want src as an output in the SPL. Here's what is looks like in our test env

Answer 3 · 2024-01-25T08:13:49.000Z

Exactly, has you see it is unknown when it should be the source computer that the lockout occurs on ‫בתאריך יום ה׳, 25 בינו׳ 2024 ב-2:53 מאת ‪Bhavin Patel‬‏ <‪ ***@***.***‬‏>:‬

…

Did you want src as an output in the SPL. Here's what is looks like in our test env image.png (view on web) <https://github.com/splunk/security_content/assets/7771446/281314e4-7dd3-4fba-aef9-bffda3b6bc94> — Reply to this email directly, view it on GitHub <#2929 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZBEAWNWLEDDFAN524IG4ZTYQGUH5AVCNFSM6AAAAABAUPC222VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBZGE3DONRSGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Answer 4 · 2024-12-13T00:05:18.000Z

@githubonlyy : This detection has been updated to use datamodel and to correctly showcase on what destination the lock out has occurred. The current windows TA maps it to the dest field which is where the lock out has occurred.
Caller Computer Name: is empty as it is not present in the raw event itself and hence should not be used as src

Feel free to re open this issue if the detection doesnt work as expected.

Updated detection -
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5