Event Id | Description |
--- | --- |
4727 | A security-enabled global group was created. |
4728 | A member was added to a security-enabled global group. |
4729 | A member was removed from a security-enabled global group. |
4730 | A security-enabled global group was deleted. |
4731 | A security-enabled local group was created. |
4732 | A member was added to a security-enabled local group. |
4733 | A member was removed from a security-enabled local group. |
4734 | A security-enabled local group was deleted. |
4735 | A security-enabled local group was changed. |
4737 | A security-enabled global group was changed. |
4754 | A security-enabled universal group was created. |
4755 | A security-enabled universal group was changed. |
4756 | A member was added to a security-enabled universal group. |
4757 | A member was removed from a security-enabled universal group. |
4758 | A security-enabled universal group was deleted. |
4764 | A group's type was changed. |
Saturday, March 23, 2019
Windows Event Log - User Account Management
Event Id | Description |
--- | --- |
4720 | A user account was created. |
4722 | A user account was enabled. |
4723 | An attempt was made to change an account's password. |
4724 | An attempt was made to reset an account's password. |
4725 | A user account was disabled. |
4726 | A user account was deleted. |
4738 | A user account was changed. |
4740 | A user account was locked out. |
4765 | SID History was added to an account. |
4766 | An attempt to add SID History to an account failed. |
4767 | A user account was unlocked. |
4780 | The ACL was set on accounts which are members of administrators groups. |
4781 | The name of an account was changed. |
4794 | An attempt was made to set the Directory Services Restore Mode administrator password. |
5376 | Credential Manager credentials were backed up. |
5377 | Credential Manager credentials were restored from a backup. |
Friday, March 22, 2019
Brute Force Attack
Brute-force attack: Simple yet difficult
A brute force attack is simple to understand, but protecting against one is quite difficult.
Brute Force Attack
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (with some exceptions, such as information-theoretically secure schemes like the one-time pad). Such an attack is used when no other weakness in the encryption system (if any exists) can be exploited to make the task easier. In a brute force attack, automated software generates a large number of consecutive guesses for the value of the desired data.
For example, a form of brute force attack known as a dictionary attack tries all the words in a dictionary. Other forms try commonly used passwords or combinations of letters and numbers.
An attack of this nature can be time- and resource-consuming; hence the name "brute force": success usually depends on computing power and the number of combinations tried rather than on an ingenious algorithm. Encryption is math, and as computers become faster at math they become faster at trying every candidate solution and checking which one fits.
Defend against Brute Force Attack
- Restrict the use of default usernames and passwords
- Require users to have complex (and, above all, long and unique) passwords
- Limit the number of times a user can attempt to log in
- Temporarily lock out users who exceed the specified maximum number of login attempts
Note that account lockout is a double-edged control: an attacker can abuse it to lock legitimate users out, and a password spray (one or two guesses against many accounts) stays below any per-account lockout threshold. Rate limiting per source and multi-factor authentication close that gap.
Detection of Brute Force Attack
With the evolution of faster and more efficient password cracking tools, brute force attacks against an organization's services are on the rise. As a best practice, every organization should configure logging of security events so that an attack underway is noticed and handled before it succeeds.
To check for brute force patterns, enable auditing of logon events in the Local Security Policy (Audit Logon Events, or Audit Logon under Advanced Audit Policy Configuration) on the hosts and domain controllers of interest, and then forward the Windows Security event log to the SIEM product in use.
Below are correlation searches created in Splunk and LogPoint against Windows Security logs to monitor login attempts. In both searches the brute force criterion is more than two failed logons (event 4625) for the same account, excluding computer accounts (names ending in $). Note that 4625 reports the failure reason in its Status and Sub Status fields (for example Sub Status 0xC000006A for a wrong password); the Failure Code 0x19 exclusion applies to the Kerberos events 4768/4771, where 0x19 (KDC_ERR_PREAUTH_REQUIRED) merely means pre-authentication was required and is not a failed guess. The threshold of two is deliberately low for illustration; tune it, and the time range the search runs over, to your environment.
Splunk:
sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2
LogPoint:
MSWinEventLog event_id=4625 -target_user=*$ -caller_user=*$ -failure_code=0x19 | rename target_user as Account, caller_user as user | chart count() as Event by Account | search Event > 2
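The same correlation run offline over 4625 records, as an added example that is not part of the original post or of either SIEM product. It implements the per-account threshold of the searches above with an explicit sliding time window, and goes one step further than the post by also catching a password spray, which a per-account count never sees. The records and the window sizes are constructed for illustration; the field order mimics the 4625 body fields TargetUserName, IpAddress, Status and SubStatus.

```python
"""Brute-force and password-spray detection over Windows 4625 records.

Added example (not part of the original post). The records below are
constructed for illustration and mimic the 4625 event body fields
TargetUserName, IpAddress, Status and SubStatus.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sub Status values 4625 uses to explain a failure (well-known NTSTATUS codes).
SUBSTATUS_REASON = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}

# Constructed sample: (timestamp, TargetUserName, IpAddress, Status, SubStatus).
SAMPLE_4625 = [
    ("2019-03-22T10:00:01", "alice", "10.0.0.5", "0xC000006D", "0xC000006A"),
    ("2019-03-22T10:00:03", "alice", "10.0.0.5", "0xC000006D", "0xC000006A"),
    ("2019-03-22T10:00:04", "alice", "10.0.0.5", "0xC000006D", "0xC000006A"),
    ("2019-03-22T10:00:06", "alice", "10.0.0.5", "0xC000006D", "0xC000006A"),
    ("2019-03-22T10:00:10", "WS01$", "10.0.0.7", "0xC000006D", "0xC0000064"),  # computer account noise
    ("2019-03-22T10:05:00", "bob", "10.0.0.9", "0xC000006D", "0xC000006A"),
    ("2019-03-22T10:09:00", "bob", "10.0.0.9", "0xC000006D", "0xC000006A"),
    ("2019-03-22T11:00:00", "bob", "10.0.0.9", "0xC000006D", "0xC000006A"),  # outside the 10 min window
    # Password spray: one source, a single guess against each of many accounts.
    ("2019-03-22T12:00:00", "carol", "203.0.113.4", "0xC000006D", "0xC000006A"),
    ("2019-03-22T12:00:01", "dave", "203.0.113.4", "0xC000006D", "0xC000006A"),
    ("2019-03-22T12:00:02", "erin", "203.0.113.4", "0xC000006D", "0xC000006A"),
    ("2019-03-22T12:00:03", "frank", "203.0.113.4", "0xC000006D", "0xC000006A"),
    ("2019-03-22T12:00:04", "grace", "203.0.113.4", "0xC000006D", "0xC000006A"),
]


def is_computer_account(name):
    """Computer accounts end in '$' and fail logons routinely; the SIEM searches exclude them too."""
    return name.endswith("$")


def failed_logons_per_account(records, window=timedelta(minutes=10), threshold=2):
    """Classic brute force: more than `threshold` 4625s for one account inside any `window`.

    Returns {account: peak failures seen in one window} for every account over the threshold.
    """
    per_user = defaultdict(list)
    for ts, user, _ip, _status, _sub in records:
        if not is_computer_account(user):
            per_user[user].append(datetime.fromisoformat(ts))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[user] = peak
    return hits


def spray_sources(records, window=timedelta(minutes=10), min_accounts=4):
    """Password spray: one source IP failing against many distinct accounts inside `window`.

    A per-account threshold never fires here because each account sees only one failure.
    Returns {ip: peak number of distinct accounts in one window}.
    """
    per_ip = defaultdict(list)
    for ts, user, ip, _status, _sub in records:
        if not is_computer_account(user):
            per_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        peak = 0
        for i, (t0, _u) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            peak = max(peak, len(users))
        if peak >= min_accounts:
            hits[ip] = peak
    return hits


def failure_reasons(records):
    """Count Sub Status values so the analyst sees why logons failed (e.g. sprays of unknown users)."""
    counts = defaultdict(int)
    for _ts, user, _ip, _status, sub in records:
        if not is_computer_account(user):
            counts[SUBSTATUS_REASON.get(sub, sub)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("brute force:", failed_logons_per_account(SAMPLE_4625))
    print("spray:", spray_sources(SAMPLE_4625))
    print("reasons:", failure_reasons(SAMPLE_4625))
```

Run as-is it reports alice (four failures in a few seconds) and the spraying source 203.0.113.4, while bob's three failures spread over an hour stay under the 10 minute window; widen the window to two hours and bob is flagged as well, which is why the window is as much a tuning knob as the count.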
Thursday, March 21, 2019
Struts2 Remote Code Execution vulnerability
CVE-2018-11776 - Struts2 Remote Code Execution vulnerability
At the time of writing, the National Vulnerability Database lists this vulnerability as still awaiting analysis. The Apache Struts advisory describes it as follows:
"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time, its upper action(s) have no or wildcard namespace."
Note that the vulnerability is not reachable with a default Struts configuration, but with configurations commonly seen when some Struts plugins are used (the alwaysSelectFullNamespace setting, which the Convention plugin turns on, combined with actions or results that have no or a wildcard namespace). Because Struts does not properly validate the namespace, an attacker can inject an OGNL expression into it, which can lead to full remote code execution on the target system.
Recommendations
A PoC has already been published and is publicly available, so active attacks against this vulnerability can very likely be expected. It is therefore recommended to immediately update to Struts version 2.3.35 or 2.5.17 (or later). Until the update is applied, declare an explicit namespace for every package, action and result configuration so that no wildcard or missing namespace is left for an attacker to supply.
SIEM Detection
1. Carry out a vulnerability scan of your infrastructure and send the scanner output to your SIEM solution.
2. Create a rule that alerts on scan findings whose CVE identifier matches CVE-2018-11776 (for example cve_id=CVE-2018-11776 in the normalized scanner fields).
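The scanner correlation above tells you which hosts are vulnerable, not whether anyone is probing them. Since the flaw is an OGNL expression injected into the namespace part of a request path, a web access log check for expression markers (${...} or %{...}) in the path is a useful complement. The following is an added example, not part of the original post or of any SIEM product; it assumes Apache combined-format log lines, and the lines themselves are constructed, not real traffic (the two hits carry only a harmless arithmetic expression in the namespace segment).

```python
"""Spotting OGNL-in-namespace probes (CVE-2018-11776 style) in web access logs.

Added example (not part of the original post). Assumes Apache combined log
format; the sample lines below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample lines. Lines 1 and 3 carry an expression in the namespace
# segment of the path (line 3 double-encoded); lines 2 and 4 are normal requests.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [21/Mar/2019:09:12:01 +0000] "GET /showcase/%24%7B%281%2B1%29%7D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.64.0"
198.51.100.7 - - [21/Mar/2019:09:12:05 +0000] "GET /showcase/actionChain1.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Mar/2019:09:12:09 +0000] "GET /showcase/%2524%257B%281%2B1%29%257D/index.action HTTP/1.1" 302 0 "-" "curl/7.64.0"
192.0.2.3 - - [21/Mar/2019:09:13:00 +0000] "GET /static/main.css?v=%7B1%7D HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expressions open with ${ or %{ ; Struts evaluates one placed in the namespace.
OGNL_MARKER = re.compile(r"[$%]\{")


def decode_path(target):
    """Strip the query string and undo up to two layers of percent-encoding,
    so double-encoded probes are seen the way the application will see them."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def path_has_ognl(target):
    """True if the (decoded) path component contains an OGNL expression marker."""
    return bool(OGNL_MARKER.search(decode_path(target)))


def find_ognl_probes(log_text):
    """Return [(client_ip, decoded_path, http_status)] for every request whose path carries an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and path_has_ognl(m["target"]):
            hits.append((m["ip"], decode_path(m["target"]), int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_ognl_probes(SAMPLE_ACCESS_LOG):
        print(f"{ip} -> {path} ({status})")
```

The query string is deliberately ignored: the vulnerable component is the namespace taken from the path, and braces in query parameters are common in legitimate traffic. A 302 on such a request is worth a closer look, since the vulnerable redirect handling is exactly what the published reports describe.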