Windows Event Log - Security Group Management

Event Id	Description
4727	A security-enabled global group was created.
4728	A member was added to a security-enabled global group.
4729	A member was removed from a security-enabled global group.
4730	A security-enabled global group was deleted.
4731	A security-enabled local group was created.
4732	A member was added to a security-enabled local group.
4733	A member was removed from a security-enabled local group.
4734	A security-enabled local group was deleted.
4735	A security-enabled local group was changed.
4737	A security-enabled global group was changed.
4754	A security-enabled universal group was created.
4755	A security-enabled universal group was changed.
4756	A member was added to a security-enabled universal group.
4757	A member was removed from a security-enabled universal group.
4758	A security-enabled universal group was deleted.
4764	A group's type was changed.

Windows Event Log - User Account Management

Event Id	Description
4720	A user account was created.
4722	A user account was enabled.
4723	An attempt was made to change an account's password.
4724	An attempt was made to reset an account's password.
4725	A user account was disabled.
4726	A user account was deleted.
4738	A user account was changed.
4740	A user account was locked out.
4765	SID History was added to an account.
4766	An attempt to add SID History to an account failed.
4767	A user account was unlocked.
4780	The ACL was set on accounts which are members of administrators groups.
4781	The name of an account was changed:
4794	An attempt was made to set the Directory Services Restore Mode.
5376	Credential Manager credentials were backed up.
5377	Credential Manager credentials were restored from a backup.

Brute Force Attack

Brute-force attack: Simple yet difficult 

Understanding what Brute Force Attack is fairly simple, but protecting against it is quite difficult.

Brute Force Attack

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (with some exception). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.

For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.

An attack of this nature can be time- and resource-consuming. Hence the name "brute force attack" success is usually based on computing power and the number of combinations tried rather than an ingenious algorithm. However, Encryption is math, and as computers become faster at math, they become faster at trying all the solutions and seeing which one fits.

Defend against Brute Force Attack

• Restrict the use of default usernames and passwords
• Requiring users to have complex passwords
• Limiting the number of times a user can attempt to log in
• Temporarily locking out users who exceed the specified maximum number of login attempts

Detection of Brute Force Attack

With the evolution of faster and more efficient password cracking tools, brute force attacks are on a high against the services of an organization. As a best practice, every organization should configure logging practices for security events so that any possible attack underway will get noticed and treated before the attack succeeds.

To check for brute force pattern, enable auditing on logon events in the Local Security Policy and then feed Windows Security Event log to the SIEM product used.

Below are the correlation search that is created in Splunk and LogPoint against Win:Security logs to monitor real time login attempts. In this search, brute force criteria gets matched with two failure attempts.

Splunk:

sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2

LogPoint:

MSWinEventLog event_id=4625 -target_user=*$ -caller_user=*$ -failure_code=0x19 | rename target_user as Account, caller_user as user | chart count() as Event by Account | search Event > 2

Struts2 Remote Code Execution vulnerability

CVE-2018-11776 - Struts2 Remote Code Execution vulnerability

According to National Vulnerability Database this vulnerability is still awaiting analysis. About this vulnerability

"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time, its upper action(s) have no or wildcard namespace."

It is to be noted that this vulnerability does not exist with a default configuration of Struts, but in commonly seen configurations for some Struts plugins. Due to this vulnerability Struts improperly validates namespaces, allowing for OGNL injection, and can lead to full remote code execution on the target system.

Recommendations

PoC has already been published and is publicly available. You can very likely expect an active attacks against this vulnerability. It is, therefore, recommened to immediately apply update to Struts version 2.3.35 and 2.5.17.

SIEM Detection

1. Carry out vulnerability scan of your infrastructure and send the output to your SIEM solutions

2. Create a rule to look for cve_id=CVE-2018-11776

Firmware Security: An Overlooked Threat